the GPG trust model

Joel N. Weber II devnull at gnu.org
Mon Sep 30 21:41:02 CEST 2002


I'm not all that happy with the GPG trust model.

For example, there's the case of ssh host keys.  In general, I
understand which people ought to be signing which host keys; and
something claiming to be a host key for a particular host which is
signed by the wrong person is going to be somewhat suspect.

And if only the owner of a host signs that host's key, then it's going
to be awfully tempting to just tell GPG that I always trust that
person to sign keys.

There's also the problem of people who cross-sign their own keys.  I'm
willing to trust cross-signed keys somewhat more than I'm willing to
trust a key to sign other people's keys in some cases, and GPG doesn't
give me an easy way to express that.

Yes, I can lsign keys as needed, but that feels ugly.  And it doesn't
help me very much if I copy only my public keyring from one host to
another, so that I can verify signatures on a machine which I don't
happen to need my private key on.

I'd really like something for which the algorithm for deciding whether
to trust a key is to show me the trust path to that key, and then let
me decide whether I trust that key based on that.
