Why is ~/.gnupg/trustdb.gpg readable by all?
Thu Feb 8 01:19:02 2001
On Wednesday 07 February 2001 14:28, George Sinclair wrote:
> Bear with me a moment while I ramble away with some prefatory
> When a key is created, a trust value pair is associated with
> the key. The first is the assigned owner trust, and the second is the
> calculated trust value. This is always '-/u' ('-' = No owner-trust
> assigned or not yet calculated, 'u'=Ultimately trusted).
Thanks for that thoughtful explanation. I am brand new to the list, so
forgive me if I'm about to ask a FAQ, but you've touched on a question
that I am struggling with. How does a newcomer jumpstart their
connection to the web of trust?
I've been a regular on various mailing lists and newsgroups for years.
I have a lot of friends on line but most of them I have never met face
to face and probably never will. I've known about PGP for years and
GnuPG for a while but have not actually had much of a need for them
until quite recently.
So I'm a new kid on the block. I've got a couple of key sets for home
and work. I've signed my own keys, but they haven't been signed by
anyone else. Likewise, I've imported a bunch of other people's keys.
Some of them have been signed by lots of other people, but I haven't
signed any of them except the two or three that I have met face to
face, exchanged proper identification and all that. I don't go to a
lot of cons or whatever, so I don't have many opportunities to go to
Occasionally I get a signed email from someone and gpg reports it as a
bad signature. Further investigation reveals the sig is good but there
is no valid trust path to the signature. I embarrassed myself pretty
good before I figured out what that really meant.
I want to sign other people's keys, and get them to sign mine, in order
to become part of the web of trust all the docs talk about. As you've
said, I have to sign a key before it is considered fully trusted. But
all the docs say don't sign any key unless you have gone to some
extraordinary lengths to verify that person's identity. How do I
resolve that contradiction?
Bud Rogers <firstname.lastname@example.org> http://www.sirinet.net/~budr/zamm.html
All things in moderation. And not too much moderation either.
Finger email@example.com for gpg fingerprints.
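The owner-trust / calculated-validity pair discussed in this thread, and the "good signature but no trust path" situation Bud describes, can be reproduced with a small model of how GnuPG's classic trust model propagates validity. The following is an added example, not code from the list post or from GnuPG itself: it implements a simplified version of that model with GnuPG's default thresholds (marginals-needed 3, completes-needed 1, max-cert-depth 5), reports only 'u', 'f' or '-' validity (marginal validity, key expiry and revocation are left out), and uses a constructed set of keys and signatures.

```python
"""Toy model of how GnuPG's classic trust model turns owner trust plus
key signatures into key validity.  Constructed example, not GnuPG code.
It uses the default thresholds (marginals-needed 3, completes-needed 1,
max-cert-depth 5) and only distinguishes 'u'/'f'/'-' validity; marginal
validity, expiry and revocation are left out to keep the example short."""

MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5

# Owner trust the user assigned to each key (constructed data):
#   'u' ultimate, 'f' full, 'm' marginal, '-' none / not set
OWNER_TRUST = {
    "bud": "u",      # the user's own key
    "alice": "f",    # met face to face; user trusts her as an introducer
    "bob": "m",
    "carol": "m",
    "frank": "m",
    "dave": "m",
    "erin": "m",
    "popular": "-",  # a stranger's key that carries many signatures
}

# SIGNATURES[key] = set of keys that certified `key` (constructed data)
SIGNATURES = {
    "alice": {"bud"},
    "bob": {"bud"},
    "carol": {"alice"},
    "frank": {"alice"},
    "dave": {"bob", "carol"},                   # two marginals: not enough
    "erin": {"bob", "carol", "frank"},          # three marginals, reached at depth 3
    "popular": {"s1", "s2", "s3", "s4", "s5"},  # signers the user never rated
}


def compute_validity(owner_trust, signatures,
                     marginals_needed=MARGINALS_NEEDED,
                     completes_needed=COMPLETES_NEEDED,
                     max_cert_depth=MAX_CERT_DEPTH):
    """Return {key: validity} with validity in {'u', 'f', '-'}.

    A key becomes valid when it is signed by enough keys that are
    themselves valid *and* carry owner trust.  Validity propagates one
    certification hop per round, for at most max_cert_depth rounds."""
    validity = {k: ("u" if t == "u" else "-") for k, t in owner_trust.items()}
    for _depth in range(1, max_cert_depth + 1):
        newly_valid = []
        for key, val in validity.items():
            if val != "-":
                continue
            completes = marginals = 0
            for signer in signatures.get(key, ()):
                # A signature only counts if the signer's own key is valid;
                # owner trust assigned to an invalid key means nothing.
                if validity.get(signer, "-") == "-":
                    continue
                trust = owner_trust.get(signer, "-")
                if trust in ("u", "f"):
                    completes += 1
                elif trust == "m":
                    marginals += 1
            if completes >= completes_needed or marginals >= marginals_needed:
                newly_valid.append(key)
        if not newly_valid:
            break
        # Apply after the scan so each round is exactly one hop deeper.
        for key in newly_valid:
            validity[key] = "f"
    return validity


def signature_verdict(validity, signer_key):
    """What gpg would, in effect, say about a good signature from signer_key."""
    if validity.get(signer_key, "-") == "-":
        return "good signature, but no valid trust path to the key"
    return "good signature from a valid key"


if __name__ == "__main__":
    v = compute_validity(OWNER_TRUST, SIGNATURES)
    for key in OWNER_TRUST:
        print(f"{key:8s} ownertrust={OWNER_TRUST[key]} validity={v[key]}")
    print("popular:", signature_verdict(v, "popular"))
```

Running it shows the point of the thread: "popular" has five signatures yet stays invalid, because none of its signers is a key the user has both validated and assigned owner trust, so a good signature from it is reported as lacking a trust path. "dave" stays invalid with two marginal signers, and "erin" only becomes valid once the chain reaches depth 3, which is why lowering max-cert-depth or raising marginals-needed shrinks the set of keys gpg will accept.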