Why is ~/.gnupg/trustdb.gpg readable by all?

Bud Rogers budr@sirinet.net
Thu Feb 8 01:19:02 2001

On Wednesday 07 February 2001 14:28, George Sinclair wrote:

> Bear with me a moment while I ramble away with some prefatory
> rhetoric.
> When a key is created, a trust value pair is associated with
> the key. The first is the assigned owner trust, and the second is the
> calculated trust value. This is always '-/u' ('-' = No owner-trust
> assigned or not yet calculated, 'u'=Ultimately trusted).
Hello George,

Thanks for that thoughtful explanation. I am brand new to the list, so forgive me if I'm about to ask a FAQ, but you've touched on a question that I am struggling with. How does a newcomer jumpstart their connection to the web of trust?

I've been a regular on various mailing lists and newsgroups for years. I have a lot of friends online but most of them I have never met face to face and probably never will. I've known about PGP for years and GnuPG for a while but have not actually had much of a need for them until quite recently. So I'm a new kid on the block.

I've got a couple of key sets for home and work. I've signed my own keys, but they haven't been signed by anyone else. Likewise, I've imported a bunch of other people's keys. Some of them have been signed by lots of other people, but I haven't signed any of them except the two or three that I have met face to face, exchanged proper identification and all that. I don't go to a lot of cons or whatever, so I don't have many opportunities to go to key signings.

Occasionally I get a signed email from someone and gpg reports it as a bad signature. Further investigation reveals the sig is good but there is no valid trust path to the signature. I embarrassed myself pretty good before I figured out what that really meant.

I want to sign other people's keys, and get them to sign mine, in order to become part of the web of trust all the docs talk about. As you've said, I have to sign a key before it is considered fully trusted. But all the docs say don't sign any key unless you have gone to some extraordinary lengths to verify that person's identity. How do I resolve that contradiction?

-- 
Bud Rogers <budr@sirinet.net> http://www.sirinet.net/~budr/zamm.html
All things in moderation. And not too much moderation either.
Finger budr@sirinet.net for gpg fingerprints.
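The confusion Bud describes (a signature that is cryptographically good but has no trust path, read at first glance as a "bad signature") is easiest to avoid by checking gpg's machine-readable status lines rather than its human-readable output. The following is an added example, not code from the original thread: it parses the `[GNUPG:]` lines gpg writes to `--status-fd` and separates "bad signature" from "good signature, untrusted key". The transcripts below are constructed samples with a made-up key ID, not captured from a real run.

```python
"""Added example: classify a gpg --status-fd transcript.

Line formats follow GnuPG's DETAILS documentation (GOODSIG, BADSIG,
ERRSIG, NO_PUBKEY, TRUST_*). Sample transcripts are constructed."""

# Trust lines map to the validity gpg computed from the web of trust.
TRUST_LINES = {
    "TRUST_UNDEFINED": "undefined",  # key present, but no trust path ('-')
    "TRUST_NEVER": "never",
    "TRUST_MARGINAL": "marginal",
    "TRUST_FULLY": "full",
    "TRUST_ULTIMATE": "ultimate",    # e.g. your own key, owner-trust 'u'
}


def classify(status_output: str) -> dict:
    """Reduce a status transcript to signature state, trust level, key ID."""
    result = {"signature": "unverifiable", "trust": None, "key": None}
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary gpg chatter, not a status line
        fields = line[len("[GNUPG:] "):].split()
        tag, args = fields[0], fields[1:]
        if tag == "GOODSIG":          # crypto check passed
            result["signature"], result["key"] = "good", args[0]
        elif tag == "BADSIG":         # crypto check failed: tampered/corrupt
            result["signature"], result["key"] = "bad", args[0]
        elif tag in ("ERRSIG", "NO_PUBKEY"):  # could not be checked at all
            result["key"] = args[0]
        elif tag in TRUST_LINES:      # emitted after a good signature only
            result["trust"] = TRUST_LINES[tag]
    return result


def is_good_but_untrusted(status_output: str) -> bool:
    """Bud's case: the signature verifies, the signer just isn't trusted."""
    r = classify(status_output)
    return r["signature"] == "good" and r["trust"] in (None, "undefined", "never")


# Constructed transcripts (key ID and user ID are placeholders).
GOOD_UNTRUSTED = """[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
GOOD_OWN_KEY = """[GNUPG:] GOODSIG 0123456789ABCDEF Bud Example <bud@example.org>
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
BAD_SIG = """[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@example.org>
"""
```

Only a `BADSIG` (or `ERRSIG`/`NO_PUBKEY`) line means the signature itself could not be validated; a `GOODSIG` followed by `TRUST_UNDEFINED` is a valid signature from a key you have not yet placed in your web of trust.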