trust

Michael Nahrath gnupg-users@nahrath.de
Tue Dec 10 12:05:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Picón Álvarez <eleuteri@myrealbox.com> wrote on 2002-12-10 04:02:

> Is it any use to specify trust for a non-valid (i.e. a key I haven't signed
> and no one I know has signed) key?

IMHO: Yes it is.

> This way I could just say I trust, let's say, WK to sign keys competently. I
> understand that it seems to make little sense to assert I trust him and at
> the same time I don't know for sure his key is his.

It needs two independent things before the ownertrust you set for a key
comes into action for building up calculated trust in other keys.

You need to raise the ownertrust of this key AND there must be some proof
inside your keyring that this key really belongs to its owner. This may be
your direct signature, but it may as well be someone else's (trusted)
signature.

> The difference is the
> following: if I decide to take the risk and assume his key is his and thus
> trust his signatures, that's only my problem.

But you should not do this without personal verification.

Imagine you set ownertrust for key 0x5B0358A2 <wk@gnupg.org> now.

Currently that won't change anything.

But imagine that next week you had an occasion to meet with Josh Huber
(just as an example) and sign his key 0x6B21489A.

Suddenly WK's key will be valid in your keyring and all keys it has signed
will inherit calculated trust. All because Josh has signed Werner.

Let's go one step further. You don't travel that much, but Dragos Necula
happens to visit Boston. He meets and exchanges signatures with Josh Huber.
If you had given ownertrust to Josh Huber's (at that time still invalid)
key before, then with Dragos' signature on Josh's key, all of a sudden all
signatures from Werner's key will produce computed trust for those keys that
you have in your keyring and that Werner has signed.

Greeting, Michi

P.S.: I hope it doesn't break some kind of netiquette or is in other ways
considered impolite to make examples with real people's keys. Please tell me
if it does!


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.1 (Darwin)

iEYEARECAAYFAj31ypsACgkQ19dRf5pMcEyJHACgxvWOcjveaSVsLDVwmMD8bWY3
7T8AoP0uHKOr8//GKT3aWm8eG08XaZ16
=o4m+
-----END PGP SIGNATURE-----
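The interplay Michi describes (ownertrust is only consulted once the key itself is valid, and validity comes from certifications by keys that are themselves valid and trusted) is easiest to see by running the three scenarios through a small model of GnuPG's classic trust model. The code below is an added example written for this archive page, not part of the original mail or of GnuPG; it uses constructed labels ("you", "josh", "wk", "dragos", "someone") instead of real key IDs, applies GnuPG's default thresholds (one fully trusted introducer or three marginal ones, certification depth at most 5) and deliberately ignores expiry, revocation and signature classes.

```python
"""Model of GnuPG's classic web-of-trust calculation (constructed example).

Two separate inputs feed the calculation:
  * ownertrust: how much YOU trust a key's owner to certify others
    (gpg --edit-key ... trust). Kept locally in your trustdb, not in the key.
  * signatures: certifications present in the keyring. They give a key VALIDITY.
A key acts as an introducer only if it is fully valid AND has ownertrust.
"""
from collections import defaultdict

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


class Keyring:
    def __init__(self, completes_needed=1, marginals_needed=3, max_cert_depth=5):
        # GnuPG defaults: 1 fully trusted introducer or 3 marginal ones, depth <= 5
        self.completes_needed = completes_needed
        self.marginals_needed = marginals_needed
        self.max_cert_depth = max_cert_depth
        self.keys = set()
        self.signers = defaultdict(set)  # signed key -> keys that certified it
        self.ownertrust = {}             # key -> trust level (default UNKNOWN)

    def sign(self, signer, signed):
        """`signer` certifies that `signed` belongs to its named owner."""
        self.keys.update((signer, signed))
        self.signers[signed].add(signer)

    def set_ownertrust(self, key, level):
        self.keys.add(key)
        self.ownertrust[key] = level

    def validity(self):
        """Return {key: FULL | MARGINAL | UNKNOWN} for every key in the ring."""
        # Ultimately trusted keys (normally your own) are valid at depth 0.
        depth = {k for k in self.keys if self.ownertrust.get(k) == ULTIMATE}
        depth = {k: 0 for k in depth}
        changed = True
        while changed:  # propagate validity until nothing new becomes valid
            changed = False
            for key in sorted(self.keys - depth.keys()):
                full, marginal = [], []
                for s in self.signers[key]:
                    # An introducer must itself be fully valid, have ownertrust,
                    # and not already sit at the certification depth limit.
                    if s not in depth or depth[s] >= self.max_cert_depth:
                        continue
                    trust = self.ownertrust.get(s, UNKNOWN)
                    if trust in (ULTIMATE, FULL):
                        full.append(s)
                    elif trust == MARGINAL:
                        marginal.append(s)
                if len(full) >= self.completes_needed or len(marginal) >= self.marginals_needed:
                    depth[key] = 1 + min(depth[s] for s in full + marginal)
                    changed = True
        result = {}
        for key in self.keys:
            if key in depth:
                result[key] = FULL
            elif any(s in depth and depth[s] < self.max_cert_depth
                     and self.ownertrust.get(s) in (FULL, MARGINAL)
                     for s in self.signers[key]):
                result[key] = MARGINAL  # some trusted introducer, but too few of them
            else:
                result[key] = UNKNOWN
        return result


def scenario_ownertrust_alone():
    """Ownertrust on an unverified key (Michi's first case): nothing changes."""
    kr = Keyring()
    kr.set_ownertrust("you", ULTIMATE)
    kr.set_ownertrust("wk", FULL)  # "I trust WK to sign keys competently"
    kr.sign("wk", "someone")       # a key certified only by WK
    return kr.validity()


def scenario_meet_josh():
    """You sign Josh's key and trust him; Josh had signed WK; WK signed 'someone'."""
    kr = Keyring()
    kr.set_ownertrust("you", ULTIMATE)
    kr.set_ownertrust("josh", FULL)
    kr.set_ownertrust("wk", FULL)
    kr.sign("you", "josh")
    kr.sign("josh", "wk")
    kr.sign("wk", "someone")
    return kr.validity()


def scenario_dragos_visits(josh_trust=FULL):
    """You only ever signed Dragos; Dragos signed Josh, Josh signed WK."""
    kr = Keyring()
    kr.set_ownertrust("you", ULTIMATE)
    kr.set_ownertrust("dragos", FULL)
    kr.set_ownertrust("josh", josh_trust)  # the ownertrust set "in advance"
    kr.set_ownertrust("wk", FULL)
    kr.sign("you", "dragos")
    kr.sign("dragos", "josh")
    kr.sign("josh", "wk")
    kr.sign("wk", "someone")
    return kr.validity()


def scenario_marginals(n_signers):
    """n marginally trusted keys you signed yourself all certify 'target'."""
    kr = Keyring()
    kr.set_ownertrust("you", ULTIMATE)
    for i in range(n_signers):
        kr.sign("you", f"m{i}")
        kr.set_ownertrust(f"m{i}", MARGINAL)
        kr.sign(f"m{i}", "target")
    return kr.validity()["target"]
```

Running the chain scenario with `josh_trust=UNKNOWN` shows the other half of the rule: Josh's key becomes valid (Dragos vouched for it), but without ownertrust on Josh the chain stops there and WK's key stays unknown, exactly the symmetric case to setting ownertrust on a key nobody has certified.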