Several questions as feedback on gnupg

David Shaw
Wed Jan 23 19:18:01 2002

On Wed, Jan 23, 2002 at 04:45:10PM +0100, Loic Bernable wrote:

> - I realized during a demonstration that no authentication is needed
>   when modifying the trust values, and in particular assigning a higher
>   trust value. Can't it be a problem ? If someone change the trust value
>   of his (or another) key that was in "no trust" mode, and set it as
>   "full trust", I will trust the signed keys without being warned i use
>   this key ; with this configuration, I should know what are the keys I 
>   trust and so not rely on the othentications made by the software ...

There are two different trust values.  The one you are talking about
here is the "owner trust".  It tells GnuPG how well you trust the
owner of that key to sign other keys.  Nobody can change their own
owner trust without walking up to your computer and doing it - it is
not part of the key.


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson