trusting secret keys
dshaw at jabberwocky.com
Fri May 14 14:44:15 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Fri, May 14, 2004 at 01:49:58AM -0400, Atom 'Smasher' wrote:
> why is it that even when a secret key is in the keyring, that key is not
> automatically given "ultimate trust"?
> i would think that if someone has possession of both the private and
> public pieces of a key, there's no reason why the key shouldn't be
> trusted... at least as a default. are there situations where one can't (or
> shouldn't) trust themselves?

Yes. Since people can send secret keys around just as easily as they
send public keys, there is an attack that involves sending a secret
and public key together (which would then be ultimately trusted).
That allows someone to falsely influence your web of trust.

By not automatically giving ultimate trust to public keys when the
secret key is present, this attack is stopped.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
-----END PGP SIGNATURE-----
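
The design choice discussed in this thread, as a small model added here (not part of the original message and not GnuPG's code): it compares which keys end up valid when a keyring auto-assigns ultimate trust on secret key import versus when ownertrust must be set explicitly. The `Keyring` class, the key ids and the simplified validity rule are assumptions made for illustration.

```python
# Simplified model of OpenPGP key validity; not GnuPG's implementation.
# A key is valid if its owner trust is ultimate, or if it is certified by a
# valid key whose owner trust is full or ultimate (no marginal trust or depth).
ULTIMATE, FULL, UNKNOWN = "ultimate", "full", "unknown"


class Keyring:
    def __init__(self, auto_trust_secret_keys):
        self.auto_trust = auto_trust_secret_keys
        self.ownertrust = {}  # key id -> owner trust level
        self.certs = {}       # key id -> ids of keys that certified it

    def import_public(self, key_id, signed_by=()):
        self.certs.setdefault(key_id, set()).update(signed_by)
        self.ownertrust.setdefault(key_id, UNKNOWN)

    def import_secret(self, key_id):
        self.import_public(key_id)
        if self.auto_trust:  # the default proposed in the question
            self.ownertrust[key_id] = ULTIMATE

    def valid_keys(self):
        valid = {k for k, t in self.ownertrust.items() if t == ULTIMATE}
        changed = True
        while changed:  # propagate validity along certifications
            changed = False
            for key, signers in self.certs.items():
                trusted = any(s in valid and self.ownertrust.get(s) in (FULL, ULTIMATE)
                              for s in signers)
                if key not in valid and trusted:
                    valid.add(key)
                    changed = True
        return valid


def scenario(auto_trust_secret_keys):
    ring = Keyring(auto_trust_secret_keys)
    ring.import_secret("me")            # key the user generated
    ring.ownertrust["me"] = ULTIMATE    # trust set deliberately by the user
    ring.import_public("alice", signed_by={"me"})
    # Constructed input: a secret+public pair received from someone else,
    # plus a key that this received pair has certified.
    ring.import_secret("received-pair")
    ring.import_public("certified-by-received", signed_by={"received-pair"})
    return ring.valid_keys()


if __name__ == "__main__":
    print(sorted(scenario(False)), sorted(scenario(True)))
```

With explicit ownertrust the received pair stays at unknown trust and validates nothing; with automatic ultimate trust, everything it certified becomes valid.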