tracing the Web of Trust?
Charles Mauch
cmauch at taclug.org
Fri Aug 12 09:54:03 CEST 2005
Quoting "Michael W. Lucas" <mwlucas at blackhelicopters.org>:
> I'm trying to learn if there's a tool to trace the web of trust
> between two keys.
>
> For example, suppose I get an email from someone I've never heard of
> and want to learn if there is any valid chain of signatures leading
> from me to him.
If you're using an old version of gnupg, you can use Darxus's sigtrace[1] and
mutt-sigtrace[2] to display pgp signature path traces inline with the pgp
signature verification of your MUA. (I use mutt)
I maintain some newer[3] versions of these same scripts, which work with
gnupg's --with-colons mode. The end result isn't quite as pretty, but it
does work.
You can also use wotsap[4] data to determine a signature path. I
discovered it after I'd customized sigtrace for my own use.
There are a variety of web-enabled tools to achieve the same results if
you're only interested in casual tracing. The most well known of these I
think is probably Jason Harris's keyserver which can be used by playing
with the following url:
http://keyserver.kjsl.com/~jharris/gpgwww.cgi?from=0xkeyid&to=0xkeyid
Once I started tracing all the pgp keys that I came across, I noticed my
attitudes toward key trust changed. For example, I used to think CA Robots
were a great idea. Now I tend to not trust any key verified through a CA
robot. You really start to appreciate the WoT for what it is when you see
it in action all day long.
[1] http://www.chaosreigns.com/code/sigtrace/
[2] http://www.chaosreigns.com/code/mutt-sigtrace/
[3] http://charles.mauch.name/code/sigtrace/
[4] http://www.lysator.liu.se/~jc/wotsap/
--
Regards,
Charles Mauch
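
The kind of trace discussed in this message, as an added example that is not part of the original post and is not the sigtrace code: it reads a colon-format listing as produced by `gpg --check-sigs --with-colons`, builds a signer-to-signed graph, and finds the shortest chain of certifications between two keys. Assumptions: field positions follow GnuPG's colon listing format, the sample listing and key IDs are constructed, expiry is ignored, and a certification revocation is treated as cancelling that signer's certification of the whole key.

```python
from collections import deque

# Constructed sample in `gpg --check-sigs --with-colons` layout (invented IDs, uid lines omitted).
SAMPLE = """\
pub:u:2048:1:00000000000000A1:1100000000:::u:::scESC:
sig:!::1:00000000000000A1:1100000000::::Me <me@example.org>:13x:
pub:f:2048:1:00000000000000B2:1100000000:::-:::scESC:
sig:!::1:00000000000000A1:1100000100::::Me <me@example.org>:10x:
pub:f:2048:1:00000000000000E5:1100000000:::-:::scESC:
sig:!::1:00000000000000B2:1100000200::::Bob <bob@example.org>:10x:
pub:-:2048:1:00000000000000C3:1100000000:::-:::scESC:
sig:!::1:00000000000000B2:1100000300::::Bob <bob@example.org>:10x:
rev:!::1:00000000000000B2:1100000400::::Bob <bob@example.org>:30x:
sig:!::1:00000000000000E5:1100000300::::Eve <eve@example.org>:10x:
sig:-::1:00000000000000A1:1100000500::::Me <me@example.org>:10x:
"""

def signature_graph(listing):
    # signer key ID -> set of certified key IDs; a revocation cancels the pair (simplification)
    certs, revoked, current = set(), set(), None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            current = f[4] if f[0] == "pub" else None  # sigs after sub are bindings
        elif f[0] in ("sig", "rev") and current and len(f) > 10 and f[1] == "!":
            signer, sigclass = f[4], f[10][:2]  # only "!" (verified good) counts
            if f[0] == "rev" and sigclass == "30":
                revoked.add((signer, current))
            elif f[0] == "sig" and sigclass in ("10", "11", "12", "13") and signer != current:
                certs.add((signer, current))
    graph = {}
    for signer, signed in certs - revoked:
        graph.setdefault(signer, set()).add(signed)
    return graph

def trace(graph, src, dst):
    # Breadth-first search: shortest chain of certifications, or None.
    prev, queue = {src: None}, deque([src])
    while queue:
        key = queue.popleft()
        for nxt in sorted(graph.get(key, ())):
            if nxt not in prev:
                prev[nxt] = key
                queue.append(nxt)
    path = [dst] if dst in prev else []
    while path and prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1] or None

print(trace(signature_graph(SAMPLE), "00000000000000A1", "00000000000000C3"))
```

A chain found this way only shows that signatures exist and verified; whether the target key is considered valid still depends on the ownertrust assigned to each intermediate key.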