trust owner => trust his key?

David Shaw dshaw at jabberwocky.com
Thu Jan 25 17:49:37 CET 2007


On Thu, Jan 25, 2007 at 03:41:48PM +0100, Hans Ekbrand wrote:
> Hi gnupg-user!
> 
> I am new to the list. I have used gnupg for quite some time, mostly
> for signing.
> 
> I use debian and have installed the package "debian-keyring" which holds the
> public keys for the debian developers.
> 
> I have added a directive to .gnupg/gpg.conf to reflect this:
> 
> keyring /usr/share/keyrings/debian-keyring.gpg
> 
> Now I trust that these keys are valid (belong to the right persons),
> since debian seems to have a good process for establishing that.
> 
> I don't want to sign these keys myself, since I haven't checked the
> validity of them. I believe in the validity of them, but I would not want to
> vouch for it.
> 
> I thought that if I put "Full" owner trust to some of the developers
> that would make all the keys valid (provided that enough of the
> developers had signed each other's keys). (Based on a large number of
> emails I have read from debian-developers, I do trust some of them).
> 
> Putting "Full" owner trust in one person didn't imply that his key
> was valid, which came as a surprise to me.
> 
> To sum up, I have two questions:
> 
> a) Why doesn't "Full" owner trust of a person imply that that
>    person's key is valid? (If he can correctly validate correspondence
>    between other persons and keys why not trust him to do that on his
>    own key too?)

Owner trust doesn't mean "I trust this person" or "I trust that this
key belongs to the person it seems to".  It actually means "I trust
this key to sign other keys".  If you want to make a key valid, you
need to sign it yourself (you can use 'lsign' if you want to
make a local signature that is for your own use, or 'sign' if you want
to make the signature publicly for anyone to use).  Once a key is
valid, then its owner trust is taken into account when making keys
that it signed also valid.

> b) What should I do for gpg to recognise the keys in debian-keyring as
>    valid (should I sign them myself)?

You were on the right track before.  Just instead of giving full owner
trust to some of the developers, lsign their keys also.

David
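The sequence David describes, reproduced in throwaway keyrings as an added example (this script is not part of the original thread and is not GnuPG project code). It builds two "developer" keys in one GNUPGHOME, has A sign B, imports only their public keys into a second GNUPGHOME that stands in for a keyring such as debian-keyring, and then prints B's computed validity at three points: with no trust set, with full owner trust on A alone, and after A has been lsigned. The names, addresses and passphrase-less demo keys are constructed for the example; it assumes gpg 2.1 or later (for the --quick-* commands), mktemp and awk.

```shell
#!/bin/sh
# Added example, not from the original thread or the GnuPG project.
# All key names and addresses below are constructed for this demo.
set -eu

# gpg wrapper: non-interactive, empty passphrase, explicit home directory.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --yes \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Fingerprint of the first key matching a user id (fpr record, field 10).
fpr_of() {
  g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Computed validity letter of a key (pub record, field 2):
# '-' unknown, 'q' undefined, 'n' never, 'm' marginal, 'f' full, 'u' ultimate.
validity_of() {
  g "$1" --check-trustdb 2>/dev/null
  g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $2; exit}'
}

run_demo() {
  DEVHOME=$(mktemp -d); MYHOME=$(mktemp -d)
  chmod 700 "$DEVHOME" "$MYHOME"
  trap 'rm -rf "$DEVHOME" "$MYHOME"' EXIT

  # Two "developers" with their own keyring; A makes an exportable signature on B.
  g "$DEVHOME" --quick-gen-key 'Dev A (demo) <deva@example.invalid>' default default never
  g "$DEVHOME" --quick-gen-key 'Dev B (demo) <devb@example.invalid>' default default never
  g "$DEVHOME" -u deva@example.invalid \
      --quick-sign-key "$(fpr_of "$DEVHOME" devb@example.invalid)"

  # "Me" generates an own (ultimately trusted) key and imports only the
  # developers' public keys, like installing a distribution keyring package.
  g "$MYHOME" --quick-gen-key 'Me (demo) <me@example.invalid>' default default never
  g "$DEVHOME" --export deva@example.invalid devb@example.invalid | g "$MYHOME" --import
  FPR_A=$(fpr_of "$MYHOME" deva@example.invalid)

  BEFORE_B=$(validity_of "$MYHOME" devb@example.invalid)

  # Step 1: full owner trust (level 5) on A alone. A itself is not valid,
  # so its signature on B still counts for nothing.
  printf '%s:5:\n' "$FPR_A" | g "$MYHOME" --import-ownertrust
  TRUST_ONLY_A=$(validity_of "$MYHOME" deva@example.invalid)
  TRUST_ONLY_B=$(validity_of "$MYHOME" devb@example.invalid)

  # Step 2: lsign A with Me's key. A becomes valid, and because A also has
  # full owner trust, the key A signed (B) becomes valid as well.
  g "$MYHOME" --quick-lsign-key "$FPR_A"
  LSIGN_A=$(validity_of "$MYHOME" deva@example.invalid)
  LSIGN_B=$(validity_of "$MYHOME" devb@example.invalid)

  printf 'no trust: B=%s | full ownertrust on A only: A=%s B=%s | after lsign A: A=%s B=%s\n' \
    "$BEFORE_B" "$TRUST_ONLY_A" "$TRUST_ONLY_B" "$LSIGN_A" "$LSIGN_B"

  # Stop the per-homedir agents and clean up the throwaway keyrings.
  gpgconf --homedir "$DEVHOME" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$MYHOME" --kill gpg-agent 2>/dev/null || true
  rm -rf "$DEVHOME" "$MYHOME"
}

if command -v gpg >/dev/null 2>&1; then run_demo; else echo 'gpg not found' >&2; fi
```

Expected shape of the output is that B is not valid in the first two states and both A and B show full validity ('f') only after the lsign. Local signatures made with --quick-lsign-key are non-exportable, so they never leave the keyring even if the key is later exported.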
