How trust works in gpg...

Peter Lewis prlewis at letterboxes.org
Tue Apr 15 00:20:29 CEST 2008


Thanks Herbert, David, for the quick replies.

On Monday 14 April 2008 at 22:50:46 Herbert Furting wrote:
> Trust and signatures are different things (of course they are
> connected).
>
> You can change the trust on the key with the "trust" command when
> editing his key.

Ah yes, thanks. So I have now set the owner-trust for his key to "full", but 
still it says "unknown" for the other UIDs. So, I should manually set the 
trust for keys / UIDs that I think I trust based on who has signed them?

I was under the impression that the trust would be inferred automatically by 
gpg, according to the trust rules 
("completes-needed", "marginals-needed", "max-cert-depth").

For example, in this case, I have trusted his key fully, and he has signed his 
UID, which is one complete link (or two from my own key), right?

If not, what is the purpose of these parameters?

On Monday 14 April 2008 at 22:55:43 David Shaw wrote:
> Yes.  It's fairly common to say "I signed a key", but in reality,
> you're signing a UID on a key.  Thus, the UID that you signed is
> marked as valid, but the UID you didn't sign isn't.  If you want that
> UID to be valid as well, you need to sign it too.

Is there any reason not to do this? I.e. is it possible for someone else to 
upload a UID to his key and make it look like he's signed it?

Sorry for the newbie questions!

Pete.
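
An added illustration (not part of the original message, and not GnuPG's own code): a simplified model of the per-UID validity rule discussed in this thread, using gpg's default values for completes-needed, marginals-needed and max-cert-depth. The key names, UIDs and the `uid_validity` helper are constructed for the example.

```python
# Simplified model of per-UID validity in gpg's classic trust model.
# Added illustration; not GnuPG's code. Key ids and UIDs below are constructed.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5  # gpg defaults

def uid_validity(my_keys, ownertrust, certs, completes=COMPLETES_NEEDED,
                 marginals=MARGINALS_NEEDED, max_depth=MAX_CERT_DEPTH):
    """certs maps (key, uid) -> set of keys that signed that UID.
    ownertrust maps key -> "full" or "marginal". Returns (key, uid) -> validity."""
    validity = {ku: ("ultimate" if ku[0] in my_keys else "unknown") for ku in certs}
    signers = {k: "full" for k in my_keys}  # keys whose certifications count
    for _ in range(max_depth):              # each pass extends chains by one step
        promoted = {}
        for (key, uid), sigs in certs.items():
            if key in my_keys:
                continue
            # Self-signatures bind a UID to the key but never make it valid.
            counted = [signers[s] for s in sigs if s != key and s in signers]
            full, marg = counted.count("full"), counted.count("marginal")
            if full >= completes or marg >= marginals:
                validity[(key, uid)] = "full"
                if key in ownertrust:       # owner trust only counts on a valid key
                    promoted[key] = ownertrust[key]
            elif full or marg:
                validity[(key, uid)] = "marginal"
        if promoted.keys() <= signers.keys():
            break                           # nothing new to propagate
        signers.update(promoted)
    return validity

# Constructed keyring: FRIEND has two UIDs, only one of which ME has signed.
CERTS = {
    ("ME", "me@example.org"): {"ME"},
    ("FRIEND", "friend@home.example"): {"FRIEND", "ME"},
    ("FRIEND", "friend@work.example"): {"FRIEND"},          # self-signed only
    ("CAROL", "carol@example.org"): {"CAROL", "FRIEND"},
    ("M1", "m1@example.org"): {"M1", "ME"},
    ("M2", "m2@example.org"): {"M2", "ME"},
    ("DAVE", "dave@example.org"): {"DAVE", "M1", "M2"},
}
OWNERTRUST = {"FRIEND": "full", "M1": "marginal", "M2": "marginal"}

def demo():
    return uid_validity({"ME"}, OWNERTRUST, CERTS)

if __name__ == "__main__":
    for (key, uid), v in demo().items():
        print(f"{key:7} {uid:22} {v}")
```

In this model, full owner trust on FRIEND makes CAROL's UID valid, while FRIEND's own self-signed-only UID stays "unknown" until it is certified by a key whose signatures count.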