How trust works in gpg...

Herbert Furting lhshas at googlemail.com
Tue Apr 15 00:42:43 CEST 2008


On Mon, 2008-04-14 at 23:20 +0100, Peter Lewis wrote:
> Ah yes, thanks. So I have now set the owner-trust for his key to "full", but 
> still it says "unknown" for the other UIDs. So, I should manually set the 
> trust for keys / UIDs that I think I trust based on who has signed them?
Sorry,.. I haven't read your initial post correctly.
As David said in the meantime, new UIDs are of course _not_ recognised
automatically (a user could simply add a completely wrong name). You
have to sign the UID (better said, key+UID).
You should only do so if the name is the same (or if you know that the
key holder goes by that name).

If the new UID just contains a new email address, you should really
check if the keyholder "controls" that email address.
You can do so by sending him an encrypted challenge.

> I was under the impression that the trust would be inferred automatically by 
> gpg, according to the trust rules 
> ("completes-needed", "marginals-needed", "max-cert-depth").
> For example, in this case, I have trusted his key fully, and he has signed his 
> UID, which is one complete link (or two from my own key), right?
> If not, what is the purpose of these parameters?
First of all,... you don't sign a key,.. you sign the UID for a key.

The trust stuff is there to let you recognize other keys as valid,...
that your directly signed people signed themselves.
e.g. If you trust Bill, who signed Joe,.. you might (depending on which
trust, and your settings) consider Joe's signatures too,... and even
trust him ;)

Herbert.

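The Bill/Joe situation from this thread, worked through in a small model of GnuPG's classic web-of-trust computation. This is an added example, not code from GnuPG or from anyone in the thread; the key names, UIDs and trust values are constructed sample data, and the model simplifies the real algorithm (one chain hop per round, self-signatures ignored, no "never" trust or expiry handling).

```python
# Simplified model of GnuPG's classic web-of-trust computation (added example).
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(uids, certs, ownertrust,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {(key, uid): bool}: which key+UID pairs are valid for us.

    uids:       {key: [uid, ...]}            - the UIDs each key carries
    certs:      {(signer, key, uid), ...}    - signatures on key+UID, not on bare keys
    ownertrust: {key: ULTIMATE|FULL|MARGINAL|UNKNOWN}
    A signature only counts if the signer's own key is already valid AND we
    assigned ownertrust to it; ultimate and full signers count as 'complete',
    marginal signers as 'marginal'. max_cert_depth bounds the chain length.
    """
    valid_uids = {(k, u) for k, us in uids.items() for u in us
                  if ownertrust.get(k) == ULTIMATE}          # depth 0: our own keys
    valid_keys = {k for k, _ in valid_uids}
    for _depth in range(max_cert_depth):                     # one chain hop per round
        newly_valid = set()
        for key, key_uids in uids.items():
            for uid in key_uids:
                if (key, uid) in valid_uids:
                    continue
                complete = marginal = 0
                for signer, k, u in certs:
                    if (k, u) != (key, uid) or signer == key or signer not in valid_keys:
                        continue                             # self-sigs / unknown signers ignored
                    trust = ownertrust.get(signer, UNKNOWN)
                    complete += trust in (ULTIMATE, FULL)
                    marginal += trust == MARGINAL
                if complete >= completes_needed or marginal >= marginals_needed:
                    newly_valid.add((key, uid))
        if not newly_valid:
            break
        valid_uids |= newly_valid
        valid_keys |= {k for k, _ in newly_valid}
    return {(k, u): (k, u) in valid_uids for k, us in uids.items() for u in us}


def thread_scenario(bill_trust=FULL, max_cert_depth=5):
    """The situation from the thread (constructed sample data, not real keys)."""
    uids = {"me": ["Me <me@example.org>"],
            "bill": ["Bill <bill@example.org>"],
            "joe": ["Joe <joe@example.org>", "Joe <joe@new-address.example>"]}
    certs = {("me", "bill", "Bill <bill@example.org>"),      # I signed Bill's UID
             ("bill", "joe", "Joe <joe@example.org>")}        # Bill signed Joe's first UID only
    ownertrust = {"me": ULTIMATE, "bill": bill_trust}
    return compute_validity(uids, certs, ownertrust, max_cert_depth=max_cert_depth)
```

With Bill at full ownertrust, Joe's signed UID becomes valid through Bill while his unsigned new UID stays unknown; with Bill's ownertrust left unknown, or with max_cert_depth=1, Joe is not validated at all, which is what the parameters in the quoted question control.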