How trust works in gpg...

Peter Lewis prlewis at
Tue Apr 15 11:52:51 CEST 2008

On Monday 14 April 2008 at 23:42:43 Herbert Furting wrote:
> If the new UID just contains a new email address, you should really
> check if the keyholder "controls" that email address.
> You can do so, by sending him an encrypted challenge.

Ah, thanks, that makes sense. And then I can sign his new UIDs too? Or just 
change their trust level?

> > I was under the impression that the trust would be inferred automatically
> > by gpg, according to the trust rules
> > ("completes-needed", "marginals-needed", "max-cert-depth").
> > For example, in this case, I have trusted his key fully, and he has
> > signed his UID, which is one complete link (or two from my own key),
> > right? If not, what is the purpose of these parameters?
> First of all,... you don't sign a key,.. you sign the UID for a key.
> The trust stuff is there to let you recognize other keys as valid,...
> that your directly signed people signed themselves.
> e.g. If you trust Bill, who signed Joe,.. you might (depending on which
> trust, and your settings) consider Joe's signatures too,... and even
> trust him ;)

Thanks, this is helpful. So, if I have to set the trust of other keys myself 
in order to recognise them as valid, what is the function of 
the "completes-needed", "marginals-needed" and "max-cert-depth" options in my 
gpg.conf file?

Thanks again!
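
Added example, not part of the original message and not GnuPG's own code: a simplified Python model of the classic trust model, showing how the owner trust you assign by hand feeds the validity gpg computes under "completes-needed", "marginals-needed" and "max-cert-depth". The keyring is constructed (Bill and Joe are borrowed from the quoted text), the default values 1, 3 and 5 are GnuPG's documented defaults, and validity is tracked per key rather than per UID.

```python
# Simplified model of GnuPG's classic trust model; not GnuPG's own code.
# Owner trust is assigned by hand; validity is computed from it.
FULL, MARGINAL = "full", "marginal"

def compute_validity(me, sigs, ownertrust,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for each key considered valid.

    sigs: signer -> set of keys that signer has certified (constructed input).
    ownertrust: key -> FULL or MARGINAL; a missing key is no trusted introducer.
    `me` is the ultimately trusted key, at depth 0.
    """
    valid = {me: 0}
    for depth in range(1, max_cert_depth + 1):
        candidates = {k for s in valid for k in sigs.get(s, ())} - set(valid)
        newly_valid = {}
        for key in candidates:
            # Only signatures from keys that are already valid count.
            signers = [s for s in valid if key in sigs.get(s, ())]
            full = sum(1 for s in signers if ownertrust.get(s) == FULL)
            marginal = sum(1 for s in signers if ownertrust.get(s) == MARGINAL)
            if (me in signers or full >= completes_needed
                    or marginal >= marginals_needed):
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid

# Constructed keyring: who has certified whom.
SIGS = {
    "me":    {"bill", "alice", "bob", "carol"},
    "bill":  {"joe"},                 # one fully trusted signer
    "alice": {"dave", "erin"},
    "bob":   {"dave", "erin"},
    "carol": {"erin"},                # erin has three marginal signers
    "joe":   {"frank"},               # joe is valid but has no owner trust
}
OWNERTRUST = {"bill": FULL, "alice": MARGINAL, "bob": MARGINAL, "carol": MARGINAL}

if __name__ == "__main__":
    for label, opts in [("defaults", {}),
                        ("marginals-needed 2", {"marginals_needed": 2}),
                        ("max-cert-depth 1", {"max_cert_depth": 1})]:
        result = compute_validity("me", SIGS, OWNERTRUST, **opts)
        print(f"{label:20s} {sorted(result.items(), key=lambda kv: kv[1])}")
```

Joe becomes valid without being signed by "me", while Frank does not, because a valid key only introduces others once it has been given owner trust.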
