How trust works in gpg...
lhshas at googlemail.com
Tue Apr 15 13:39:43 CEST 2008
2008/4/15 Peter Lewis <prlewis at letterboxes.org>:
> Ah, thanks, that makes sense. And then I can sign his new UIDs too? Or just
> change their trust level?
You'll "have" to sign his new UIDs, too.
What you could to is do issue a so called non-exportable (gpg uses the
term local, iirc) signature.
That means this signature is (better said should be) only recognized
by the signer (you) but not by other people.
> Thanks, this is helpful. So, if I have to set the trust of other keys myself
> in order to recognise them as valid, what is the function of
Yes,.. but not always,.. for example gpg sets your own key
automatically to an unlimited trust ;-)
> the "completes-needed", "marginals-needed" and "max-cert-depth" options in my
> gpg.conf file?
gpg uses a so called trust modell (there ary actually several
different), where you can each UID/key an specific amount of trust.
You can give:
n Never trust this key.
m Marginally trusted.
f Fully trusted.
u Ultimately trusted.
and you'll also see:
- No ownertrust assigned / not yet calculated.
e Trust calculation has failed; probably due to an
q Not enough information for calculation.
(I've stole that from the manpage,.. so credit should go to Werner or
some of the other developers ;) )
Depending on how much you trust a user you normally give him n (e.g.
your little brother who signs every key/uid without validating it, m
or f and rarely perhaps even u (your wife, which you fully trust
*g*.... or not).
u means that you automatically recognize the key/UIDs that keyholder
made as valid
completes-needed specify how many trust-paths you need to a key from
keys you trust fully.
marginals-needed is the same for marginally trusted keys.
suppose you are A and have signed following key/UIDs with following
Now your gpg gets the key F, which you haven't signed yourself, but
the others have, thus you'll have the following trust-paths:
Suppose marginals-needed=3 and completes-needed=2:
The two paths
are not enough the recognize F as valid, because you'd need tree ?(m)
paths, but the two other pathes are enough.
(@the others,.. was that correct?)
More information about the Gnupg-users