How trust works in gpg...

Peter Lewis prlewis at letterboxes.org
Tue Apr 15 14:23:01 CEST 2008


On Tuesday 15 April 2008 at 12:39:43 Herbert Furting wrote:
> gpg uses a so called trust model (there are actually several
> different ones), where you can give each UID/key a specific amount of trust.
> You can give:
>                  n         Never trust this key.
>                  m         Marginally trusted.
>                  f         Fully trusted.
>                  u         Ultimately trusted.
> and you'll also see:
>                  -         No ownertrust assigned / not yet calculated.
>                  e         Trust calculation has failed; probably due to
>                            an expired key.
>                  q         Not enough information for calculation.
>
> (I've stolen that from the manpage... so credit should go to Werner or
> some of the other developers ;) )
>
>
> Depending on how much you trust a user you normally give him n (e.g.
> your little brother who signs every key/uid without validating it), m
> or f, and rarely perhaps even u (your wife, whom you fully trust
> *g*.... or not).
> u means that you automatically recognize the key/UIDs that keyholder
> made as valid.
> completes-needed specifies how many trust paths you need to a key from
> keys you trust fully.
> marginals-needed is the same for marginally trusted keys.
>
> suppose you are A and have signed the following key/UIDs with the following
> trust values:
> B(f)
> C(f)
> D(m)
> E(m)
> Now your gpg gets the key F, which you haven't signed yourself, but
> the others have, thus you'll have the following trust-paths:
> A->B(f)-F
> A->C(f)-F
> A->D(m)-F
> A->E(m)-F
>
> Suppose marginals-needed=3 and completes-needed=2:
> The two paths
> A->D(m)-F
> A->E(m)-F
> are not enough to recognize F as valid, because you'd need three (m)
> paths, but the two other paths are enough.

Thanks, that makes sense.

So I guess my question is: is this a guide for me, and then I should manually 
set the trust level on key F myself (if I am satisfied that the chains 
exist), or should gpg do this automatically for me based on the parameters in 
my gpg.conf? It doesn't seem to be calculating anything automatically at the 
moment.

Thanks,

Pete.
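The trust-path arithmetic Herbert describes, replayed in code as an added example (not from the thread or from GnuPG itself): a simplified model of gpg's classic trust computation, seeded from ultimately trusted keys and propagated hop by hop, with only fully valid keys acting as introducers. Key names A..F and the constructed OWNERTRUST/SIGS tables follow the quoted scenario; the exact rules are an assumption about gpg's behaviour, not its code.

```python
# Owner-trust letters as gpg prints them (see the quoted manpage excerpt).
NEVER, UNKNOWN, MARGINAL, FULL, ULTIMATE = "n", "-", "m", "f", "u"


def compute_validity(sigs, ownertrust, marginals_needed=3, completes_needed=1,
                     max_cert_depth=5):
    """Return {key: 'full' | 'marginal' | 'unknown'} for every key.

    sigs:       {key: set of keys whose signature is on that key}
    ownertrust: {key: trust letter} as set with `gpg --edit-key ... trust`
    Simplified model: validity starts at ultimately trusted keys and spreads
    one hop per round; only fully valid keys count as introducers, weighted
    by the owner trust you gave them (marginals-needed / completes-needed).
    """
    keys = set(sigs) | set(ownertrust)
    validity = {k: "full" if ownertrust.get(k) == ULTIMATE else "unknown"
                for k in keys}
    for _ in range(max_cert_depth):
        changed = False
        for key, signers in sigs.items():
            if validity[key] == "full":
                continue  # already as valid as it can get
            introducers = [s for s in signers if validity.get(s) == "full"]
            if any(ownertrust.get(s) == ULTIMATE for s in introducers):
                new = "full"  # your own (ultimate) signature is decisive
            else:
                fulls = sum(ownertrust.get(s) == FULL for s in introducers)
                margs = sum(ownertrust.get(s) == MARGINAL for s in introducers)
                if fulls >= completes_needed or margs >= marginals_needed:
                    new = "full"
                elif fulls or margs:
                    new = "marginal"  # some paths, but below the thresholds
                else:
                    new = "unknown"   # 'n' and '-' signers never count
            if new != validity[key]:
                validity[key], changed = new, True
        if not changed:
            break
    return validity


# Constructed scenario from the quoted mail: you are A; you signed B, C (f)
# and D, E (m). F is signed by some of them but not by you.
OWNERTRUST = {"A": ULTIMATE, "B": FULL, "C": FULL, "D": MARGINAL, "E": MARGINAL}
SIGS = {"B": {"A"}, "C": {"A"}, "D": {"A"}, "E": {"A"}}


def f_validity(signers, marginals_needed=3, completes_needed=2):
    """Validity gpg would compute for F given the set of keys that signed it."""
    sigs = dict(SIGS, F=set(signers))
    return compute_validity(sigs, OWNERTRUST, marginals_needed,
                            completes_needed)["F"]
```

With Herbert's settings, F signed by B, C, D and E is fully valid through the two (f) paths; signed by D and E alone it is only marginal, since three (m) paths would be needed.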