How trust works in gpg...

Peter Lewis prlewis at
Tue Apr 15 14:23:01 CEST 2008

On Tuesday 15 April 2008 at 12:39:43 Herbert Furting wrote:
> gpg uses a so-called trust model (there are actually several
> different), where you can give each UID/key a specific amount of trust.
> You can give:
>                  n         Never trust this key.
>                  m         Marginally trusted.
>                  f         Fully trusted.
>                  u         Ultimately trusted.
> and you'll also see:
>                  -         No ownertrust assigned / not yet calculated.
>                  e         Trust calculation has failed; probably due to an expired key.
>                  q         Not enough information for calculation.
> (I've stolen that from the manpage... so credit should go to Werner or
> some of the other developers ;) )
> Depending on how much you trust a user you normally give him n (e.g.
> your little brother who signs every key/uid without validating it), m
> or f and rarely perhaps even u (your wife, whom you fully trust
> *g*.... or not).
> u means that you automatically recognize the key/UIDs that keyholder
> made as valid.
> completes-needed specifies how many trust-paths you need to a key from
> keys you trust fully.
> marginals-needed is the same for marginally trusted keys.
> Suppose you are A and have signed the following keys/UIDs with the
> following trust values:
> B(f)
> C(f)
> D(m)
> E(m)
> Now your gpg gets the key F, which you haven't signed yourself, but
> the others have, thus you'll have the following trust-paths:
> A->B(f)-F
> A->C(f)-F
> A->D(m)-F
> A->E(m)-F
> Suppose marginals-needed=3 and completes-needed=2:
> The two paths
> A->D(m)-F
> A->E(m)-F
> are not enough to recognize F as valid, because you'd need three ?(m)
> paths, but the two other paths are enough.

Thanks, that makes sense.

So I guess my question is: is this a guide for me, and then I should manually 
set the trust level on key F myself (if I am satisfied that the chains 
exist), or should gpg do this automatically for me based on the parameters in 
my gpg.conf? It doesn't seem to be calculating anything automatically at the 
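
The counting rule described in the quoted message, as an added example that is not part of the original thread and is not GnuPG's own code. It models a single hop only (every signer is a key that A has signed and assigned ownertrust to), and the function names, the extra signers G, H and X, and the sample data are assumptions made for illustration.

```python
from collections import Counter

def key_validity(signers, ownertrust, completes_needed, marginals_needed):
    """Decide whether a key is valid from the ownertrust of its signers.

    signers    -- names of the keys that signed the target key
    ownertrust -- {name: letter}, letters as in the quoted man page list
    Signers with no entry, or with n, -, e or q, contribute no path.
    """
    counts = Counter(ownertrust.get(name, "-") for name in set(signers))
    valid = (
        counts["u"] >= 1                      # one ultimately trusted signer
        or counts["f"] >= completes_needed    # enough fully trusted paths
        or counts["m"] >= marginals_needed    # enough marginally trusted paths
    )
    return valid, {"u": counts["u"], "f": counts["f"], "m": counts["m"]}

# Constructed data: the scenario from the quoted message (A is "you").
OWNERTRUST = {"B": "f", "C": "f", "D": "m", "E": "m"}
COMPLETES_NEEDED, MARGINALS_NEEDED = 2, 3

def check(signers, ownertrust=OWNERTRUST):
    """Evaluate one set of signers with the thresholds used in the message."""
    return key_validity(signers, ownertrust, COMPLETES_NEEDED, MARGINALS_NEEDED)

if __name__ == "__main__":
    cases = {
        "B, C, D, E sign F": ["B", "C", "D", "E"],
        "only D, E sign F": ["D", "E"],
        "only B signs F": ["B"],
    }
    for label, signers in cases.items():
        valid, counts = check(signers)
        print(f"{label}: valid={valid} paths={counts}")
    # Hypothetical extra signers: G is marginally trusted, H is never trusted.
    extended = dict(OWNERTRUST, G="m", H="n")
    print("D, E, G, H sign F:", check(["D", "E", "G", "H"], extended))
```
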

