How trust works in gpg...

Mark H. Wood mwood at IUPUI.Edu
Tue Apr 15 15:37:45 CEST 2008


On Tue, Apr 15, 2008 at 01:23:01PM +0100, Peter Lewis wrote:
> So I guess my question is: is this a guide for me, and then I should manually 
> set the trust level on key F myself (if I am satisfied that the chains 
> exist), or should gpg do this automatically for me based on the parameters in 
> my gpg.conf? It doesn't seem to be calculating anything automatically at the 
> moment.

What it is meant to do I can't say, but I hope that it does *not*
assign trust to others' keys automatically.

What I would expect is that what gpg does on its own is to
authenticate a use of a key:  does this crypto blob have the
properties necessary to be judged a valid use of key X?  But the
*meaning* of that validity *to me* is a judgment that no machine can
make.  I should have to grant trust myself, because gpg cannot know
enough about me to do it for me.

I may trust B's handling of his own keys, but not trust B's judgments
about F's handling of *his* keys.  The safest thing for gpg to assume
is that I assign no trust at all until I have instructed it
otherwise.  B's signature on F's key is information that I might take
into consideration, but I might (for example) decide merely to
remember that datum and observe F's behavior for a while before
trusting F's key.

As for whether you should do anything about your associate's
additional UID, you should consider the proposition that what you are
willing to say to the world about your associate as an individual, and
what you are willing to say about his persona as a representative of
his employers, may be two different things.  For one thing, the
handling of his "company" UID may be dictated by policy beyond his
control and not altogether in his hands.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
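
The distinction drawn in the reply, validity that gpg computes versus ownertrust that only the user grants, can be seen in a small model of the classic web-of-trust calculation that takes the gpg.conf parameters completes-needed, marginals-needed and max-cert-depth as inputs. This is an added example, not code from the thread or from GnuPG itself; the key names A, B and F follow the thread, and the ownertrust labels and the simplified depth handling are assumptions.

```python
from typing import Dict, Set

# Ownertrust levels as the user assigns them (e.g. via `gpg --edit-key` / trust).
# Only these three let a key's certifications count toward other keys' validity.
CERTIFYING = {"marginal", "full", "ultimate"}


def compute_validity(sigs: Dict[str, Set[str]], ownertrust: Dict[str, str],
                     completes_needed: int = 1, marginals_needed: int = 3,
                     max_cert_depth: int = 5) -> Dict[str, str]:
    """Derive key validity ('full' / 'marginal' / 'unknown') from signatures + ownertrust.

    sigs maps a signed key to the set of keys that certified it; ownertrust maps a key
    to 'unknown', 'never', 'marginal', 'full' or 'ultimate'. Keys absent from a dict
    are treated as unsigned / unknown trust. (Simplified model, not GnuPG's code.)
    """
    # Ultimately trusted keys (normally your own) are the only ones valid a priori.
    validity = {k: "full" for k, t in ownertrust.items() if t == "ultimate"}
    for _depth in range(max_cert_depth):  # each round extends chains by one hop
        changed = False
        for key, signers in sigs.items():
            if validity.get(key) == "full":
                continue
            # A certification counts only if the signer is itself fully valid AND the
            # user has assigned that signer marginal-or-better ownertrust.
            trusted = [s for s in signers if validity.get(s) == "full"
                       and ownertrust.get(s, "unknown") in CERTIFYING]
            fulls = sum(1 for s in trusted if ownertrust[s] in ("full", "ultimate"))
            margs = sum(1 for s in trusted if ownertrust[s] == "marginal")
            if fulls >= completes_needed or margs >= marginals_needed:
                new = "full"
            elif trusted:
                new = "marginal"
            else:
                continue  # signed, but by nobody the user trusts: stays unknown
            if validity.get(key) != new:
                validity[key] = new
                changed = True
        if not changed:
            break
    return {k: validity.get(k, "unknown") for k in set(sigs) | set(ownertrust)}


if __name__ == "__main__":
    # Constructed scenario from the thread: I (A) signed B's key, and B signed F's key.
    sigs = {"B": {"A"}, "F": {"B"}}
    for trust_in_b in ("unknown", "marginal", "full"):
        v = compute_validity(sigs, {"A": "ultimate", "B": trust_in_b})
        print(f"ownertrust(B)={trust_in_b:8} validity(B)={v['B']:8} validity(F)={v['F']}")
```

With no ownertrust set on B, F stays unknown however many signatures it carries, which is the behaviour the original question observed and the reply argues is the right default.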
