How trust works in gpg...
email at sven-radde.de
Tue Apr 15 16:56:59 CEST 2008
Mark H. Wood schrieb:
> The safest thing for gpg to assume
> is that I assign no trust at all until I have instructed it
AFAIK this is the default behaviour, isn't it?
You have the option of specifying "trusted introducers" (i.e. keys
signed by those are automatically considered valid by you), but you
don't have to.
To me it looks like the two "trust" concepts of GnuPG are somewhat
intermingled in this discussion:
- First, there's the "trust" in a UID which means that you trust the
assiciation betweed the key and the person identified by the UID. This
is usually expressed by signing the UID in question. Another term would
be "validity" of the key, IIRC.
- Second, there's the "owner trust" assigned to a key, meaning that you
trust that the key's owner, before signing other UIDs has made
reasonable checks to the "trust" defined above. Default for this kind of
trust is AFAIK "none", and you may manually set it to "marginal" or
"full". You can then configure GnuPG to consider UIDs valid (i.e. you
yourself "trust" them according to the first definition) when a certain
number of "marginally" and/or "fully" trusted signatures already have
been made on that UID.
More information about the Gnupg-users