How trust works in gpg...

Peter Lewis prlewis at
Tue Apr 15 17:09:51 CEST 2008

On Tuesday 15 April 2008 at 15:05:45 Sven Radde wrote:
> Signing a new UID with the same key that was used to sign another UID
> proves that the same person that created the first UID created the
> second one.
> It does not prove that the person controls (or, is identified by) the
> second UID.
> As I said before: If you trust my key, I could simply add "Stan Tobias
> <sttob at>" as UID to my key.
> If this new UID was trusted immediately, you would use *my* key to
> encrypt emails intended to go to Stan..!
> The crucial thing is connecting the person identified by a UID with a
> private key.
> This is what is meant by "trust" in a UID and in OpenPGP, this trust is
> expressed by signing the UID with your key.

Right, that makes sense now.

Thanks everyone for the help - I think I was rather confused about the 
differences and connections between "validity", "trust" and "ownertrust":

On Tuesday 15 April 2008 at 15:56:59 Sven Radde wrote:
> To me it looks like the two "trust" concepts of GnuPG are somewhat
> intermingled in this discussion:
> - First, there's the "trust" in a UID which means that you trust the
> association between the key and the person identified by the UID. This
> is usually expressed by signing the UID in question. Another term would
> be "validity" of the key, IIRC.
> - Second, there's the "owner trust" assigned to a key, meaning that you
> trust that the key's owner, before signing other UIDs, has made
> reasonable checks to the "trust" defined above. Default for this kind of
> trust is AFAIK "none", and you may manually set it to "marginal" or
> "full". You can then configure GnuPG to consider UIDs valid (i.e. you
> yourself "trust" them according to the first definition) when a certain
> number of "marginally" and/or "fully" trusted signatures already have
> been made on that UID.

Yes, that's what I now understand :-)

Please excuse one final question: I have signed keys with one person (A), whom 
I trust fully, and he has signed keys with another person (B), whom I know, 
but with whom I have not signed keys. B's key is (correctly) showing as 
*valid*. Should I still wait until I can check his identity using the 
photo-id and fingerprint, or is this now good enough for me to sign B's key?

I wouldn't have thought so, but I just want to make sure I'm absolutely clear 
about this stuff.

Thanks again,
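
The validity/ownertrust distinction discussed in this thread, as an added example that is not part of the original messages and is not GnuPG's own code: a simplified Python model of the classic trust model using gpg's default thresholds. The keyring is constructed; "A" and "B" are the people from the question above, and "C", "D", "E" and "M1" to "M3" are hypothetical.

```python
# Added example: simplified model of GnuPG's classic trust model, not GnuPG's code.
# Thresholds are gpg's defaults for --completes-needed, --marginals-needed
# and --max-cert-depth.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5

def valid_uids(me, ownertrust, certs):
    """Return the (key, uid) pairs this model treats as fully valid.

    ownertrust: key -> "full" or "marginal" (missing means none)
    certs: (key, uid) -> set of keys that signed that UID
    Simplifications: no marginal validity, expiry, revocation or trust signatures.
    """
    valid = {cert for cert in certs if cert[0] == me}  # own key: ultimate
    for _ in range(MAX_CERT_DEPTH):
        valid_keys = {key for key, _uid in valid}
        added = set()
        for (key, uid), signers in certs.items():
            # A signature counts only if the signer's key is valid and is not
            # the key being certified (a self-signature proves nothing here).
            levels = ["full" if s == me else ownertrust.get(s, "none")
                      for s in signers if s in valid_keys and s != key]
            if (levels.count("full") >= COMPLETES_NEEDED
                    or levels.count("marginal") >= MARGINALS_NEEDED):
                added.add((key, uid))
        if added <= valid:
            break
        valid |= added
    return valid

# Constructed keyring (sample data, not taken from any real keyring).
CERTS = {
    ("me", "me"): {"me"},
    ("A", "A"): {"A", "me"},
    ("A", "Stan"): {"A"},          # UID that A added himself; nobody else signed it
    ("B", "B"): {"B", "A"},        # valid through A, whom I trust fully
    ("C", "C"): {"C", "B"},        # signed only by B, who has no ownertrust
    ("M1", "M1"): {"me"}, ("M2", "M2"): {"me"}, ("M3", "M3"): {"me"},
    ("D", "D"): {"M1", "M2"},      # two marginal signatures: below threshold
    ("E", "E"): {"M1", "M2", "M3"},
}
OWNERTRUST = {"A": "full", "M1": "marginal", "M2": "marginal", "M3": "marginal"}

if __name__ == "__main__":
    result = valid_uids("me", OWNERTRUST, CERTS)
    for cert in sorted(CERTS):
        print(cert, "valid" if cert in result else "not valid")
```

In this model B's UID is valid because A signed it, the "Stan" UID on A's key is not valid because only A signed it, and C stays invalid until B is given ownertrust.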
