How trust works in gpg...

David Shaw dshaw at jabberwocky.com
Tue Apr 15 19:32:17 CEST 2008


On Tue, Apr 15, 2008 at 09:37:45AM -0400, Mark H. Wood wrote:
> On Tue, Apr 15, 2008 at 01:23:01PM +0100, Peter Lewis wrote:
> > So I guess my question is: is this a guide for me, and then I should manually 
> > set the trust level on key F myself (if I am satisfied that the chains 
> > exist), or should gpg do this automatically for me based on the parameters in 
> > my gpg.conf? It doesn't seem to be calculating anything automatically at the 
> > moment.
> 
> What it is meant to do I can't say, but I hope that it does *not*
> assign trust to others' keys automatically.

It does not.  When you sign a key, you make that key *valid*, which
just means "I believe this key does belong to the person it claims to
belong to".  When you set *trust* (aka "ownertrust") on that key, you
are saying "I believe the person who owns this key makes signatures
that I am willing to rely on".

> I may trust B's handling of his own keys, but not trust B's judgments
> about F's handling of *his* keys.  The safest thing for gpg to assume
> is that I assign no trust at all until I have instructed it
> otherwise.  B's signature on F's key is information that I might take
> into consideration, but I might (for example) decide merely to
> remember that datum and observe F's behavior for a while before
> trusting F's key.

Yep.

David
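To make the validity/ownertrust distinction concrete, here is a small model of GnuPG's classic web-of-trust calculation. It is an added example, not code from David Shaw or from GnuPG; it assumes gpg's default `--completes-needed 1`, `--marginals-needed 3` and `--max-cert-depth 5`, and it simplifies validity to "full" or "none" (real gpg also reports "marginal" validity). The point it shows is the one made above: my signature makes B valid, but B's signature on F contributes nothing to F's validity until I explicitly assign ownertrust to B.

```python
"""Toy model of GnuPG's web-of-trust validity calculation (added example).

Assumed defaults (gpg's own): completes-needed 1, marginals-needed 3,
max-cert-depth 5.  Validity here is binary ('full' / 'none'); gpg's
'marginal' validity level is deliberately omitted for brevity.
"""

COMPLETES_NEEDED = 1   # one fully trusted signer is enough
MARGINALS_NEEDED = 3   # or three marginally trusted signers
MAX_CERT_DEPTH = 5     # longest chain of certifications considered


def compute_validity(keys, signatures, ownertrust):
    """Return {key: 'full' | 'none'}.

    keys:        iterable of key names
    signatures:  {signer: set(keys that signer has certified)}
    ownertrust:  {key: 'ultimate' | 'full' | 'marginal' | 'none'}
                 (keys missing from the dict have ownertrust 'none',
                 exactly as gpg assumes until you set it yourself)
    """
    validity = {k: 'none' for k in keys}

    # My own key(s) carry ultimate ownertrust and are always valid.
    for k in keys:
        if ownertrust.get(k, 'none') == 'ultimate':
            validity[k] = 'full'

    # Each round extends certification chains by one hop, so iterating
    # MAX_CERT_DEPTH times bounds the chain length (approximation).
    for _depth in range(MAX_CERT_DEPTH):
        changed = False
        for target in keys:
            if validity[target] == 'full':
                continue
            full = marginal = 0
            for signer, signed in signatures.items():
                # A signature only counts if the signer is itself valid
                # AND I have assigned that signer ownertrust.
                if signer == target or target not in signed:
                    continue
                if validity[signer] != 'full':
                    continue
                ot = ownertrust.get(signer, 'none')
                if ot in ('ultimate', 'full'):
                    full += 1
                elif ot == 'marginal':
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                validity[target] = 'full'
                changed = True
        if not changed:
            break
    return validity


# Constructed scenarios using the thread's key names (ME, B, F).

def signing_only():
    """I sign B; B signs F; I set no ownertrust on anyone but myself."""
    sigs = {'ME': {'B'}, 'B': {'F'}}
    return compute_validity(['ME', 'B', 'F'], sigs, {'ME': 'ultimate'})


def with_full_ownertrust_on_b():
    """Same signatures, but I have explicitly marked B as fully trusted."""
    sigs = {'ME': {'B'}, 'B': {'F'}}
    ot = {'ME': 'ultimate', 'B': 'full'}
    return compute_validity(['ME', 'B', 'F'], sigs, ot)


def with_three_marginals():
    """I sign B, C, D and mark each marginal; all three sign F."""
    sigs = {'ME': {'B', 'C', 'D'}, 'B': {'F'}, 'C': {'F'}, 'D': {'F'}}
    ot = {'ME': 'ultimate', 'B': 'marginal', 'C': 'marginal', 'D': 'marginal'}
    return compute_validity(['ME', 'B', 'C', 'D', 'F'], sigs, ot)


def with_two_marginals():
    """Only two marginal signers on F: below marginals-needed."""
    sigs = {'ME': {'B', 'C'}, 'B': {'F'}, 'C': {'F'}}
    ot = {'ME': 'ultimate', 'B': 'marginal', 'C': 'marginal'}
    return compute_validity(['ME', 'B', 'C', 'F'], sigs, ot)


if __name__ == '__main__':
    for name, fn in [('signing only', signing_only),
                     ('B fully trusted', with_full_ownertrust_on_b),
                     ('three marginals', with_three_marginals),
                     ('two marginals', with_two_marginals)]:
        print(f"{name:16s} -> {fn()}")
```

In the first scenario B becomes valid purely because I signed it, while F stays invalid: B's signature is recorded but carries no weight until I decide how far I rely on B's judgement. The remaining scenarios show that the only thing that changes F's status is the ownertrust I assign by hand (or import with `gpg --import-ownertrust`).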


