How trust works in gpg...

David Shaw dshaw at jabberwocky.com
Tue Apr 15 20:04:26 CEST 2008


On Tue, Apr 15, 2008 at 12:21:43PM +0200, Michael Kesper wrote:
> Hi,
> 
> On Tue, Apr 15, 2008 at 12:42:43AM +0200, Herbert Furting wrote:
> > On Mon, 2008-04-14 at 23:20 +0100, Peter Lewis wrote:
> > > Ah yes, thanks. So I have now set the owner-trust for his key to "full", but 
> > > still it says "unknown" for the other UIDs. So, I should manually set the 
> > > trust for keys / UIDs that I think I trust based on who has signed them?
> > Sorry,.. I haven't read your initial post correctly.
> > As David said in the meantime new UIDs are of course _not_ recognised
> > automatically (a user could simply add a completely wrong name). You
> > have to sign the UID (better said, key+UID).
> > You should only do so, if the name is the same (or if you know that the
> > key holder goes by that name).
> > 
> > If the new UID just contains a new email address, you should really
> > check if the keyholder "controls" that email address.
> > You can do so, by sending him an encrypted challenge.
> 
> I remember Werner saying that this was just nonsense.
> Werner, can you correct me if I'm wrong?

Not enough information above to say nonsense or not.  There are silly
ways to use challenges and non-silly ways.

The idea behind a challenge is to send something to the email address
in the UID and ask the recipient to sign it, and send it back.
Encryption is not involved here (you can encrypt it if you like, but
it doesn't make a difference either way).  You are verifying that the
email address on the key goes to some entity that has the ability to
actually use the key.

David
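The non-silly challenge flow David sketches, as an added example that is not part of the original thread and not GnuPG code. It stands in for the OpenPGP signature with a toy textbook-RSA-over-SHA-256 signer (an assumption for illustration only; with real keys the last step is `gpg --verify` on the returned clearsigned text plus a check that the signing key's fingerprint is the key whose UID you are testing). The `Challenger` class, the example keys and the example.org/example.net addresses are constructed for the demo.

```python
"""Email-UID challenge: mail a nonce to the address in the UID, have the
holder sign it, and check the signature against that key.  Added example;
the RSA signer below is a toy stand-in for an OpenPGP signature."""
import hashlib
import secrets
import time


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for a demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def generate_key(uids, bits=512):
    """Toy RSA key: public part carries a fingerprint and the UIDs on it."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this means gcd(e, phi) == 1
            break
    n = p * q
    fpr = hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest().upper()
    return {"fpr": fpr, "n": n, "e": e, "uids": list(uids)}, {"n": n, "d": pow(e, -1, phi)}


def sign(private, message):
    """Key holder's side: sign the challenge text exactly as received."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, private["d"], private["n"])


def verify_sig(public, message, sig):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(sig, public["e"], public["n"]) == h


class Challenger:
    """The person deciding whether to certify key+UID."""

    def __init__(self, keyring, ttl=3600):
        self.keyring = {k["fpr"]: k for k in keyring}
        self.ttl = ttl
        self.pending = {}       # (fpr, email) -> (challenge text, expiry)
        self.verified = set()

    def issue(self, fpr, email):
        """Return the text to mail to `email` and nowhere else.  It can go in
        the clear: the nonce is bound to the fingerprint and the address."""
        if email not in self.keyring[fpr]["uids"]:
            raise ValueError("no such UID on key")
        text = f"uid-check fpr={fpr} email={email} nonce={secrets.token_hex(16)}".encode()
        self.pending[(fpr, email)] = (text, time.time() + self.ttl)
        return text

    def check(self, fpr, email, signed_text, sig):
        pending = self.pending.get((fpr, email))
        if pending is None:
            return False                                   # nothing outstanding / replay
        text, expiry = pending
        if time.time() > expiry or signed_text != text:
            return False                                   # stale or altered
        if not verify_sig(self.keyring[fpr], signed_text, sig):
            return False                                   # not made with *this* key
        del self.pending[(fpr, email)]
        self.verified.add((fpr, email))
        return True


def demo():
    """Constructed scenario: Alice adds a UID for a new address; Mallory has
    another key.  Returns (genuine answer ok, wrong-key answer ok, replay ok)."""
    alice_pub, alice_priv = generate_key(["alice@example.org", "alice@newjob.example"])
    mallory_pub, mallory_priv = generate_key(["mallory@example.net"])
    c = Challenger([alice_pub, mallory_pub])
    chal = c.issue(alice_pub["fpr"], "alice@newjob.example")   # mailed to that address
    genuine = c.check(alice_pub["fpr"], "alice@newjob.example", chal, sign(alice_priv, chal))
    chal2 = c.issue(alice_pub["fpr"], "alice@example.org")
    wrong_key = c.check(alice_pub["fpr"], "alice@example.org", chal2, sign(mallory_priv, chal2))
    replay = c.check(alice_pub["fpr"], "alice@newjob.example", chal, sign(alice_priv, chal))
    return genuine, wrong_key, replay


if __name__ == "__main__":
    print(demo())
```

What `check` establishes is exactly the property in the post: whoever reads mail at that address can produce a signature with the key under test. The nonce is tied to the fingerprint and the address and is consumed once, so an answer for one UID cannot be reused for another, and a signature from a different key that happens to carry a similar name fails. Encrypting the outgoing challenge is optional, as David says; it adds nothing to what the returned signature proves.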



More information about the Gnupg-users mailing list