How trust works in gpg...

David Shaw dshaw at
Fri Apr 25 15:11:55 CEST 2008

On Apr 25, 2008, at 3:57 AM, Werner Koch wrote:

> On Thu, 24 Apr 2008 21:12, dshaw at said:
>> not how the OpenPGP trust system works.  The person who gets to  
>> decide
>> if a key+uid should be signed is the person who makes the signature.
> Nitpicking: It is not the OpenPGP trust system, but the way almost all
> OpenPGP applications are used (basically Web of Trust).  OpenPGP is  
> just
> a framework and you may implement any trust system on top of it; using
> the mechanisms provided by OpenPGP.
> I have to mention this because many people believe OpenPGP demands the
> WoT and exclude OpenPGP from further inspection when searching for a
> specialized PKI.

Absolutely.  At one point there was talk about putting together an RFC  
for a defined OpenPGP trust system (essentially documenting what we  
have now), but there didn't seem to be much interest in it.

A significant use of OpenPGP is without the WoT at all.


More information about the Gnupg-users mailing list