How trust works in gpg...
dshaw at jabberwocky.com
Fri Apr 25 15:11:55 CEST 2008
On Apr 25, 2008, at 3:57 AM, Werner Koch wrote:
> On Thu, 24 Apr 2008 21:12, dshaw at jabberwocky.com said:
>> not how the OpenPGP trust system works. The person who gets to
>> if a key+uid should be signed is the person who makes the signature.
> Nitpicking: It is not the OpenPGP trust system, but the way almost all
> OpenPGP applications are used (basically Web of Trust). OpenPGP is
> a framework and you may implement any trust system on top of it; using
> the mechanisms provided by OpenPGP.
> I have to mention this because many people believe OpenPGP demands the
> WoT and exclude OpenPGP from further inspection when searching for a
> specialized PKI.
Absolutely. At one point there was talk about putting together an RFC
for a defined OpenPGP trust system (essentially documenting what we
have now), but there didn't seem to be much interest in it.
A significant use of OpenPGP is without the WoT at all.
More information about the Gnupg-users