Web of Trust

Lukas Barth tinloaf at goerresonline.de
Sat Apr 26 17:39:14 CEST 2008

Hash: SHA1


I have a question regarding the way GPG handles the way of trust. Let's
say i have four keys (A-D). Key A is my own one, so I trust it
ultimately and it is valid by definition. I signed B with A and set B's
ownertrust to "full". B signed C, and B trusts C only marginally. C
signed D, so it's like:


Now, since B is valid (I signed it) and I trust B fully C will be
considered valid, too. But how about D? I can think of three possibilities:

1) Since B is trusted fully, C is also trusted fully (after verifying it
with B's signature), and so D is considered valid. This would be *bad*
since B originally had only marginal trust in C, and I would now have
full trust in C.

2) Since I did not assign an ownertrust to C myself, gpg does not trust
C at all and so D is not valid. This would also be kind of bad since I
would have to set a whole lot of ownertrusts for my PKI to be
established. (For every key to be verified it would have to be signed by
at least one key I manually set the ownertrust for)

3) B's trust in C is included in B's signature and so GPG knows that it
should trust C only marginally and searches for other signatures of C,
until it are enough for C to be trusted. This would be great!

Which way is implemented in GPG?

Kind regards,

Lukas Barth
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the Gnupg-users mailing list