Web of Trust
dshaw at jabberwocky.com
Sun Apr 27 05:08:34 CEST 2008
On Apr 26, 2008, at 11:39 AM, Lukas Barth wrote:
> I have a question regarding the way GPG handles the way of trust.
> say i have four keys (A-D). Key A is my own one, so I trust it
> ultimately and it is valid by definition. I signed B with A and set
> ownertrust to "full". B signed C, and B trusts C only marginally. C
> signed D, so it's like:
> Now, since B is valid (I signed it) and I trust B fully C will be
> considered valid, too. But how about D? I can think of three
> 1) Since B is trusted fully, C is also trusted fully (after
> verifying it
> with B's signature), and so D is considered valid. This would be *bad*
> since B originally had only marginal trust in C, and I would now have
> full trust in C.
> 2) Since I did not assign an ownertrust to C myself, gpg does not
> C at all and so D is not valid. This would also be kind of bad since I
> would have to set a whole lot of ownertrusts for my PKI to be
> established. (For every key to be verified it would have to be
> signed by
> at least one key I manually set the ownertrust for)
> 3) B's trust in C is included in B's signature and so GPG knows that
> should trust C only marginally and searches for other signatures of C,
> until it are enough for C to be trusted. This would be great!
> Which way is implemented in GPG?
I think there is some confusion between "validity" and "trust" in the
above, so it is very difficult to understand what you are asking here.
Basically, in the 4-key universe above, A is valid (you), B is valid
(you signed it), C is valid (B signed it, B is valid, and has full
ownertrust). D is not valid because even though C signed it, C has no
I'm not sure what you are trying to get at with #3. It doesn't seem
to follow the problem statement of the 4-key universe. If there are
other keys in play here with other signatures, then you need to state
them in the problem.
More information about the Gnupg-users