Need help understanding the difference between assigning owner trust and key validity.
Joseph Oreste Bruni
jbruni at me.com
Sat Jun 13 08:55:05 CEST 2009
On Jun 12, 2009, at 11:24 PM, Steven W. Orr wrote:
> There's a pgp concept that I'm not comfortable with. It has to do
> with the
> difference between owner trust and key validity. And I say
> comfortable, not
> because I don't like it or that I don't think it doesn't work; I
> just don't
> feel like I understand it well enough to be doing it right.
> When I got your key, AND I know it came from you, then I set your
> key in my
> ring with owner trust of "trusted". But I didn't set the key
> validity. My
> understanding is that if I set your key validity then I'm signing my
> public key with your public key. (Someone please correct me if I'm
> way off.)
The difference between key validity and owner trust is in the object
of the trust.
If you trust the key, in that you have verified that the user ID
contained on the key does indeed belong to its holder, you indicate
your trust in the key by signing the key. Since your key is explicitly
set to ultimate owner trust, you will automatically consider any key
signed by you to be valid.
Owner trust is how you express confidence in the owner of the key to
validate other people's keys. If a key belongs to a person who is
sloppy about signing other keys, you would assign them a low owner
trust (or even none). On the other hand, if you know that someone is
very diligent about vetting keys, you could assign them a high owner
What does this do for you? Mostly, it's a time saver for yourself. If
you receive a 100 keys from various individuals, you could be diligent
in verifying each and every one of them before you sign those keys.
Once you sign a key, it is considered valid.
Otherwise, say 90% of those keys were already signed by someone you
know is diligent about verifying keys. If you assigned that person a
high owner trust, those 90 keys would be automatically considered
valid by you, and you'd only need to verify the remaining 10.
A marginal owner trust is for people that might do a good job of
verifying a key's UID. In which case you would consider valid any key
signed by three such individuals.
There are two types of signatures at this point: local and exportable.
If your signature on the key is local only, then your signature on the
key will not be exported should you choose to export the key to
another location (e.g. a keyserver). If your signature is exportable,
your signature will be appended to the key when you send that key
onward. If other people trust you to validate UID's by assigning a
high owner trust to your key, they will automatically consider valid
any such keys signed by your key.
In the X.509 certificate model, high owner trust is granted by you
implicitly when you hold a certificate authority's root certificate.
Any certificate signed by the chain of CA's that terminate at a
trusted root certificate is automatically trusted (valid).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2557 bytes
Desc: not available
More information about the Gnupg-users