How to check the trust level
David Shaw
dshaw at jabberwocky.com
Sun Nov 22 03:07:59 CET 2009
On Nov 21, 2009, at 6:47 PM, markus reichelt wrote:
> * David Shaw <dshaw at jabberwocky.com> wrote:
>
>> If you mean the signature verification level, then it is visible in
>> the --list-sigs output - 3 for "positive" verification, 2 for
>> "casual" verification, and 1 for "persona" (aka didn't check)
>> verification. If none of these numbers appear, it's a "generic"
>> verification.
>
> (Just to contribute to the confusion:)
>
> That's according to the spec, but there are quite a few people out
> there who do not honour the spec (for whatever reasons - not relevant
> here) and have their own definition of sig levels (usually published
> in their signing policy).

The spec disclaims any knowledge of the levels and leaves it up to the
individual person to decide within some (very rough) guidelines. This
is both a good and bad thing :)

It's very possible that Alice's "casual" is stronger than Baker's
"positive".

> To sum it up, these days levels 0,2,3 are fine. 1s are a bit strange
> and quite rare - I'd inquire about that kinda sig level.

#1 is very rare, since it essentially means that someone didn't check
at all. GPG actually ignores level 1 signatures by default, so that
makes them even more rare - there is little point in making one since
GPG won't even see it.

David
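
Added example, not part of the original message or of GnuPG's code: a small parser that reads the levels discussed above from `gpg --list-sigs --with-colons` output, where field 11 of a `sig` record holds the signature class (0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive). The sample records are constructed, and `cert_levels` and its `min_cert_level` parameter are this example's own names for the default threshold described in the message.

```python
# Added example: classify certification levels from `gpg --list-sigs --with-colons`.
# Field 11 of a "sig" record is the signature class: two hex digits plus
# 'x' (exportable) or 'l' (local). Classes 0x10-0x13 are key certifications.
LEVELS = {0x10: (0, "generic"), 0x11: (1, "persona"),
          0x12: (2, "casual"), 0x13: (3, "positive")}

# Constructed sample records (key IDs, timestamps and names are made up).
SAMPLE = """\
pub:u:2048:1:1111111111111111:1258855679:::u:::scESC:
uid:u::::1258855679::0000000000000000000000000000000000000000::Test Key (constructed) <test@example.org>:
sig:::1:1111111111111111:1258855679::::Test Key (constructed) <test@example.org>:13x:
sig:::1:2222222222222222:1258855700::::Alice (constructed) <alice@example.org>:12x:
sig:::17:3333333333333333:1258855800::::Baker (constructed) <baker@example.org>:11x:
sig:::1:4444444444444444:1258855900::::Carol (constructed) <carol@example.org>:10l:
rev:::1:5555555555555555:1258856000::::Dave (constructed) <dave@example.org>:30x:
"""

def cert_levels(colon_output, min_cert_level=2):
    """Return one dict per certification signature found in the listing.

    'counted' mirrors the behaviour described in the message: with the default
    minimum of 2, level 1 is disregarded; level 0 (generic) is always accepted.
    """
    results = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] != "sig" or len(fields) < 11:
            continue
        sigclass = fields[10]
        try:
            cls = int(sigclass[:2], 16)
        except ValueError:
            continue  # malformed class field
        if cls not in LEVELS:
            continue  # not a key certification
        level, name = LEVELS[cls]
        results.append({
            "signer": fields[4], "level": level, "name": name,
            "local": sigclass.endswith("l"),
            "counted": level == 0 or level >= min_cert_level,
        })
    return results

if __name__ == "__main__":
    for r in cert_levels(SAMPLE):
        print(r)
```

The first `sig` record in the sample is the key's own self-signature, which also carries a certification class, so filter on the signer key ID when only third-party signatures matter.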