Understanding --status-fd output
Mike Acker
Mike_Acker at charter.net
Sun Aug 28 15:29:26 CEST 2011
On 14:59, Ben Harris wrote:
> As far as I can tell, GOODSIG corresponds to steps 1 and 2 above -- it
> indicates that we've found a key in the keyring and the signature
> matches it. TRUST_* corresponds to step 3, and obviously it's my job
> to deal with step 4. The problem I've got is to understand how the
> UID in GOODSIG relates to the trust in TRUST_*. As far as I can tell
> from my testing, GOODSIG always includes the primary UID of the key,
> but TRUST_* reflects the trust in the most trusted UID.
>
> In consequence, I can't from parsing the --status-fd output work out
> what valid UID is associated with a signature. I can only tell that
> the key in question has _a_ valid UID. Is this correct? So if I want
> to know which of the UIDs on the key are trusted, I have to resort to
> --list-keys --with-colons or similar?
there are definitely some confusing terms in play here
from using GPG4WIN I note: a signature may be marked:
valid|not valid
Trusted|not Trusted
from my observations: "valid" should really read "recognized"
the signature is "recognized" IF:
I signed it
someone whose key I have marked fully trusted signed it
two or more parties I have marked marginally trusted have signed it
"Trust" or "owner trust" refers to whether I trust the owner of a key
sent to me. this trust can be
ultimate ( I only trust myself "ultimately" )
full: I trust this party to thoroughly vet any keys he signs
marginal: I'm not sure about this guy; he's probably OK
unknown: I haven't got a clue
Clearly: you cannot establish a Trust Model in a large population which
is the fundamental error made in x.509
IN ADDITION: you will note that on an x.509 certificate there is a
second trust flag: for software. This is CRITICAL to the security of
Authenticode which is used for software updates
Good post!!
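The thread above is about reading the GOODSIG, VALIDSIG and TRUST_* lines that gpg writes to --status-fd, and about the fact that GOODSIG carries the key's primary UID while TRUST_* reflects the validity of the key as a whole, so per-UID validity has to come from --list-keys --with-colons. The following parser is an added example written for this archive page; it is not code from the thread participants or from GnuPG. The status keywords and the colon-field positions follow GnuPG's doc/DETAILS as I know them; the key ID, fingerprints, dates and user IDs in the sample data are constructed placeholders, not real keys.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the thread or GnuPG): parse "[GNUPG:] ..." status
# lines, gate acceptance on a minimum TRUST_* level, and pull per-UID validity
# from --with-colons output, which the status fd does not provide.

STATUS_PREFIX = "[GNUPG:] "
SIG_KEYWORDS = ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG")
# Ascending order so a caller can require a minimum level.
TRUST_ORDER = ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
               "TRUST_FULLY", "TRUST_ULTIMATE")


@dataclass
class SigResult:
    status: Optional[str] = None       # one of SIG_KEYWORDS
    keyid: Optional[str] = None        # long key ID from the *SIG line
    primary_uid: Optional[str] = None  # UID shown in GOODSIG: the primary UID,
                                       # not necessarily the UID that is valid
    fingerprint: Optional[str] = None  # from VALIDSIG; pin on this, not on the UID
    trust: Optional[str] = None        # TRUST_* keyword: validity of the whole key


def parse_status(text: str) -> list[SigResult]:
    """Turn --status-fd output into one SigResult per signature."""
    results: list[SigResult] = []
    cur: Optional[SigResult] = None
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # ordinary stderr chatter when fd 2 doubles as status fd
        parts = line[len(STATUS_PREFIX):].split(" ")
        kw, args = parts[0], parts[1:]
        # NEWSIG (newer gpg) or a second *SIG keyword starts a new record.
        if kw == "NEWSIG" or (kw in SIG_KEYWORDS and cur is not None and cur.status):
            cur = None
        if cur is None:
            cur = SigResult()
            results.append(cur)
        if kw in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG"):
            cur.status = kw
            cur.keyid = args[0]
            cur.primary_uid = " ".join(args[1:])  # the UID itself contains spaces
        elif kw == "ERRSIG":
            cur.status = kw
            cur.keyid = args[0]                   # no UID: key is not in the keyring
        elif kw == "VALIDSIG":
            cur.fingerprint = args[0]
        elif kw in TRUST_ORDER:
            cur.trust = kw
    return results


def accept(result: SigResult, minimum: str = "TRUST_FULLY") -> bool:
    """GOODSIG plus key validity at or above `minimum`; everything else fails."""
    if result.status != "GOODSIG" or result.trust in (None, "TRUST_NEVER"):
        return False
    return TRUST_ORDER.index(result.trust) >= TRUST_ORDER.index(minimum)


def valid_uids(colons_text: str, accept_validity: str = "fu") -> list[str]:
    """From `gpg --list-keys --with-colons` output return the user IDs whose
    validity field (field 2: f=full, u=ultimate, m=marginal, -=unknown) is in
    `accept_validity`. This is the per-UID view the status fd cannot give."""
    uids = []
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9 and f[1] in accept_validity:
            uids.append(f[9])  # field 10 holds the user ID
    return uids


# Constructed sample: a good signature from a key whose primary UID is the
# first one listed, but whose validity comes from its second UID.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2011-08-28 1314541766 0 4 0 1 2 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_FULLY
"""

SAMPLE_COLONS = """\
pub:f:2048:1:0123456789ABCDEF:2011-08-28::::::scESC:
uid:-::::2011-08-28::UIDHASH1::Alice Example <alice@example.org>:
uid:f::::2011-08-28::UIDHASH2::Alice Example <alice@work.example>:
"""

if __name__ == "__main__":
    for r in parse_status(SAMPLE_STATUS):
        print(r.status, r.keyid, repr(r.primary_uid), r.trust, "accept:", accept(r))
    print("valid UIDs per --with-colons:", valid_uids(SAMPLE_COLONS))
```

Running it on the sample shows the point of the thread: the status fd reports GOODSIG with the primary UID and TRUST_FULLY for the key, while the colon listing shows that the primary UID is not the valid one. A verifier that needs to bind a signature to a particular identity should key on the VALIDSIG fingerprint and then consult the per-UID validity, rather than trusting the UID string printed in GOODSIG.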