Understanding --status-fd output

Mike Acker Mike_Acker at charter.net
Sun Aug 28 15:29:26 CEST 2011


On 14:59, Ben Harris wrote:
> As far as I can tell, GOODSIG corresponds to steps 1 and 2 above -- it
> indicates that we've found a key in the keyring and the signature
> matches it.  TRUST_* corresponds to step 3, and obviously it's my job
> to deal with step 4.  The problem I've got is to understand how the
> UID in GOODSIG relates to the trust in TRUST_*.  As far as I can tell
> from my testing, GOODSIG always includes the primary UID of the key,
> but TRUST_* reflects the trust in the most trusted UID.
>
> In consequence, I can't from parsing the --status-fd output work out
> what valid UID is associated with a signature.  I can only tell that
> the key in question has _a_ valid UID.  Is this correct?  So if I want
> to know which of the UIDs on the key are trusted, I have to resort to
> --list-keys --with-colons or similar?
there are definitely some confusing terms in play here

from using GPG4WIN I note: a signature may be marked:

    valid|not valid
    Trusted|not Trusted

from my observations: "valid" should really read "recognized"

the signature is "recognized" IF:

    I signed it
    someone whose key I have marked fully trusted signed it
    two or more parties I have marked marginally trusted have signed it

"Trust" or "owner trust" refers to whether I trust the owner of a key
sent to me.  this trust can be

    ultimate ( I only trust myself "ultimately" )
    full: I trust this party to thoroughly vet any keys he signs
    marginal: I'm not sure about this guy; he's probably OK
    unknown: I haven't got a clue

Clearly: you cannot establish a Trust Model in a large population, which
is the fundamental error made in X.509

IN ADDITION: you will note that on an X.509 certificate there is a
second trust flag: for software. This is CRITICAL to the security of
Authenticode, which is used for software updates

Good post!!
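To illustrate the distinction the thread is about, here is an added example (not code from either poster or from GnuPG) that parses a constructed fragment of --status-fd output: GOODSIG carries the key ID and the key's primary user ID, VALIDSIG carries the fingerprint, and the TRUST_* line gives the validity of the key as a whole, so the UID from GOODSIG must not be read as "the trusted UID". The key ID, fingerprint and user ID in the sample are made up.

```python
import re

# Constructed sample of gpg --status-fd output (not taken from the thread);
# the key ID, fingerprint and user ID are invented for illustration.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Person <example@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-08-28 1314538166 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY
"""

# Every status line has the form "[GNUPG:] KEYWORD [arguments]".
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(text):
    """Return a dict describing the signature as gpg reported it.

    GOODSIG means the signature verified against a key in the keyring and
    names that key's *primary* user ID.  TRUST_* reports the validity of
    the key (its best-validated UID), which is why the UID from GOODSIG
    cannot be taken as the one that is trusted.
    """
    result = {"good": False, "keyid": None, "primary_uid": None,
              "fingerprint": None, "trust": None}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # not a status line (e.g. ordinary gpg output)
        keyword, args = m.group(1), (m.group(2) or "")
        if keyword == "GOODSIG":
            keyid, _, uid = args.partition(" ")
            result.update(good=True, keyid=keyid, primary_uid=uid)
        elif keyword in ("BADSIG", "ERRSIG"):
            result["good"] = False
        elif keyword == "VALIDSIG":
            result["fingerprint"] = args.split()[0]  # first field is the fingerprint
        elif keyword.startswith("TRUST_"):
            result["trust"] = keyword[len("TRUST_"):]  # e.g. FULLY, MARGINAL, UNDEFINED
    return result


def accept(result, minimum=("FULLY", "ULTIMATE")):
    """Accept only a good signature whose key validity meets the threshold.

    Which UID that validity comes from is not knowable from these lines;
    that needs --list-keys --with-colons, as the question above suggests.
    """
    return result["good"] and result["trust"] in minimum
```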
