Aspects of trust
Kerrick Staley
mail at kerrickstaley.com
Tue Jun 14 19:16:31 CEST 2011
This is to confirm my understanding of an important aspect of the way
GnuPG works:

When you decide whether to trust a signature, there are two questions
that must be asked:

a) Does the key used to make this signature really belong to the
person named in the certificate's UID?
b) Given that the key is valid, is the person trustworthy?

GnuPG and the web-of-trust concept only manage information related to
the first question. GnuPG provides no means of encoding or storing the
fact that a person is or is not trustworthy; it merely displays the
UID when verifying a signature, and the user is left to decide whether
the person should be trusted.

Am I correct in this?

Thanks,
Kerrick Staley