Aspects of trust

Kerrick Staley mail at
Tue Jun 14 19:16:31 CEST 2011

This is to confirm my understanding of an important aspect of the way
GnuPG works:

When you decide whether to trust a signature, there are two questions
that must be asked:
a) Does the key used to make this signature really belong to the
person named in the certificate's UID?
b) Given that the key is valid, is the person trustworthy?
GnuPG and the web-of-trust concept only manage information related to
the first question. GnuPG provides no means of encoding or storing the
fact that a person is or is not trustworthy; it merely displays the
UID when verifying a signature, and the user is left to decide whether
the person should be trusted.

Am I correct in this?

Kerrick Staley

More information about the Gnupg-users mailing list