Aspects of trust

Robert J. Hansen rjh at
Tue Jun 14 20:35:30 CEST 2011

On Tue, 14 Jun 2011 12:16:31 -0500, Kerrick Staley
<mail at>
> a) Does the key used to make this signature really belong to the
> person named in the certificates's UID?
> b) Given that the key is valid, is the person trustworthy?

These are the two Big Questions, yes: "do I have the correct certificate?"
and, "do I trust the issuer?"  You have these two questions correct.

> GnuPG provides no means of encoding or storing the
> fact that a person is or is not trustworthy

Kind of.  You can certainly do things with different signature classes to
denote distrust, but few people do this.  You can also set a certificate's
trust to "I do NOT trust," IIRC -- it's been some years since I've needed
to do that.

>From a pedantic standpoint, GnuPG offers some tools you can use to state
"I do not find this certificate issuer trustworthy."

>From a practical standpoint, those tools are hardly ever used, so you're
basically correct.

More information about the Gnupg-users mailing list