Aspects of trust
Robert J. Hansen
rjh at sixdemonbag.org
Tue Jun 14 20:35:30 CEST 2011
On Tue, 14 Jun 2011 12:16:31 -0500, Kerrick Staley <mail at kerrickstaley.com> wrote:
> a) Does the key used to make this signature really belong to the
> person named in the certificate's UID?
> b) Given that the key is valid, is the person trustworthy?
These are the two Big Questions, yes: "do I have the correct certificate?"
and, "do I trust the issuer?" You have these two questions correct.
> GnuPG provides no means of encoding or storing the
> fact that a person is or is not trustworthy
Kind of. You can certainly do things with different signature classes to
denote distrust, but few people do this. You can also set a certificate's
trust to "I do NOT trust," IIRC -- it's been some years since I've needed
to do that.
From a pedantic standpoint, GnuPG offers some tools you can use to state
"I do not find this certificate issuer trustworthy."
From a practical standpoint, those tools are hardly ever used, so you're
basically correct.