hashed user IDs [was: Re: Security of the gpg private keyring?]

Vlad "SATtva" Miller sattva at pgpru.com
Mon Mar 14 15:36:11 CET 2011

>> Trust is not transitive.  If A trusts B and B trusts C,
>> there is no requirement that A trusts C.
> In real life, true. But what about the GnuPG default of trusting a key
> that carries certifications from 1 fully trusted or 3 marginally
> trusted keys. Unless you manually inspect each trust path, how would
> you spot unknown keys from past real-life associates you distrusted?

You're mixing concepts. Trusting someone to vouch for others' keys
validity in *not* the same as believing someone else's key is valid. I
think, what Robert meant (and feel free to correct if I'm off here) is
he wouldn't trust certifications from that "ex-CEO Ben", but there's
nothing wrong really if one or several persons whom Robert trusts
certify "Ben's" key.

In GnuPG, you assign trust levels manually. In turn, GnuPG computes
validity automatically. Trust doesn't gets transferred from one key to
another. Validity does (in a sense).

Vlad "SATtva" Miller
3d viz | security & privacy consulting
www.vladmiller.info | www.pgpru.com

More information about the Gnupg-users mailing list