Web of Trust in Practical Usage

Peter Lebbing peter at digitalbrains.com
Sun Apr 28 13:34:39 CEST 2013

I might be misinterpreting your request, because I can see two slightly
different interpretations and I'm going with only one of those! ;)

On 27/04/13 18:31, Quinn Wood wrote:
> However, gnupg does not recurse signatures on imported or updated keys[...]
> determining the most trusted (based on signature webs, hops, and/or other web
> of trust concepts) key

While signatures have a certain transitive quality (A signed B, B signed C,
there is a path from A to C), /ownertrust/ is not applied transitively[1]. This
means you'll still need to assign trust to a key introducing another key.

So if you're A, A signed B, B signed C, C signed D, you still need to assign
ownertrust to C /yourself/ to get D valid, and this has nothing to do with
ownertrust you assign to B.

So while tools like PGP Pathfinder can find signature paths, it doesn't really
help for validity, which needs ownertrust of a direct parent of the key you want
validated. There are no ownertrust paths.

Suppose you are downloading key D from a keyserver, and some tool decides there
is a path from A to D and it needs key C for that. If C is not already in your
keyring, it could download C for you. Superficially, this would seem to help
establish trust in D. But what good does it really do? Because you'll need to
assign ownertrust to C, and if you don't know C, how can you trust him or her?
And if you know C, why isn't he or she in your keyring already?[2]

I am most definitely not saying your request isn't a good one. Neither am I
saying there isn't a beautiful, elegant solution. Because I don't have enough
grasp of the material myself, and I might miss a lot. I'm also personally very
interested in tools to (meaningfully) expand the number of valid keys in my
keyring, which is why I was thinking about the exact same thing as you, but in
that line of thought I encountered the obstacles I just described.

So yay for more meaningfully valid keys on my keyring. I just don't see how :).



[1] I'm leaving trust signatures out of the picture, as they're uncommon in the WoT.

[2] If C was in your keyring already and you assigned ownertrust, the newly
imported D would immediately get some validity, so there's no extra tool needed.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
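The chain described in the mail above (A signed B, B signed C, C signed D) worked through as an added example, not part of the original post and not GnuPG's own code: a toy model of the classic trust model in which only a fully valid key that you yourself assigned ownertrust to can introduce another key, so ownertrust never flows along the signature path. The key names and the thresholds 1 and 3 (GnuPG's default --completes-needed and --marginals-needed) are assumptions of this toy.

```python
"""Toy model of GnuPG's classic trust model (constructed example).
certs:      {signed_key: {signer_key, ...}}  -- certifications on the key
ownertrust: {key: 'ultimate' | 'full' | 'marginal' | 'unknown'}  -- set by YOU
Validity is computed per key; ownertrust is never inherited along a path."""

FULL_NEEDED = 1       # assumed: GnuPG default --completes-needed
MARGINAL_NEEDED = 3   # assumed: GnuPG default --marginals-needed


def compute_validity(certs, ownertrust):
    """Return {key: 'full' | 'marginal' | 'unknown'}.
    A key is fully valid if certified by an ultimately trusted key, by
    FULL_NEEDED fully-trusted keys, or by MARGINAL_NEEDED marginally-trusted
    keys; in every case the signer must itself already be fully valid."""
    validity = {k: 'unknown' for k in set(certs) | set(ownertrust)}
    for key, level in ownertrust.items():
        if level == 'ultimate':          # your own key: valid by definition
            validity[key] = 'full'
    changed = True
    while changed:                       # iterate to a fixed point
        changed = False
        for key, signers in certs.items():
            if validity[key] == 'full':
                continue
            full = marginal = 0
            for signer in signers:
                if validity.get(signer) != 'full':
                    continue             # an invalid signer never introduces anyone
                level = ownertrust.get(signer, 'unknown')
                if level == 'ultimate':
                    full = FULL_NEEDED   # one ultimate certification suffices
                elif level == 'full':
                    full += 1
                elif level == 'marginal':
                    marginal += 1
                # 'unknown' ownertrust: signer is valid but introduces nobody
            new = validity[key]
            if full >= FULL_NEEDED or marginal >= MARGINAL_NEEDED:
                new = 'full'
            elif marginal > 0:
                new = 'marginal'
            if new != validity[key]:
                validity[key], changed = new, True
    return validity


def chain_example():
    """A -> B -> C -> D with ownertrust only on B: D stays unknown until you
    assign ownertrust to C yourself (the point made in the mail)."""
    certs = {'B': {'A'}, 'C': {'B'}, 'D': {'C'}}
    before = compute_validity(certs, {'A': 'ultimate', 'B': 'full'})
    after = compute_validity(certs, {'A': 'ultimate', 'B': 'full', 'C': 'full'})
    return before['D'], after['D']       # ('unknown', 'full')
```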
