determine the source(s) of validity

Hauke Laging mailinglisten at
Sun Dec 8 22:11:25 CET 2013


I want to find out what makes a key valid (and with which certification 
level): a certification by one of the systems keys or one or more 
certifications from the WoT. I think that it is important that applications 
show this information in key selection dialogs.

IIRC this has been discussed here a while ago and there is no way to get this 
information from GnuPG. I would like to know whether there is already software 
available which does this; no need to reinvent the wheel.

If there isn't any I would do this (but maybe there is a better approach):

1) Find all keys which have ultimate trust. BTW: I noticed that a key becomes 
invalid if its certifying key expires and has complete trust. But if it has 
ultimate trust then the expiration does not make the certification invalid. Is 
this intentional?

2) Import all these keys plus the key to be checked (with import-clean) into a 
new keyring (with a separate trustdb).

3) If (the key was valid in the normal keyring and) the key is not valid in 
the check keyring then it is validated via the WoT. Otherwise I can look for 
the signature with the highest certification level (I am interested in this 

Another, related question:
I was surprised to read the recommendation to create a local certification for 
keys which have been validated via the WoT. But the one who wrote that seems 
extremely competent to me with respect to OpenPGP. Is there a general 
concensus on that? What are your opinions?

Crypto für alle:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20131208/c30fac81/attachment.sig>

More information about the Gnupg-users mailing list