trust your corporation for keyowner identification?

Peter Lebbing peter at digitalbrains.com
Thu Nov 7 19:21:28 CET 2013


On 2013-11-07 17:09, Leo Gaspard wrote:
> If I understood correctly, the depth parameter you are talking about
> is useless, except in case there are trust signatures. And you agreed
> with me for them to be taken out of the equation.

Of course it's not useless. You seem to misunderstand the Web of Trust.

I'll give an example.

I know and trust the people A, B, C, D and E. A has signed B, B has 
signed C, C has signed D, D has signed E, and E has signed F. I meet up 
with A, verify their identity, and sign their key. I assign ownertrust 
to A, B, C, D and E. Et voilà, the keys A, B, C, D and E are all valid, 
without me needing to meet up with my other friends to verify their key 
details. A is at level 1, B at 2, C at 3, D at 4, and E at 5. 
Unfortunately, F won't get valid because it is at level 6.

Now suppose C signs F as well. F is now at level 4, so it becomes 
valid. However, I don't trust F, so even if F now signs G, G won't 
become valid.

Signatures indicate verification, not trust or belief. Trust is in your 
trust database or in trust signatures, but the latter are not commonly 
used. Belief is expressed in validity calculated from your trust 
database and signatures. I don't know if you can choose to disagree with 
GnuPG, that is, if you don't believe a key is valid even though GnuPG 
calculated that it is.

I could get back to all the other points you raise, but I think it's a 
waste of time when you have reasoned from the standpoint that to get a 
key to be valid, you need to sign it, and that is how it looks to me.

It's not much of a Web when you don't have any depth... it's more of 
two intertwined strands then ;).

HTH,

Peter.

PS: My ownertrust for E is useless for now, because he/she is at level 
5. However, if I get a shorter path to him or her later, it will become 
useful then.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
<http://digitalbrains.com/2012/openpgp-key-peter>
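
The validity calculation walked through in the message above, as an added example that is not part of the original post and is not GnuPG's own code. It is a simplified model: only full ownertrust, one trusted signature is enough, and the depth limit of 5 is the one the example implies; marginal trust, trust signatures and expiry are left out, and all names are hypothetical.

```python
from collections import deque

MAX_DEPTH = 5  # assumption taken from the message: level 6 is too deep

# Constructed sample data mirroring the message: who has signed whose key.
CHAIN = {("me", "A"), ("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "F")}
# Keys whose owners I have assigned (full) ownertrust to.
TRUSTED = {"A", "B", "C", "D", "E"}


def compute_validity(signatures, ownertrust, root="me", max_depth=MAX_DEPTH):
    """Return {key: level} for every key that becomes valid.

    A signature only states "I verified this key". It makes the signed key
    valid when the signer is the root or is itself valid AND has ownertrust,
    and the resulting level does not exceed max_depth.
    """
    levels = {}
    queue = deque([(root, 0)])
    while queue:
        signer, depth = queue.popleft()
        if depth >= max_depth:
            continue  # signatures made at the depth limit reach too far
        for s, signee in sorted(signatures):
            if s != signer or signee == root or signee in levels:
                continue
            levels[signee] = depth + 1  # breadth-first, so the shortest path
            if signee in ownertrust:
                # Only trusted owners' signatures are followed any further.
                queue.append((signee, depth + 1))
    return levels


def scenario_chain_only():
    """A..E become valid at levels 1..5; F would be level 6, so it is not."""
    return compute_validity(CHAIN, TRUSTED)


def scenario_c_signs_f():
    """C also signs F (level 4, valid); untrusted F signs G (not valid)."""
    return compute_validity(CHAIN | {("C", "F"), ("F", "G")}, TRUSTED)


if __name__ == "__main__":
    print(scenario_chain_only())
    print(scenario_c_signs_f())
```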


