How to find and verify a trust path?

Peter Lebbing peter at digitalbrains.com
Mon Sep 16 12:07:32 CEST 2013


On 15/09/13 21:11, Philip Jägenstedt wrote:
> In very concrete terms, how can I determine which keys I need to
> import so that the GnuPG dist sig (4F25E3B6) has full validity?

There are two ways to answer this. One:

Did you read my post from April I linked to? I know it sounds like
self-promotion, but it's just to avoid repeating myself too much. I think you
misunderstand what makes a key valid. In order for it to be valid, it needs to
be signed by one or more valid keys to which you have assigned some ownertrust.
Signatures themselves can chain, but ownertrust does not. You cannot make a key
valid by downloading other keys. It can only become valid by being directly
signed by people (keys) you trust.

The second answer:

> In very concrete terms, how can I determine which keys I need to
> import so that the GnuPG dist sig (4F25E3B6) has full validity?

As far as I can see, there are two solutions:
1) Meet with the owner of the key, satisfy yourself that he or she is indeed the
owner, and sign the key.
2) In the list of signatures on the key, look for someone you know and at least
marginally trust to do proper verification of key ownership. You then assign
this key a certain amount of ownertrust, plus you need to make this key itself
valid. To make it valid, follow this process again: either meet up with this
person, or look for a signature on their key by someone you know.

There is a maximum depth to the second form of the solution. It can span no more
than 5 hops from your own key by default (max-cert-depth).

I'm afraid there are no automated solutions[1] because ownertrust is something
you decide, and the computer doesn't know who you know. The only "automated
solution" is that you have the key for everyone you know and somewhat trust on
your keyring: that way, GnuPG will immediately do the right thing, and compute
validity for the downloaded key if it can be done.

HTH,

Peter.

[1] Again, I don't take trust signatures into account because they are not part
of the normal Web of Trust.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
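
The validity calculation Peter describes (ownertrust is assigned by you and never inherited; only fully valid keys that also carry ownertrust contribute certifications; marginal signers need several of them; chains are cut off at max-cert-depth) can be modelled in a few lines. The following is an added illustration, not GnuPG's code and not something posted in this thread. The keyring, key names and signature layout are constructed for the example, and the round-by-round depth bookkeeping is a simplification of GnuPG's trustdb logic (the defaults 3 marginals / 1 complete / depth 5 are GnuPG's documented ones). It shows a key like the dist-sig key becoming valid through three marginally trusted signers, a valid key without ownertrust contributing nothing, and a six-hop chain failing where a five-hop chain succeeds.

```python
"""Toy model of GnuPG's classic Web of Trust validity calculation.

Constructed example, not GnuPG's code: ownertrust is what you assign,
validity is what gets computed, and only validity propagates along signatures.
"""
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Key:
    keyid: str
    ownertrust: str = UNKNOWN                    # set by you (--edit-key trust), never inherited
    signed_by: set = field(default_factory=set)  # key IDs whose certifications sit on this key


def compute_validity(keyring, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return (validity, depth) dicts keyed by key ID.

    Round 0: your ultimately trusted key(s) are valid.
    Round d: a key becomes fully valid if it carries enough certifications from
    keys that were already fully valid before this round *and* that you assigned
    ownertrust.  A signer with no ownertrust contributes nothing, however valid
    its own key is.  Rounds stop at max_cert_depth, so longer chains never close.
    (Assumption: GnuPG's exact round/depth bookkeeping is approximated here.)
    """
    validity = {kid: UNKNOWN for kid in keyring}
    depth = {}
    for kid, key in keyring.items():
        if key.ownertrust == ULTIMATE:
            validity[kid], depth[kid] = FULL, 0

    for d in range(1, max_cert_depth + 1):
        updates = {}
        for kid, key in keyring.items():
            if validity[kid] == FULL:
                continue
            fulls = marginals = 0
            for signer in key.signed_by:
                s = keyring.get(signer)
                if s is None or validity[signer] != FULL:
                    continue                      # signer not on the ring or not (yet) valid
                if s.ownertrust in (ULTIMATE, FULL):
                    fulls += 1
                elif s.ownertrust == MARGINAL:
                    marginals += 1
                # ownertrust UNKNOWN: valid key, but you never said you trust its certifications
            if fulls >= completes_needed or marginals >= marginals_needed:
                updates[kid] = FULL
            elif fulls or marginals:
                updates[kid] = MARGINAL
        for kid, v in updates.items():
            validity[kid] = v
            if v == FULL:
                depth[kid] = d
        if FULL not in updates.values():
            break                                 # no new valid signers, nothing more can change
    return validity, depth


def build_sample_keyring():
    """Constructed keyring mirroring the thread: ME wants DIST to become valid."""
    keys = [
        Key("ME", ULTIMATE),
        Key("ALICE", FULL, {"ME"}),              # met in person, fully trusted to certify
        Key("CAROL", MARGINAL, {"ME"}),
        Key("DAVE", MARGINAL, {"ME"}),
        Key("BOB", MARGINAL, {"ALICE"}),         # only known through ALICE's certification
        Key("STRANGER", UNKNOWN, {"ALICE"}),     # becomes valid via ALICE, but has no ownertrust
        Key("DIST", UNKNOWN, {"BOB", "CAROL", "DAVE", "STRANGER"}),
        Key("ORPHAN", UNKNOWN, {"STRANGER"}),    # downloaded key signed only by STRANGER
    ]
    return {k.keyid: k for k in keys}


def build_chain(hops, ownertrust=FULL):
    """ME -> K1 -> ... -> K<hops>, each link certified by the previous key."""
    ring = {"ME": Key("ME", ULTIMATE)}
    prev = "ME"
    for i in range(1, hops + 1):
        kid = f"K{i}"
        ring[kid] = Key(kid, ownertrust, {prev})
        prev = kid
    return ring


if __name__ == "__main__":
    validity, depth = compute_validity(build_sample_keyring())
    for kid in sorted(validity, key=lambda k: (depth.get(k, 99), k)):
        print(f"{kid:9} validity={validity[kid]:9} depth={depth.get(kid, '-')}")
```

In the sample ring DIST ends up fully valid at depth 3 (BOB only becomes a usable signer once ALICE has validated him), STRANGER is fully valid yet contributes nothing to ORPHAN because no ownertrust was assigned, and with `max_cert_depth=2` DIST is left merely marginal. That is the difference Peter draws between having a key on the ring and having told GnuPG you trust its owner to certify.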
