How to find and verify a trust path?

Philip Jägenstedt philip at foolip.org
Mon Sep 16 17:45:27 CEST 2013


On Mon, Sep 16, 2013 at 12:07 PM, Peter Lebbing <peter at digitalbrains.com> wrote:
> On 15/09/13 21:11, Philip Jägenstedt wrote:
>
>> In very concrete terms, how can I determine which keys I need to
>> import so that the GnuPG dist sig (4F25E3B6) has full validity?
>
> As far as I can see, there are two solutions:
> 1) Meet with the owner of the key, satisfy yourself that he or she is indeed the
> owner, and sign the key.

That would be nice, yeah.

> 2) In the list of signatures on the key, look for someone you know and at least
> marginally trust to do proper verification of key ownership. You then assign
> this key a certain amount of ownertrust, plus you need to make this key itself
> valid. To make it valid, follow this process again: either meet up with this
> person, or look for a signature on their key by someone you know.
>
> There is a maximum depth to the second form of the solution. It can span no more
> than 5 hops from your own key by default (max-cert-depth).

Right, I want to use the calculated validity, possibly with my own
values for --completes-needed, --marginals-needed and
--max-cert-depth. <http://www.gnupg.org/gph/en/manual.html#AEN385>
talks about this.

I've tried (in a testing keyring) to sign and trust marginally 3 keys
that have signed the GnuPG dist sig key, and it indeed results in full
validity for that sig. However, it's not possible to proceed deeper
than 1 step without assigning at least marginal trust in people I
haven't met. Since --update-trustdb *does* ask me for ownertrust of
the dist sig key in this scenario, I'm guessing that at least some
people are willing to do that, and I can certainly see myself
assigning marginal trust to some of these keys.

> I'm afraid there are no automated solutions[1] because ownertrust is something
> you decide, and the computer doesn't know who you know. The only "automated
> solution" is that you have the key for everyone you know and somewhat trust on
> your keyring: that way, GnuPG will immediately do the right thing, and compute
> validity for the downloaded key if it can be done.

What could certainly be automated is to find out if there are any
signature paths, but since no one has stepped up yet I'm guessing key
servers simply can't be queried for this information.
http://pgp.cs.uu.nl/ can help for keys in the strong set, but requires
a lot of manual work.

If there are no good tools, what have others done to verify that they
have a path to 4F25E3B6?

-- 
Philip Jägenstedt
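The two things discussed above, how --marginals-needed, --completes-needed and --max-cert-depth turn signatures plus ownertrust into calculated validity, and whether any signature path to a key exists at all, can be illustrated with a small model. The following is an added example written for this archive page; it is not GnuPG's trustdb code and not anything posted in the thread. It implements a simplified version of the classic trust model rules and a path search over the signature graph. The keyring it builds (`me`, `alice`, `bob`, `carol`, `dist`, `dave`, `erin`, `mallory`, `frank`) is constructed sample data that mirrors the scenario in the mail: three marginally trusted keys that each signed the distribution-signing key.

```python
"""Simplified model of GnuPG's classic web-of-trust validity calculation.

Added example, not GnuPG's own code. Key names and signatures are constructed.
"""

# Ownertrust levels, named as gpg --edit-key's "trust" command names them.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


class WebOfTrust:
    def __init__(self, marginals_needed=3, completes_needed=1, max_cert_depth=5):
        # Defaults match gpg's --marginals-needed, --completes-needed, --max-cert-depth.
        self.marginals_needed = marginals_needed
        self.completes_needed = completes_needed
        self.max_cert_depth = max_cert_depth
        self.signers = {}     # key -> set of keys that certified it
        self.ownertrust = {}  # key -> ownertrust level (UNKNOWN by default)

    def add_key(self, key, ownertrust=UNKNOWN):
        self.signers.setdefault(key, set())
        self.ownertrust[key] = ownertrust

    def sign(self, signer, signed):
        """Record a key signature: `signer` certified `signed`."""
        self.add_key(signer, self.ownertrust.get(signer, UNKNOWN))
        self.signers.setdefault(signed, set()).add(signer)
        self.ownertrust.setdefault(signed, UNKNOWN)

    def validity(self):
        """Return {key: 'full' | 'marginal' | 'unknown'} for every key.

        Simplified rules (assumption, after the documented model):
          * ultimately trusted keys are fully valid at depth 0;
          * only fully valid keys act as introducers; one with full/ultimate
            ownertrust counts as a complete introducer, one with marginal
            ownertrust as a marginal introducer, never/unknown count for nothing;
          * a key is fully valid when at least completes_needed complete or
            marginals_needed marginal introducers signed it, marginally valid
            when some but not enough did;
          * keys validated in one pass only introduce others in the next pass,
            and there are max_cert_depth passes, which bounds the hop count.
        """
        valid = {k: "unknown" for k in self.signers}
        for k, t in self.ownertrust.items():
            if t == ULTIMATE:
                valid[k] = "full"
        introducers = {k for k, v in valid.items() if v == "full"}
        for _ in range(self.max_cert_depth):
            newly_valid = set()
            for key, who in self.signers.items():
                if valid[key] == "full":
                    continue
                usable = [s for s in who if s in introducers]
                completes = sum(1 for s in usable if self.ownertrust[s] in (FULL, ULTIMATE))
                marginals = sum(1 for s in usable if self.ownertrust[s] == MARGINAL)
                if completes >= self.completes_needed or marginals >= self.marginals_needed:
                    valid[key] = "full"
                    newly_valid.add(key)
                elif completes or marginals:
                    valid[key] = "marginal"
            if not newly_valid:
                break
            introducers |= newly_valid
        return valid

    def cert_paths(self, start, target, max_hops=None):
        """All simple signature paths start -> ... -> target of at most max_hops
        signatures. This ignores ownertrust on purpose: it is the part a key
        server could answer mechanically; deciding ownertrust cannot be delegated."""
        max_hops = max_hops or self.max_cert_depth
        signed_by = {}  # signer -> keys it certified
        for key, who in self.signers.items():
            for s in who:
                signed_by.setdefault(s, set()).add(key)
        paths, stack = [], [(start, [start])]
        while stack:
            node, path = stack.pop()
            if node == target:
                paths.append(path)
                continue
            if len(path) - 1 >= max_hops:
                continue
            for nxt in signed_by.get(node, ()):
                if nxt not in path:
                    stack.append((nxt, path + [nxt]))
        return sorted(paths)


def example_keyring(max_cert_depth=5):
    """Constructed keyring mirroring the thread: me -> three marginal signers -> dist."""
    wot = WebOfTrust(max_cert_depth=max_cert_depth)
    wot.add_key("me", ULTIMATE)
    for k in ("alice", "bob", "carol"):
        wot.add_key(k, MARGINAL)  # signed and marginally trusted by me
        wot.sign("me", k)
        wot.sign(k, "dist")       # the key whose validity we want
    wot.sign("alice", "dave")     # one marginal introducer -> marginal validity
    wot.sign("dist", "erin")      # dist is valid but has no ownertrust yet
    wot.sign("mallory", "frank")  # signer we know nothing about
    return wot


if __name__ == "__main__":
    wot = example_keyring()
    for key, v in sorted(wot.validity().items()):
        print(f"{key:8s} {v}")
    for p in wot.cert_paths("me", "dist"):
        print(" -> ".join(p))
```

With the defaults, `dist` ends up fully valid through three marginal introducers, `dave` only marginal, and `erin` unknown until `dist` itself is given some ownertrust; with `max_cert_depth=1`, `dist` is out of reach. The path search shows what a key server query could do and what it cannot: it lists the candidate signers, but which of them deserve marginal trust remains the user's decision.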
