How to find and verify a trust path?

Peter Lebbing peter at digitalbrains.com
Mon Sep 16 20:11:52 CEST 2013


On 16/09/13 17:45, Philip Jägenstedt wrote:
> However, it's not possible to proceed deeper than 1 step without assigning
> at least marginal trust in people I haven't met.

If you actually don't know these people, I'd say it would be unwise to assign
them trust. Why trust a stranger? However, it is not out of the question to
trust a person you haven't met, which is different from being aware who someone is.

> Since --update-trustdb *does* ask me for ownertrust of the dist sig key in 
> this scenario, I'm guessing that at least some people are willing to do that

Well, I'm not going by what some people are willing to do, but the idea is that
you only assign trust for people you trust. Since you probably trust some people
whose keys you haven't signed, it makes sense to ask the trust question for keys
you haven't signed. Through signatures from trusted people, you can ascertain
that a key belongs to a person, you don't need to sign it yourself for that.
However, for that person to make other keys valid, you need to trust their
judgement. The trust question is exactly that: do you trust that this person
only signs keys he or she has properly verified?

> I'm guessing key servers simply can't be queried for this information.

I'm pretty sure they can't be directly queried for this information.

> If there are no good tools, what have others done to verify that they have a 
> path to 4F25E3B6?

Most of them probably did nothing, since it's useless other than for statistical
fun. There is nothing to be gained from knowing one or more paths.

Any "attacker" doesn't need to do much effort to create so many paths to that
key it dwarfs any other key by comparison. Is the validity of that key then
somehow increased, because it has so many paths?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
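To make the distinction between validity and ownertrust concrete, here is an added example (it is not part of Peter's message and not GnuPG's code): a small model of the classic OpenPGP trust computation, using the same defaults GnuPG uses (three marginally trusted signers or one fully trusted signer make a key valid, certification chains at most five deep). All key names, signatures and ownertrust values are constructed for the illustration. It shows that a key you never signed can still become valid through trusted signers, that a valid but untrusted key introduces nothing, and that manufacturing many signature paths to a key does not change its validity at all.

```python
"""Added example: a model of GnuPG's classic trust computation (not GnuPG's code).

Defaults mirror --marginals-needed 3, --completes-needed 1, --max-cert-depth 5.
Every key, signature and ownertrust value below is constructed sample data."""
from collections import defaultdict

UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


def compute_validity(signatures, ownertrust, marginals_needed=3,
                     completes_needed=1, max_depth=5):
    """signatures: (signer, signee) pairs meaning 'signer certified signee's key'.
    ownertrust: key -> your own judgement of that key's owner as an introducer.
    Returns key -> 'full' | 'marginal' | 'unknown' validity."""
    keys = set(ownertrust)
    signers_of = defaultdict(set)
    for signer, signee in signatures:
        keys.update((signer, signee))
        signers_of[signee].add(signer)

    # Depth at which a key became fully valid; your own (ultimate) keys sit at depth 0.
    full_at = {k: 0 for k in keys if ownertrust.get(k) == ULTIMATE}
    validity = {k: ("full" if k in full_at else "unknown") for k in keys}

    for depth in range(1, max_depth + 1):
        newly_full = {}
        for key in keys:
            if key in full_at:
                continue
            completes = marginals = 0
            for signer in signers_of[key]:
                # A signer only counts if it is already fully valid at a shallower
                # depth AND you assigned it ownertrust. Validity alone (knowing a key
                # belongs to someone) does not let that key introduce others.
                if signer not in full_at or full_at[signer] >= depth:
                    continue
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (FULL, ULTIMATE):
                    completes += 1
                elif trust == MARGINAL:
                    marginals += 1
            if completes >= completes_needed or marginals >= marginals_needed:
                newly_full[key] = depth
            elif completes or marginals:
                validity[key] = "marginal"
        if not newly_full:
            break
        for key, d in newly_full.items():
            full_at[key] = d
            validity[key] = "full"
    return validity


def count_paths(signatures, start, target, max_depth=5):
    """Number of simple certification chains start -> ... -> target, at most max_depth long."""
    signs = defaultdict(set)
    for signer, signee in signatures:
        signs[signer].add(signee)

    def walk(node, depth, seen):
        if node == target:
            return 1
        if depth == max_depth:
            return 0
        return sum(walk(nxt, depth + 1, seen | {nxt})
                   for nxt in signs[node] if nxt not in seen)

    return walk(start, 0, {start})


def build_example():
    """Constructed web of trust. 'me' verified alice, bob, carol and dave in person."""
    ownertrust = {"me": ULTIMATE,
                  "alice": MARGINAL, "bob": MARGINAL, "carol": MARGINAL,
                  "dave": UNKNOWN,   # key verified, but I know nothing about his signing habits
                  "frank": FULL}     # never signed by me; trusted once his key became valid
    signatures = [("me", "alice"), ("me", "bob"), ("me", "carol"), ("me", "dave"),
                  ("alice", "frank"), ("bob", "frank"), ("carol", "frank"),
                  ("frank", "grace"),
                  ("alice", "heidi"), ("bob", "heidi"),
                  ("dave", "eve")]
    # An "attacker" cheaply manufactures 50 paths to mallory through strangers dave signed.
    for i in range(50):
        stranger = f"stranger{i}"
        signatures += [("dave", stranger), (stranger, "mallory")]
    return signatures, ownertrust


def demo_validity():
    signatures, ownertrust = build_example()
    return compute_validity(signatures, ownertrust)


def demo_path_counts():
    signatures, _ = build_example()
    return {k: count_paths(signatures, "me", k) for k in ("grace", "mallory")}


if __name__ == "__main__":
    v = demo_validity()
    for k in ("dave", "frank", "grace", "heidi", "eve", "mallory"):
        print(f"{k:8} validity={v[k]}")
    print("paths:", demo_path_counts())
```

frank becomes fully valid although I never signed him (three marginal signers), so asking me for his ownertrust makes sense, and once given it, grace becomes valid through him at depth 3. dave is fully valid but has no ownertrust, so eve and all fifty strangers stay unknown, and so does mallory despite fifty paths from my key; grace, with only three paths, is valid. The path count is the statistic, the ownertrust assignments are the decision.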
