How to find and verify a trust path?

Ingo Klöcker kloecker at
Wed Sep 18 23:40:30 CEST 2013

On Tuesday 17 September 2013 11:38:55 Peter Lebbing wrote:
> On 17/09/13 11:07, Peter Lebbing wrote:
> > > The independent paths need to be completely disjoint (except for
> > > start and end point) _and_ they all need to start with Philip's
> > > key.
> > 
> > AFAIK, there is no such requirement in the Web of Trust. I've never
> > heard of it.
> Euh... apart from the part where you said they need to start with
> Philip's key. I didn't trim the quote far enough :). I meant there is
> no requirement that the paths are independent.

True. There's no such requirement in the Web of Trust. But Philip's 
> > > > > How would an attacker create n independent paths without
> > > > > deceiving n people?
(which you snipped away in your reply) specifically requires the path to 
be independent. And that the n independent paths have to connect 
Philip's key and the key Philip wants to verify is an implicit 

Of course, the attacker could create n keys all with his correct name. 
Then nobody would have to be deceived because there's nothing wrong 
about those keys. But IMHO that's not a convincing answer because I 
wouldn't trust n paths all involving keys from the same person more than 
1 path involving a key of that person. Of course, if somebody blindly 
trusts gpg to do the right thing then he probably deserves to be 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130918/64e71b2a/attachment.sig>

More information about the Gnupg-users mailing list