GPG key trust after a signing party

Óscar Pereira burn.till.skid at gmail.com
Wed Feb 26 14:43:01 CET 2014


Hello all,

I've just stumbled across this question, on Security StackExchange,
but it has no satisfactory answers, so I thought to relay it here.
Basically, it asks whether after a GPG signing party, you still have
to assign trust values to all the keys (or rather the keys' owners)
in order to have a meaningful web of trust. Finding myself asking
the same question, I quote the question:

« I might be totally misunderstanding the concept of web-of-trust,
  but imagine the following scenario: I generate my key, then go to
  a key signing party, and after, I import all the keys whose
  fingerprint I have verified, and sign those. Now, this will make
  all those keys fully valid, but the default trust for each key
  will still be set to the default, i.e. "unknown". Which means that
  if I now import a new key, even if this new key has enough (*)
  signatures from those, it still won't be considered valid, because
  none of those keys is trusted.

  Which means that for key signing parties to have some usefulness,
  we must set those keys' trust to at least marginally trusted.
  Right? Or am I making some mistake somewhere in my reasoning?

  (*) - In GPG's default security model, i.e. one sig from a fully
  trusted key, or 3 from marginally trusted keys.
»

http://security.stackexchange.com/questions/52102/gpg-key-trust-after-a-signing-party

Thanks for your help!

-- 
Óscar Pereira
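The scenario in the quoted question, worked through as an added example that is not part of the original post or of GnuPG's own code. It is a deliberately simplified Python model of GnuPG's classic trust model with its default parameters (completes-needed 1, marginals-needed 3, max-cert-depth 5): a key's signatures only count once that key is itself valid, and they count as "complete" or "marginal" according to the ownertrust assigned to the signing key. The key IDs (ME, ALICE, BOB, CAROL, NEWCOMER) are constructed placeholders, not real keys.

```python
"""Simplified model of GnuPG's classic ("pgp") trust model.

Added example; not GnuPG code. It reproduces the effect described in the
question: keys signed at a signing party become valid, but with their
ownertrust left at the default "unknown" they cannot make any further
key valid, because only marginal/full/ultimate ownertrust contributes.
"""
from dataclasses import dataclass, field
from enum import Enum


class OwnerTrust(Enum):
    UNKNOWN = "unknown"    # gpg's default for a freshly imported key
    NEVER = "never"
    MARGINAL = "marginal"
    FULL = "full"
    ULTIMATE = "ultimate"  # your own key(s)


@dataclass
class Key:
    keyid: str
    ownertrust: OwnerTrust = OwnerTrust.UNKNOWN
    signed_by: set = field(default_factory=set)  # key IDs that certified this key


def compute_validity(keys, completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {keyid: certification depth} for every key judged valid.

    Ultimately trusted keys are valid at depth 0.  Any other key becomes
    valid when it carries at least `completes_needed` signatures from valid
    keys with full/ultimate ownertrust, or `marginals_needed` signatures from
    valid keys with marginal ownertrust.  Signers at `max_cert_depth` or
    beyond, and signers with unknown/never ownertrust, contribute nothing.
    """
    depth = {k.keyid: 0 for k in keys.values() if k.ownertrust is OwnerTrust.ULTIMATE}
    changed = True
    while changed:  # iterate to a fixed point so validity can chain outward
        changed = False
        for key in keys.values():
            if key.keyid in depth:
                continue
            completes = marginals = 0
            signer_depths = []
            for sid in key.signed_by:
                signer = keys.get(sid)
                if signer is None or sid not in depth or depth[sid] >= max_cert_depth:
                    continue  # unknown signer, not-yet-valid signer, or too deep
                if signer.ownertrust in (OwnerTrust.FULL, OwnerTrust.ULTIMATE):
                    completes += 1
                    signer_depths.append(depth[sid])
                elif signer.ownertrust is OwnerTrust.MARGINAL:
                    marginals += 1
                    signer_depths.append(depth[sid])
                # UNKNOWN and NEVER: the signature is ignored for validity
            if completes >= completes_needed or marginals >= marginals_needed:
                depth[key.keyid] = min(signer_depths) + 1
                changed = True
    return depth


def signing_party_scenario(party_ownertrust=OwnerTrust.UNKNOWN, newcomer_signers=3):
    """Build the keyring from the question (constructed key IDs).

    ME signs the three party keys; the first `newcomer_signers` of them sign
    NEWCOMER, a key I never met.  `party_ownertrust` is what I assigned to
    the party keys afterwards (default: nothing, i.e. "unknown").
    """
    keys = {"ME": Key("ME", OwnerTrust.ULTIMATE)}
    party = ["ALICE", "BOB", "CAROL"]
    for kid in party:
        keys[kid] = Key(kid, party_ownertrust, signed_by={"ME"})
    keys["NEWCOMER"] = Key("NEWCOMER", signed_by=set(party[:newcomer_signers]))
    return compute_validity(keys)


def is_valid(keyid, party_ownertrust=OwnerTrust.UNKNOWN, newcomer_signers=3):
    return keyid in signing_party_scenario(party_ownertrust, newcomer_signers)


if __name__ == "__main__":
    for ot in (OwnerTrust.UNKNOWN, OwnerTrust.MARGINAL, OwnerTrust.FULL):
        valid = signing_party_scenario(ot)
        print(f"party keys ownertrust={ot.value:8s}  "
              f"ALICE valid={'ALICE' in valid}  NEWCOMER valid={'NEWCOMER' in valid}")
```

Running the model confirms the questioner's reading: with ownertrust left at "unknown" the party keys are valid but NEWCOMER is not; setting all three to marginal (or one of them to full) makes NEWCOMER valid, while two marginals are not enough under the defaults. In a real keyring the corresponding steps are `gpg --edit-key KEYID` followed by the `trust` command (or `gpg --import-ownertrust` for a batch), then `gpg --check-trustdb` to recompute validity.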