GPG key trust after a signing party
Óscar Pereira
burn.till.skid at gmail.com
Wed Feb 26 14:43:01 CET 2014
Hello all,
I've just stumbled across this question, on Security StackExchange,
but it has no satisfactory answers, so I'd thought to relay it here.
Basically, it asks whether after a GPG signing party, you still have
to assign trust values to all the key (or rather the keys' owners)
in order to have a meaning full web of trust. Finding myself asking
the same question, I quote the question:
« I might be totally misunderstanding the concept of web-of-trust,
but imagine the following scenario: I generate my key, then go to
a key signing party, and after, I import all the keys which
fingerprint I have verified, and sign those. Now, this will make
all those keys fully valid, but the default trust for each key
will still be set to the default, i.e. "unknown". Which means that
if I now import a new key, even if this new key has enough (*)
signatures from those, it still won't be considered valid, because
none of those keys is trusted.
Which means that for key signing parties to have some usefulness,
we must set those keys' trust to at least marginally trusted.
Right? Or am I making some mistake somewhere in my reasoning?
(*) - In GPG's default security model, i.e. one sig from a fully
trusted key, or 3 from marginally trusted keys.
»
http://security.stackexchange.com/questions/52102/gpg-key-trust-after-a-signing-party
Thanks for your help!
--
Óscar Pereira
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: </pipermail/attachments/20140226/ef0c306c/attachment.sig>
More information about the Gnupg-users
mailing list