GPG key trust after a signing party

David Shaw dshaw at jabberwocky.com
Wed Feb 26 18:01:21 CET 2014


On Feb 26, 2014, at 8:43 AM, Óscar Pereira <burn.till.skid at gmail.com> wrote:

> Hello all,
> 
> I've just stumbled across this question on Security StackExchange,
> but it has no satisfactory answers, so I thought I'd relay it here.
> Basically, it asks whether, after a GPG signing party, you still have
> to assign trust values to all the keys (or rather the keys' owners)
> in order to have a meaningful web of trust. Finding myself asking
> the same question, I quote the question:
> 
> « I might be totally misunderstanding the concept of web-of-trust,
>  but imagine the following scenario: I generate my key, then go to
>  a key signing party, and afterwards I import all the keys whose
>  fingerprint I have verified, and sign those. Now, this will make
>  all those keys fully valid, but the default trust for each key
>  will still be set to the default, i.e. "unknown". Which means that
>  if I now import a new key, even if this new key has enough (*)
>  signatures from those, it still won't be considered valid, because
>  none of those keys is trusted.

A (slightly) simplified way to think of it is:

  1) You sign someone's key to say "I assert that this key belongs to the person identified".
  2) You assign trust to someone's key to say "I believe this person is responsible enough to do number 1 well".

#1 is a public statement from you (your key) to the world.  #2 is a private note in your own GPG setup.

The two don't necessarily go together.  If you think someone makes terrible signatures (for example, doesn't check sufficiently before signing), then you may still sign their key (after all, you're not making a statement as to their reliability, just as to their identity), but you probably wouldn't want to assign trust to their key.  In other words, you believe their key belongs to them, but you don't "trust" them to make good signatures on other people's keys.

At a keysigning party, it's quite common to be able to sign someone's key (you check some ID, verify their email address works via a cookie, and so on), but yet have no idea if the person is worth trusting to sign someone else's key.  After all, in many cases, you've never even met them before.

David

p.s. There are variations here like the trust signature that combines both identity and trust into a single statement, and the local signature which is like a regular signature but not a public statement, but in the context of a keysigning party, they're much less common.
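
The distinction above (a signature says "this key belongs to this person"; ownertrust says "I trust this person's signatures on other keys") can be made concrete with a small model of GnuPG's default "pgp" trust model. The code below is an added illustration, not GnuPG's own code or anything from this thread; the key names (me, alice, bob, carol, dave) are constructed, and the thresholds are GnuPG's defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5). It reproduces the questioner's scenario: keys signed at the party are valid, but a later key signed by three of them is only valid once those three have been given ownertrust.

```python
# Simplified model of GnuPG's "pgp" trust model (illustration, not GnuPG code).
# Validity ("does this key belong to its owner?") is derived from signatures
# plus the private ownertrust notes, using GnuPG's default thresholds.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5

def compute_validity(signatures: dict[str, set[str]],
                     ownertrust: dict[str, str]) -> dict[str, str]:
    """signatures: key -> set of keys that signed it.
    ownertrust: key -> 'ultimate' | 'full' | 'marginal' | 'unknown'.
    Returns key -> 'full' or 'unknown' validity."""
    keys = set(signatures) | set(ownertrust)
    for sigs in signatures.values():
        keys |= sigs
    # depth[k] is set once k is valid; our own ultimately trusted keys are depth 0
    depth = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    changed = True
    while changed:  # iterate to a fixpoint so chains of signatures resolve
        changed = False
        for key in keys:
            if key in depth:
                continue
            fulls = marginals = signer_depth = 0
            for signer in signatures.get(key, set()):
                # a signature only counts if the signer is itself valid, within
                # the certification depth, and has been given ownertrust
                if signer not in depth or depth[signer] >= MAX_CERT_DEPTH:
                    continue
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    fulls += 1
                elif trust == "marginal":
                    marginals += 1
                else:
                    continue  # valid signer, but we don't trust its judgment
                signer_depth = max(signer_depth, depth[signer])
            if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                depth[key] = signer_depth + 1
                changed = True
    return {k: "full" if k in depth else "unknown" for k in keys}

def signing_party_scenario(assign_trust: bool) -> str:
    """Constructed scenario: 'me' signs alice, bob and carol at the party;
    dave is imported later, signed by all three of them."""
    sigs = {"alice": {"me"}, "bob": {"me"}, "carol": {"me"},
            "dave": {"alice", "bob", "carol"}}
    trust = {"me": "ultimate"}
    if assign_trust:  # the private step the question asks about
        trust.update(alice="marginal", bob="marginal", carol="marginal")
    return compute_validity(sigs, trust)["dave"]
```

With no ownertrust assigned, dave stays "unknown" even though all three signers are valid; with marginal trust on the three party keys, dave becomes "full".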
