improving validity calculation: external program

Hauke Laging mailinglisten at
Mon May 5 07:05:51 CEST 2014


From time to time when changes to GnuPG's behaviour (about validity and 
trust) are suggested, Werner responds kind of: "No, that should be done 
on top of GnuPG." This attitude makes sense but in the current situation 
I would ask: How? How shall that be done on top of GnuPG without causing 
a huge mess of adaption need in the higher layer applications?

Thus I would like to suggest that – similar to gpg-agent's option 
"pinentry-program" – an option is added which disables gpg's internal 
handling of --check-trustdb / --update-trustdb and has the configured 
external program be called for that. This would more or less be a 
modified version of --import-ownertrust.

This way it would become easy to test and offer other validity 
calculation strategies. Simple cases:

a) The WoT could be easily disabled for newbies by configuring a 
validity calculator which ignores it.

b) Ignore level 0 certifications.

Less simple case:
a) The calculator could be configured to treat different keys as one 
(because the owner is the same); we recently discussed this need.

I don't want to distract you from the general idea by offering 
complicated suggestions which will never even come close to consensus... 

A nice extension would be to define an output format (or database format 
for gpg to read the data from) so that

a) this calculator can show for each certification if and how much it 
contributes to the validity of another key (or: UID); IIRC this is 
currently not possible

b) levels for security and authenticity could be added. Today we have 
"valid" and "invalid". But the real world is not a dichotomy: Different 
kinds of information have different requirements for both security and 
authenticity (or the combination of both). We must map this spectrum to 
key selection somehow (or at least create the possibility for others to 
easily do so). 

Crypto for everyone:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5