Verification via the web of trust

Peter Lebbing peter at digitalbrains.com
Tue Mar 22 18:11:51 CET 2016


On 22/03/16 13:21, Lachlan Gunn wrote:
> All the pathfinders I've seen have been full-on HTML websites, is there
> anything out there more suitable for scripting?

This doesn't help you one iota. The simple reason: trust is not
transitive. If you want key A, which is 4 hops away from you, to become
valid, you need to trust a key B that has signed it. So either you see
among the people who signed key A someone you trust, or you don't. I'm
pretty sure you would recognise the name of someone you trust.

If you do see a name you recognise, key B, and who you trust, the task
simply transfers from A to this B. Only if, on every hop along the path,
there are people you recognise and trust, can you actually get valid
keys that are several hops away.

That trust is not transitive is not some quirk of the web of trust: it
is fundamental. I might trust Carl, and Carl might trust Jenny, but if I
don't know Jenny, I would not trust her, despite the fact that I trust
someone who trusts her. Trust is personal and direct, not transitive.

There is one exception: when you trust someone so much that you'd
delegate the issue of trust to them. This is usually only done in
specific, small communities and employer-employee relations, and is a
"trust signature". They are hardly ever used. Note that the trust might
be more built into the relationship than that you actually do trust your
employer... ;)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
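
The point made in the message above, as an added example that is not part of the original post and is not GnuPG's own code: a signature path alone does not make key A valid, only owner trust assigned at every hop does. This is a simplified model that assumes full owner trust only (no marginal trust, no depth limit); `valid_keys`, `SIGS` and the names "me" and "dave" are constructed for illustration.

```python
# Simplified model of OpenPGP web-of-trust validity (an assumption-laden sketch,
# not GnuPG's real algorithm): a key is valid if it is your own key, or if it is
# signed by a key that is itself valid AND to which you assigned owner trust.

def valid_keys(own_key, signatures, owner_trust):
    """Return the set of valid keys.

    signatures:  {signer: set of keys that signer has certified}
    owner_trust: keys whose owners you personally trust to certify others
    """
    valid = {own_key}
    changed = True
    while changed:  # iterate to a fixed point
        changed = False
        for signer, signed in signatures.items():
            # A signer's certifications count only if the signer's key is
            # valid and you yourself trust that signer (or it is your key).
            if signer in valid and (signer == own_key or signer in owner_trust):
                new = signed - valid
                if new:
                    valid |= new
                    changed = True
    return valid

# Constructed sample: key A is 4 hops away: me -> carl -> jenny -> dave -> A
SIGS = {"me": {"carl"}, "carl": {"jenny"}, "jenny": {"dave"}, "dave": {"A"}}

def demo():
    path_only = valid_keys("me", SIGS, owner_trust=set())
    trust_carl = valid_keys("me", SIGS, {"carl"})
    # Trusting dave does not help while jenny (and so dave's key) is not valid.
    gap_in_chain = valid_keys("me", SIGS, {"carl", "dave"})
    every_hop = valid_keys("me", SIGS, {"carl", "jenny", "dave"})
    return path_only, trust_carl, gap_in_chain, every_hop

if __name__ == "__main__":
    labels = ("path only", "trust carl", "gap in chain", "trust every hop")
    for label, result in zip(labels, demo()):
        print(f"{label:16} valid={sorted(result)} A valid: {'A' in result}")
```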


