Verification via the web of trust

Peter Lebbing peter at digitalbrains.com
Tue Mar 22 19:30:15 CET 2016


On 22/03/16 19:14, Andrew Gallagher wrote:
> All this is true. But this does not help *me* one iota.

It sounds to me like you're not looking for the Web of Trust, which is indeed
very limited in its options. Instead, you are probably looking for something
more like TOFU, in the sense that this developer whose signature you see is the
same one whose signature you saw last time.

Or maybe a radically different trust model altogether. Quite likely one which hasn't
actually been implemented. It's still the same though: the OP talked about the
Web of Trust, so my answer was about the Web of Trust. That the Web of Trust is
not what you are looking for is a completely different issue.

> Even importing the entire Debian keyring and setting them all to marginal
> trust (I'm already trusting them to write my OS, so why not?)

Exactly! Well observed. I've said it before as well, a nefarious person holding
the private key of a Debian Developer can do much more interesting stuff than
introduce false signatures in the Web of Trust, so you might as well trust them
on that too. That is, as always, depending on your threat model. But I'd wager
that it's compatible with a lot of threat models, since Debian developers can
pretty much execute code as root on your machine.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
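The TOFU policy Peter contrasts with the Web of Trust above, written out as an added example (not code from the thread or from GnuPG): the first key seen for a developer is recorded, a repeat of that key matches, and a different key for the same developer is flagged as a conflict. All identities and fingerprints in it are constructed sample data.

```python
"""Minimal TOFU (trust on first use) check for release signatures.

Added example, not from the original mailing-list thread. It models the
policy described there: accept the signing key a developer used the first
time, and flag any later signature from a different key for that developer.
All fingerprints and identities below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first use: key recorded, verify out of band if you can"
    MATCH = "matches the key seen before"
    CONFLICT = "different key than last time: do not trust without checking"


@dataclass
class TofuStore:
    # developer identity (e.g. e-mail or package name) -> 40-hex fingerprint
    bindings: dict = field(default_factory=dict)
    # (identity, previously seen fingerprint, new fingerprint) for later review
    conflicts: list = field(default_factory=list)

    def check(self, identity: str, fingerprint: str) -> Verdict:
        # normalise the fingerprint the way gpg prints it (spaces, mixed case)
        fpr = fingerprint.replace(" ", "").upper()
        if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
            raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
        known = self.bindings.get(identity)
        if known is None:
            self.bindings[identity] = fpr      # first use: remember it
            return Verdict.FIRST_USE
        if known == fpr:
            return Verdict.MATCH
        self.conflicts.append((identity, known, fpr))
        return Verdict.CONFLICT


def demo() -> list:
    """Run the three cases against constructed signers (not real keys)."""
    store = TofuStore()
    dev_a_key = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    dev_a_other = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"
    return [
        store.check("dev-a@example.org", dev_a_key),    # FIRST_USE
        store.check("dev-a@example.org", dev_a_key),    # MATCH
        store.check("dev-a@example.org", dev_a_other),  # CONFLICT
    ]
```

Note that a CONFLICT is not proof of compromise; a legitimate key rotation looks the same, which is exactly why TOFU answers a different question than the Web of Trust does.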



More information about the Gnupg-users mailing list