Verification via the web of trust

Paolo Bolzoni paolo.bolzoni.brown at
Wed Mar 23 17:49:47 CET 2016

There is a way to know how many "hops" are a key from anything I trust
and see the path?

On Tue, Mar 22, 2016 at 7:43 PM, Andrew Gallagher <andrewg at> wrote:
> On 22/03/16 18:30, Peter Lebbing wrote:
>> On 22/03/16 19:14, Andrew Gallagher wrote:
>>> All this is true. But this does not help *me* one iota.
>> It sounds to me like you're not looking for the Web of Trust, which is indeed
>> very limited in its options. Instead, you are probably looking for something
>> more like TOFU, in the sense that this developer whose signature you see is the
>> same one whose signature you saw last time.
> Only for a project with one developer! Otherwise, the person who signs
> it could legitimately change between releases. Large projects often have
> a separate release signing key, but not apache it seems...
> And at the risk of getting shot down (again), TOFU doesn't work. Not
> because TOFU is broken (it's a perfectly valid method), but because
> *people* are broken. How many times have you blithely clicked through an
> ssh "WARNING: the remote host key has changed!" prompt? ;-)
> A
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at

More information about the Gnupg-users mailing list