Expanding web-of-trust with subkey

Teemu Likonen tlikonen at iki.fi
Wed Feb 15 17:54:51 CET 2017

Didrik Nordström [2017-02-14 19:02:08-08] wrote:

> How do you handle key management? Let's say you just want to send a
> signed and encrypted email once to someone who announced their pubkey
> over https? What type of trust would you assign?

I don't personally know anybody who uses gpg. Even if I will meet
someone it's unlikely that signing keys will make me part of any web. So
web of trust is useless for me.

That makes things very simple, in a way. I use "trust-model direct" and
do some checking in web pages or check consistent use of signatures. If
the key seems ok I'll "--edit-key", type "trust" and assign marginal or
full trust for that key. That's it. And because I have no use for other
people's signatures I also have "keyserver-options import-clean" so my
keyring remains small.

When Debian 9 is released, with GnuPG 2.1, I'll try "trust-model
tofu+pgp" (trust on first use plus web of trust). It seems useful too.

/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 454 bytes
Desc: not available
URL: </pipermail/attachments/20170215/779e15e8/attachment.sig>

More information about the Gnupg-users mailing list