Managing the WoT with GPG
martin f krafft
madduck at madduck.net
Tue Jun 20 15:34:44 CEST 2017
I've spent some time trying to figure out how to make actual use of
the web-of-trust (the "pgp" trust-model), and I am turning to this
list for some advice, related to a couple of questions:
1. My public keyring has several thousand keys and "weighs" almost
500Mb. Every couple of runs, I'm told to run --check-trustdb,
which takes several minutes to complete, then tells me that the
next run will be in like 2 weeks, but three operations later, I'm
again being asked to run --check-trustdb. The funny thing is that
these operations are just message signing and authentication,
sometimes decryption. However, parcimonie is running in the
background, updating the keyring one key at a time. Is that the
reason? If yes, is there any way to mitigate this? I've sketched
out an idea under (3.) below, but maybe there's another way…?
2. I've also tried running --update-trustdb, but it seems that this
process is *endless*. I have no idea how many keys remain, and
I also got the impression that I keep seeing keys I already
processed. How do you approach this? Or does everyone just use
tofu these days?
3. Is there a way to run --check-trustdb or --update-trustdb not
over the entire key graph, but only traversing to a certain depth
starting from a specific key? Then I could tell parcimonie to run
--check-trustdb for every key it imports, or have mutt run
--update-trustdb for every key I want to use. This would
iteratively achieve the job with the benefit that no cycles would
be wasted processing trust for keys I never use. I understand
--edit-key can be used to change the ownertrust, but I don't
think it recomputes the WoT on change, does it?
If there's no way to do this yet, would this be a useful addition
to the UI, assuming it's technically possible?
4. Is there a tool to visualise or explain the computed validity of
a key? I.e. one saying that e.g. Werner's key is valid because
Daniel signed it, and I fully trust Daniel? There's wotsap, but
I want to analyse my own keyring, not a .wot file…
5. Has anyone come up with a smart way to keep pubring/trustdb
synchronised between multiple workstations?
Thanks for any insights!
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
darwinism is nothing without enough dead bodies.
spamtraps: madduck.bogus at madduck.net
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1118 bytes
Desc: Digital GPG signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
More information about the Gnupg-users