Managing the WoT with GPG

martin f krafft madduck at
Tue Jun 20 15:34:44 CEST 2017


I've spent some time trying to figure out how to make actual use of
the web-of-trust (the "pgp" trust-model), and I am turning to this
list for some advice, related to a couple of questions:

1. My public keyring has several thousand keys and "weighs" almost
   500Mb. Every couple of runs, I'm told to run --check-trustdb,
   which takes several minutes to complete, then tells me that the
   next run will be in like 2 weeks, but three operations later, I'm
   again being asked to run --check-trustdb. The funny thing is that
   these operations are just message signing and authentication,
   sometimes decryption. However, parcimonie is running in the
   background, updating the keyring one key at a time. Is that the
   reason? If yes, is there any way to mitigate this? I've sketched
   out an idea under (3.) below, but maybe there's another way…?

2. I've also tried running --update-trustdb, but it seems that this
   process is *endless*. I have no idea how many keys remain, and
   I also got the impression that I keep seeing keys I already
   processed. How do you approach this? Or does everyone just use
   tofu these days?

3. Is there a way to run --check-trustdb or --update-trustdb not
   over the entire key graph, but only traversing to a certain depth
   starting from a specific key? Then I could tell parcimonie to run
   --check-trustdb for every key it imports, or have mutt run
   --update-trustdb for every key I want to use. This would
   iteratively achieve the job with the benefit that no cycles would
   be wasted processing trust for keys I never use. I understand
   --edit-key can be used to change the ownertrust, but I don't
   think it recomputes the WoT on change, does it?

   If there's no way to do this yet, would this be a useful addition
   to the UI, assuming it's technically possible?

4. Is there a tool to visualise or explain the computed validity of
   a key? I.e. one saying that e.g. Werner's key is valid because
   Daniel signed it, and I fully trust Daniel? There's wotsap, but
   I want to analyse my own keyring, not a .wot file…

5. Has anyone come up with a smart way to keep pubring/trustdb
   synchronised between multiple workstations?

Thanks for any insights!

@martinkrafft
darwinism is nothing without enough dead bodies.
spamtraps: madduck.bogus at

More information about the Gnupg-users mailing list