Managing the WoT with GPG
Neal H. Walfield
neal at walfield.org
Wed Jun 21 11:53:49 CEST 2017
At Tue, 20 Jun 2017 15:34:44 +0200,
martin f krafft wrote:
> I've spent some time trying to figure out how to make actual use of
> the web-of-trust (the "pgp" trust-model), and I am turning to this
> list for some advice, related to a couple of questions:
> 1. My public keyring has several thousand keys and "weighs" almost
> 500Mb. Every couple of runs, I'm told to run --check-trustdb,
> which takes several minutes to complete, then tells me that the
> next run will be in like 2 weeks, but three operations later, I'm
> again being asked to run --check-trustdb. The funny thing is that
> these operations are just message signing and authentication,
> sometimes decryption. However, parcimonie is running in the
> background, updating the keyring one key at a time. Is that the
> reason? If yes, is there any way to mitigate this? I've sketched
> out an idea under (3.) below, but maybe there's another way…?
You figured it out: whenever your keyring is updated, 'gpg
--check-trustdb' needs to be run. This is normally done on demand,
which is annoying for even moderately sized keyrings. You can disable
this behavior by setting no-auto-check-trustdb in your gpg.conf file.
In that case, you'll want to run 'gpg --check-trustdb' periodically to
integrate new keys, expiry information, revocations, etc. You can do
this in the background via e.g. a cron job.
> 2. I've also tried running --update-trustdb, but it seems that this
> process is *endless*. I have no idea how many keys remain, and
> I also got the impression that I keep seeing keys I already
> processed. How do you approach this? Or does everyone just use
> tofu these days?
Since I don't trust most people to sign keys correctly, I just invoke
'gpg --edit-key' (and use the trust subcommand) on the specific keys
that I want to have as trusted introducers.
> 3. Is there a way to run --check-trustdb or --update-trustdb not
> over the entire key graph, but only traversing to a certain depth
> starting from a specific key? Then I could tell parcimonie to run
> --check-trustdb for every key it imports, or have mutt run
> --update-trustdb for every key I want to use. This would
> iteratively achieve the job with the benefit that no cycles would
> be wasted processing trust for keys I never use. I understand
> --edit-key can be used to change the ownertrust, but I don't
> think it recomputes the WoT on change, does it?
> If there's no way to do this yet, would this be a useful addition
> to the UI, assuming it's technically possible?
This isn't easy given the current implementation: GnuPG doesn't store
the graph, but traverses the graph and only saves whether a particular
key is trusted.
> 4. Is there a tool to visualise or explain the computed validity of
> a key? I.e. one saying that e.g. Werner's key is valid because
> Daniel signed it, and I fully trust Daniel? There's wotsap, but
> I want to analyse my own keyring, not a .wot file…
See my answer to #3: this is not currently possible.
> 5. Has anyone come up with a smart way to keep pubring/trustdb
> synchronised between multiple workstations?
This is a pain. Something along the lines of the following should
gpg --export | ssh host gpg --import
More information about the Gnupg-users