Managing the WoT with GPG

Neal H. Walfield neal at
Wed Jun 21 11:53:49 CEST 2017


At Tue, 20 Jun 2017 15:34:44 +0200,
martin f krafft wrote:
> I've spent some time trying to figure out how to make actual use of
> the web-of-trust (the "pgp" trust-model), and I am turning to this
> list for some advice, related to a couple of questions:
> 1. My public keyring has several thousand keys and "weighs" almost
>    500Mb. Every couple of runs, I'm told to run --check-trustdb,
>    which takes several minutes to complete, then tells me that the
>    next run will be in like 2 weeks, but three operations later, I'm
>    again being asked to run --check-trustdb. The funny thing is that
>    these operations are just message signing and authentication,
>    sometimes decryption. However, parcimonie is running in the
>    background, updating the keyring one key at a time. Is that the
>    reason? If yes, is there any way to mitigate this? I've sketched
>    out an idea under (3.) below, but maybe there's another way…?

You figured it out: whenever your keyring is updated, 'gpg
--check-trustdb' needs to be run.  This is normally done on demand,
which is annoying for even moderately sized keyrings.  You can disable
this behavior by setting no-auto-check-trustdb in your gpg.conf file.
In that case, you'll want to run 'gpg --check-trustdb' periodically to
integrate new keys, expiry information, revocations, etc.  You can do
this in the background via e.g. a cron job.

> 2. I've also tried running --update-trustdb, but it seems that this
>    process is *endless*. I have no idea how many keys remain, and
>    I also got the impression that I keep seeing keys I already
>    processed. How do you approach this? Or does everyone just use
>    tofu these days?

Since I don't trust most people to sign keys correctly, I just invoke
'gpg --edit-key' (and use the trust subcommand) on the specific keys
that I want to have as trusted introducers.

> 3. Is there a way to run --check-trustdb or --update-trustdb not
>    over the entire key graph, but only traversing to a certain depth
>    starting from a specific key? Then I could tell parcimonie to run
>    --check-trustdb for every key it imports, or have mutt run
>    --update-trustdb for every key I want to use. This would
>    iteratively achieve the job with the benefit that no cycles would
>    be wasted processing trust for keys I never use. I understand
>    --edit-key can be used to change the ownertrust, but I don't
>    think it recomputes the WoT on change, does it?
>    If there's no way to do this yet, would this be a useful addition
>    to the UI, assuming it's technically possible?

This isn't easy given the current implementation: GnuPG doesn't store
the graph, but traverses the graph and only saves whether a particular
key is trusted.

> 4. Is there a tool to visualise or explain the computed validity of
>    a key? I.e. one saying that e.g. Werner's key is valid because
>    Daniel signed it, and I fully trust Daniel? There's wotsap, but
>    I want to analyse my own keyring, not a .wot file…

See my answer to #3: this is not currently possible.

> 5. Has anyone come up with a smart way to keep pubring/trustdb
>    synchronised between multiple workstations?

This is a pain.  Something along the lines of the following should

  gpg --export | ssh host gpg --import

:) Neal

More information about the Gnupg-users mailing list