Managing the WoT with GPG

Andrew Gallagher andrewg at andrewg.com
Fri Jun 23 11:49:38 CEST 2017


On 2017/06/22 14:34, martin f krafft wrote:
> also sprach Andrew Gallagher <andrewg at andrewg.com> [2017-06-21 15:57 +0200]:
>> I have a quick and dirty tool here:
>> https://github.com/andrewgdotcom/synctrust
> 
> Yeah, that'll do the job, except it blindly overwrites changes made
> locally. It's unlikely this happens, but say I declared your key
> trustworthy last night at home, forgot to run sync, and
> not-trustworthy this morning at the office (sorry, this is just
> a silly example…), and then ran sync, your key would be trustworthy
> again.

Yes, this is a limitation. I did say it was dirty. ;-)

> On the other hand, it'd be totally possible to export ownertrust
> prior to the import, and then fire up vimdiff or the like on the two
> versions. Not exactly a great UID at all.

Not the raw diff, no. But it might be possible to run a diff on the
ownertrusts, ignore any "normal" changes (e.g. where the old/local trust
state was "unknown") and present the user with a list of potentially
dangerous conflicts, such as your unlikely scenario above.

> It'd be better if trustdb would be journalled using a mergeable
> approach.

Trust signatures could trivially implement this, iff it were possible to
ltsign a key without also certifying it. (Feature request?)

> #SyncIsHard

Amen.

A
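
The conflict screen described in the reply above, as an added example that is not part of the original post or of synctrust. It assumes the `gpg --export-ownertrust` line format `<fingerprint>:<level>:` and that values 0 and 2 mean no local decision; the function names and sample fingerprints are constructed for illustration.

```python
# Added example: screen two `gpg --export-ownertrust` dumps before an import.
# Assumed line format: "<fingerprint>:<level>:" plus "#" comment lines.
LEVELS = {2: "undefined", 3: "never", 4: "marginal", 5: "full", 6: "ultimate"}
# Assumed ordering, least to most trusted; other values rank as "no decision".
RANK = {3: 0, 2: 1, 4: 2, 5: 3, 6: 4}
UNSET = {0, 2}  # assumption: these values mean no local decision was made

def parse_ownertrust(text):
    """Return {fingerprint: level} for every well-formed line."""
    trust = {}
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2 or not fields[1].isdigit():
            continue  # comment, blank or malformed line
        # Assumption: the trust level sits in the low four bits of the value.
        trust[fields[0].upper()] = int(fields[1]) & 0x0F
    return trust

def find_conflicts(local, incoming):
    """List keys where the import would overwrite an explicit local decision."""
    conflicts = []
    for fpr, new in sorted(incoming.items()):
        old = local.get(fpr)
        if old is None or old in UNSET or old == new:
            continue  # "normal" change: nothing deliberate is lost
        move = "raises" if RANK.get(new, 1) > RANK.get(old, 1) else "lowers"
        conflicts.append(
            (fpr, LEVELS.get(old, str(old)), LEVELS.get(new, str(new)), move))
    return conflicts

# Constructed sample data; the fingerprints are placeholders, not real keys.
LOCAL = """# office machine, exported just before the sync
1111111111111111111111111111111111111111:3:
2222222222222222222222222222222222222222:2:
3333333333333333333333333333333333333333:5:
"""
INCOMING = """# synced copy from the home machine
1111111111111111111111111111111111111111:5:
2222222222222222222222222222222222222222:4:
3333333333333333333333333333333333333333:5:
4444444444444444444444444444444444444444:6:
"""

if __name__ == "__main__":
    for fpr, old, new, move in find_conflicts(parse_ownertrust(LOCAL),
                                              parse_ownertrust(INCOMING)):
        print(f"{fpr}: import {move} trust from {old} to {new}")
```

Only the first key is reported: it was set to "never" locally and the import would raise it to "full", which is the scenario from the quoted message.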

