Stefan Claas stefan.claas at
Fri Jun 30 20:01:50 CEST 2017

On Fri, 30 Jun 2017 18:38:45 +0200, Peter Lebbing wrote:

> Somebody could put their own public key in your keyring, assign that
> Ultimate trust, and then certify another public key they wish to pop
> up as valid. Ultimately trusted keys make other keys valid by their
> certification. There is no way to see any difference between a key
> that is fully valid because your own ultimately trusted key signed it
> or because the attackers ultimately trusted key signed it. And since
> the ultimately trusted key of the attacker isn't the one doing data
> signatures, your "alternative colour" will not trigger.

Correct. But what i mean was an attacker would replace on of my pub
keys (which i signed) with one he/she only replaced with one that
has only the Trust Level set to Ultimate, resulting in both keys
showing up with a green bar.

According to (i'm no programmer) RFC 4880 OpenPGP Message Format:  Trust Signature      	Page 30

5.10.      Trust Packet (Tag 12)	Page 47

Those are imho two different things and therefore should not be
handled with the same color output.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: Digitale Signatur von OpenPGP
URL: </pipermail/attachments/20170630/9399fbd0/attachment-0001.sig>

More information about the Gnupg-users mailing list