Modernizing Web-of-trust for Organizations

Lou Wynn lewisurn at
Wed Jan 3 22:04:38 CET 2018

On 01/03/2018 11:21 AM, Daniel Kahn Gillmor wrote:
> Hi Lou--
> On Tue 2018-01-02 23:02:08 -0800, Lou Wynn wrote:
>> b. Its employees and business partners do not manually manage their own
>> keys and trust relationship, and the administrator centrally manages all
>> certificates and trustworthiness for the organization.
> backing up a bit here -- what kind of "trustworthiness" are you talking
> about in your proposal?  your description includes several uses of the
> word "trust", but no clear explanation of what that trust entails.
> saying that keys are "trusted" doesn't mean much on its own.  What is a
> "trusted" key allowed to do that an "untrusted" key is not allowed to
> do?
>         --dkg

Yes, "trusted" keys do not mean much without context. There are a few
contexts in which to see what trustworthiness means.

1. From the certificate verification point of view, a trusted key means that
the certificate is verified to be in the same trust realm or in the same
trust group as the receiver.

2. From the user interface point of view, a trusted key is reflected by
marking the sender's signature as verified, and an untrusted key is
marked by the warning that the signature cannot be verified. An
automated or manual process can be applied to delete or quarantine
messages whose signature verification fails. The screenshots on the web
link show this intuitive UI. Of course, the final decision about what to
do with such messages is up to the receiver. The signature verification
warning makes the receiver aware of the sender's status, which is
either certified to be in the same trust realm/group or not certified
as such.


More information about the Gnupg-users mailing list