Modernizing Web-of-trust for Organizations

Lou Wynn lewisurn at
Wed Jan 3 22:46:16 CET 2018

I just realized that I overloaded the meaning of signature verification.
Here, signature verification, both in my previous discussion and in the
receiver's UI, also includes the certificate verification described in
2.b, in addition to traditional signature verification.


On 01/03/2018 01:04 PM, Lou Wynn wrote:
> Yes, "trusted" keys do not mean much without contexts. There are few
> contexts to see what trustworthiness means.
> 1. From certificate verification point of view, a trusted key means that
> the certificate is verified to be in the same trust realm or in the same
> trust group with the receiver.
> 2. From the user interface point of view, a trusted key is reflected by
> marking the sender's signature is verified, and an untrusted key is
> marked by the warning that the signature cannot be verified. An
> automated or manual process can be applied to delete or quarantine
> messages whose signature verification fails. The screenshots on the web
> link show this intuitive UI. Of course, the final decision about what to
> do with such messages is up to the receiver. The warning of signature
> verification makes the receiver aware of the sender status, which is
> either certified to be in the same trust realm/group or not being
> certified as such.
> Thanks,
> Lou

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Gnupg-users mailing list