keys require a user-id

Andrew Gallagher andrewg at andrewg.com
Fri May 15 16:43:37 CEST 2020


On 15/05/2020 14:34, Wiktor Kwapisiewicz wrote:
> 
> When you sign someone else's User ID it's not your User ID that is doing
> the signing, it's your key; that's why you need a key validity that's
> separated from User ID (key validity is calculated from User ID validity).

The inputs to the WoT are the signatures and the ownertrust values, and
the outputs are UID validities. "Key validity" is neither an input nor a
meaningful output of the system. It is useful only as an intermediate
step, together with the ownertrust, in the calculation of another UID's
validity. The practical outworking of any validity calculation is not
"Is this key valid?" but "Is this key valid for this UID?".

Also, the following is incorrect:

> Third-party signatures are made for key fingerprint and User ID but then
> it takes one fully trusted UID (or 3 marginally by default) for the key
> to be considered valid.

It takes one fully trusted certifier (*), or three marginally trusted
certifiers (*) on the *same UID*, for a UID to be considered valid.
Three different UIDs of the same key signed by marginal certifiers do
not increase the validity of the key, otherwise increasing the number of
UIDs on a key could boost its validity, which is perverse. ;-)

(* certification by a key that has at least one valid UID and
(full|marginal) ownertrust)

-- 
Andrew Gallagher
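As an added illustration of the per-UID rule argued in this message (example code written for this summary, not GnuPG's own implementation; the key names, UIDs and ownertrust values are constructed), a small model that computes validity only for (key, UID) pairs, counts marginal certifiers per UID rather than per key, and only lets a certifier count once it has a valid UID of its own:

```python
COMPLETES_NEEDED = 1   # one fully trusted certifier suffices (GnuPG default)
MARGINALS_NEEDED = 3   # or three marginally trusted certifiers on the SAME UID

def compute_uid_validity(uids, certs, ownertrust):
    """Return the set of (key, uid) pairs the WoT considers valid.

    Simplified model (no trust signatures, depth limits, expiry or revocation).
    uids:       set of (key, uid) pairs that exist
    certs:      set of (certifier_key, key, uid) third-party certifications
    ownertrust: {key: "ultimate" | "full" | "marginal"}; absent keys are untrusted
    """
    # Only (key, uid) pairs ever become valid; there is no separate "key validity".
    valid = {(k, u) for (k, u) in uids if ownertrust.get(k) == "ultimate"}
    changed = True
    while changed:                       # iterate to a fixpoint
        changed = False
        # A certifier counts only if it has at least one valid UID and
        # full/marginal/ultimate ownertrust (the "(*)" condition above).
        certifiers = {k for (k, _) in valid
                      if ownertrust.get(k) in ("ultimate", "full", "marginal")}
        for target in uids - valid:
            fulls, marginals = set(), set()
            for (c, k, u) in certs:
                if (k, u) != target or c == k or c not in certifiers:
                    continue             # other UID, self-signature or unusable certifier
                (fulls if ownertrust[c] in ("ultimate", "full") else marginals).add(c)
            if len(fulls) >= COMPLETES_NEEDED or len(marginals) >= MARGINALS_NEEDED:
                valid.add(target)
                changed = True
    return valid

def demo():
    # Constructed sample keyring: "me" is the user's own key.
    ownertrust = {"me": "ultimate", "A": "marginal", "B": "marginal",
                  "C": "marginal", "D": "full", "E": "full"}
    uids = {("me", "Me"), ("A", "A"), ("B", "B"), ("C", "C"), ("D", "D"), ("E", "E"),
            ("alice", "alice@x"), ("bob", "bob@x"), ("bob", "bob@y"), ("bob", "bob@z"),
            ("carol", "carol@x"), ("frank", "frank@x")}
    certs = {("me", "A", "A"), ("me", "B", "B"), ("me", "C", "C"), ("me", "D", "D"),
             # three marginal certifiers on the same UID -> that UID is valid
             ("A", "alice", "alice@x"), ("B", "alice", "alice@x"), ("C", "alice", "alice@x"),
             # three marginal certifiers spread over three UIDs of one key -> none valid
             ("A", "bob", "bob@x"), ("B", "bob", "bob@y"), ("C", "bob", "bob@z"),
             ("D", "carol", "carol@x"),   # one full certifier -> valid
             ("E", "frank", "frank@x")}   # E has full ownertrust but no valid UID -> no effect
    return compute_uid_validity(uids, certs, ownertrust)
```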
