keys require a user-id

Wiktor Kwapisiewicz wiktor at metacode.biz
Fri May 15 20:14:41 CEST 2020


On 15.05.2020 16:43, Andrew Gallagher wrote:
> The inputs to the WoT are the signatures and the ownertrust values, and
> the outputs are UID validities. "Key validity" is neither an input nor a
> meaningful output of the system. 

Key validity directly influences the "WARNING: This key is not certified
with sufficiently trusted signatures" message that I think is pretty
significant for end-users. If it wasn't meaningful it wouldn't be
printed in the --edit-key dialog.

> It is useful only as an intermediate
> step, together with the ownertrust, in the calculation of another UID's
> validity. The practical outworking of any validity calculation is not
> "Is this key valid?" but "Is this key valid for this UID?".

The argument could be reversed stating that "User ID validity is useful
only as an intermediate step to calculate key validity" and we wouldn't
draw any new knowledge from this. My original point was that key
validity exists.

Also: thanks for bringing my mental shortcut to technical correctness:

> It takes one fully trusted certifier (*), or three marginally trusted
> certifiers (*) on the *same UID*, for a UID to be considered valid.

This could of course be further refined by mentioning ownertrust or
that 0x11: Persona certifications do not contribute to this or that
trust signatures affect the algorithm or...

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor
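
The rule discussed in this message (one fully trusted or three marginally trusted certifiers on the same UID, persona certifications not counted), as an added example that is not part of the original message and is not GnuPG's code. It is a simplified model: trust signatures, expiry, revocation and certification depth are left out, "a key is as valid as its best UID" is a modelling assumption, and all key names and addresses are constructed.

```python
from collections import defaultdict

COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 3  # GnuPG's default thresholds
PERSONA = 0x11                             # signature class left out of the count

def uid_validity(certs, ownertrust, ultimate):
    """certs: (signer, key, uid, sigclass) tuples; ownertrust: {key: "full"|"marginal"};
    ultimate: the user's own keys. Returns {(key, uid): "full"|"marginal"}."""
    valid_keys, changed, result = set(ultimate), True, {}
    while changed:                         # repeat until no further key becomes valid
        changed = False
        support = defaultdict(lambda: {"full": set(), "marginal": set()})
        for signer, key, uid, sigclass in certs:
            if sigclass == PERSONA or signer not in valid_keys:
                continue                   # only valid certifiers are counted
            trust = "full" if signer in ultimate else ownertrust.get(signer)
            if trust in ("full", "marginal"):
                support[(key, uid)][trust].add(signer)   # counted per UID
        result = {}
        for (key, uid), s in support.items():
            enough = (len(s["full"]) >= COMPLETES_NEEDED
                      or len(s["marginal"]) >= MARGINALS_NEEDED)
            result[(key, uid)] = "full" if enough else "marginal"
            if enough and key not in valid_keys:
                valid_keys.add(key)
                changed = True
    return result

def key_validity(result, key):
    """Model assumption: a key is as valid as its best-supported UID."""
    levels = {v for (k, _), v in result.items() if k == key}
    return "full" if "full" in levels else "marginal" if levels else "unknown"

# Constructed sample data: "me" is the user's own key; all names are made up.
OWNERTRUST = {"A": "marginal", "B": "marginal", "C": "marginal", "F": "full"}
CERTS = [("me", k, k.lower() + "@example.org", 0x13) for k in "ABCF"] + [
    ("A", "T", "t@work", 0x10), ("B", "T", "t@work", 0x10),
    ("C", "T", "t@home", 0x10),            # third marginal is on a different UID
    ("A", "U", "u@example.org", 0x10), ("B", "U", "u@example.org", 0x10),
    ("C", "U", "u@example.org", 0x10),     # three marginals on the same UID
    ("F", "P", "p@example.org", PERSONA),  # persona certification only
]

def demo():
    result = uid_validity(CERTS, OWNERTRUST, {"me"})
    return {k: key_validity(result, k) for k in "TUP"}

if __name__ == "__main__":
    print(demo())
```

Key T has three marginal certifiers in total but never three on one UID, so neither of its UIDs reaches full validity in this model.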



More information about the Gnupg-users mailing list