trust-model and federated lookups

Neal H. Walfield neal at
Mon Oct 25 15:12:06 CEST 2021

Hi Phil,

On Fri, 22 Oct 2021 17:00:11 +0200,
Phil Pennock via Gnupg-users wrote:
> When evaluating the trust we have in the identity attached to a key, I
> often see "WARNING: We have NO indication whether the key belongs to the
> person named as shown above"; at the same time, `--with-key-origin` for
> the very same key will show "origin=wkd".
>
> GnuPG uses the trust-model option to decide how to evaluate the trust we
> have in a key.  I've looked through the options, and checked the release
> notes for the 2.3.x series to confirm nothing new there.
>
> I'm currently using "trust-model tofu+pgp"/"tofu-default-policy unknown"
>
> I think what I _want_ is `trust-model pgp+federated+tofu`, which means,
> in order: (1) any sigs from the WoT; (2) origin information from the
> key, if the origin shows the key was safely retrieved from a federated
> origin in a provable way (WKD, various DNSSEC storage options, etc); (3)
> TOFU as a fallback if there's nothing better.
>
> I might even just want `trust-model pgp+federated` if I'm feeling more
> cautious.  But in reality tofu helps a little.
>
> Does this make sense to people?  Is there a security problem with this?
> Does this seem like a reasonable feature request?

This absolutely makes sense.  One way to model this in the web of
trust is to imagine that you have a "WKD key," which you consider a
partially trusted introducer, and which certifies keys that you
retrieve via WKD.  Practically, it's a bit more complicated using the
available mechanisms.

:) Neal
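
The "WKD key as a partially trusted introducer" idea from the message above, as an added example that is not part of the original message and is not GnuPG's code: a toy validity calculation in which a WKD origin counts as one marginal certification. Assumptions: the names `Key`, `validity` and `virtual:wkd` are hypothetical, the thresholds are GnuPG's defaults for `--completes-needed` (1) and `--marginals-needed` (3), only direct certifications are modelled, and the sample ownertrust data is constructed.

```python
# Added illustration: a toy model, not GnuPG's trust database code.
from dataclasses import dataclass, field

# GnuPG defaults for --completes-needed and --marginals-needed.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3

# Hypothetical virtual introducer standing in for "retrieved via WKD".
WKD_INTRODUCER = "virtual:wkd"


@dataclass
class Key:
    user_id: str
    certified_by: set = field(default_factory=set)  # introducer names
    origin: str = "unknown"                          # e.g. "wkd", "ks"


def validity(key, ownertrust, federated_origins=("wkd",)):
    """Return 'full', 'marginal' or 'unknown' for the key's user ID.

    ownertrust maps an introducer name to 'full' or 'marginal'.
    """
    certifiers = set(key.certified_by)
    # Model the federated lookup as one more certification on the key.
    if key.origin in federated_origins:
        certifiers.add(WKD_INTRODUCER)
    full = sum(1 for c in certifiers if ownertrust.get(c) == "full")
    marginal = sum(1 for c in certifiers if ownertrust.get(c) == "marginal")
    if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
        return "full"
    if full or marginal:
        return "marginal"
    return "unknown"  # the point where a TOFU fallback would take over


# Constructed sample ownertrust: one full and two marginal introducers,
# plus the virtual WKD introducer at marginal trust.
OWNERTRUST = {"alice": "full", "bob": "marginal", "carol": "marginal",
              WKD_INTRODUCER: "marginal"}
```

With these defaults a key seen only via WKD moves from unknown to marginal validity, and the WKD origin can supply the third marginal certification a key needs to become fully valid.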
