Help With GPG trust model

Ingo Klöcker kloecker at kde.org
Fri Jun 14 11:48:25 CEST 2024


On Freitag, 14. Juni 2024 03:16:42 CEST Eason Lu via Gnupg-users wrote:
> Thank you Francesco that does help,
> I did not realize that by signing the public key, it is also marked as
> trusted, thanks

"trusted" is an ambiguous word in OpenPGP, i.e. it's used for different things.

By signing a public key (or, more precisely, one or more user IDs of the 
public key) you certify that this public key is controlled by the person(s) 
referenced in the user ID(s) that you signed. "certified" would be a better 
alternative for "trusted" in this case. You can create "local" non-exportable 
certifications for your own use (by using --lsign-key) and exportable 
certifications for sharing them with others (--sign-key).

By setting the owner trust of a public key (let's call it "T") to "full trust" 
you tell gpg that you trust that the owner of this public key does a good job 
when they certify other public keys. If you additionally certify the public 
key "T" then your gpg will consider other public keys that are certified with 
"T" as "certified". This is (part of) how the web-of-trust works. Owner trust 
is never exported with a public key, i.e. it's only used for yourself.

When you generate a new key then its owner trust is automatically set to 
"ultimate". Public keys with "ultimate" owner trust are considered as 
"certified" by gpg without further certifications. You should only use 
"ultimate" owner trust for your own keys.

Regards,
Ingo
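The rules Ingo describes (certification versus owner trust, and why both are needed before keys certified by "T" become valid) can be made concrete with a small model of the trust computation. The following is an added example, not code from the post and not GnuPG's implementation: it is a simplified, per-key (not per-user-ID) model that ignores expiry and revocation, and it goes slightly beyond the post by also handling "marginal" owner trust with gpg's default thresholds (completes-needed 1, marginals-needed 3, max-cert-depth 5). The keyring contents are constructed for illustration.

```python
from dataclasses import dataclass, field

# Owner-trust levels as gpg names them: how much you trust the *owner* of a key
# as a certifier of other keys. Lives only in your local trustdb, never exported.
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


@dataclass
class Key:
    keyid: str
    ownertrust: str = NONE
    # Key IDs whose certifications (signatures on a user ID) we hold for this
    # key. A certification by "me" is what --sign-key / --lsign-key produces.
    certified_by: set = field(default_factory=set)


def compute_validity(keyring, completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {keyid: 'full' | 'marginal' | 'unknown'} (key *validity*).

    Simplified model (assumption, not gpg's exact code):
      * a key with ULTIMATE owner trust is valid with no certification at all;
      * a certification only counts if the certifying key is itself fully valid;
      * it counts as "complete" if the certifier has FULL or ULTIMATE owner
        trust, as "marginal" if the certifier has MARGINAL owner trust, and
        not at all if the certifier has no owner trust;
      * completes_needed completes or marginals_needed marginals => full validity;
        some counting certifications, but too few => marginal validity.
    Validity is propagated until nothing changes or max_cert_depth is reached.
    """
    validity = {kid: ("full" if key.ownertrust == ULTIMATE else "unknown")
                for kid, key in keyring.items()}
    for _ in range(max_cert_depth):
        changed = False
        for kid, key in keyring.items():
            if validity[kid] == "full":
                continue
            completes = marginals = 0
            for signer_id in key.certified_by:
                signer = keyring.get(signer_id)
                if signer is None or validity[signer_id] != "full":
                    continue  # unknown certifier: its signature is worthless
                if signer.ownertrust in (FULL, ULTIMATE):
                    completes += 1
                elif signer.ownertrust == MARGINAL:
                    marginals += 1
            if completes >= completes_needed or marginals >= marginals_needed:
                new = "full"
            elif completes or marginals:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[kid]:
                validity[kid] = new
                changed = True
        if not changed:
            break
    return validity


def example_keyring(certify_t):
    """Constructed keyring mirroring the post: 'me' is my own key (ultimate),
    'T' is the key whose owner trust I set to full, 'A' is certified only by
    T, and 'B' is certified only by A (which has no owner trust)."""
    me = Key("me", ownertrust=ULTIMATE)
    t = Key("T", ownertrust=FULL, certified_by={"me"} if certify_t else set())
    a = Key("A", certified_by={"T"})
    b = Key("B", certified_by={"A"})
    return {k.keyid: k for k in (me, t, a, b)}


def marginal_example():
    """Constructed: three marginally trusted keys certified by me; D2 carries
    two of their certifications, D3 all three (marginals-needed is 3)."""
    me = Key("me", ownertrust=ULTIMATE)
    ms = [Key(f"M{i}", ownertrust=MARGINAL, certified_by={"me"}) for i in (1, 2, 3)]
    d2 = Key("D2", certified_by={"M1", "M2"})
    d3 = Key("D3", certified_by={"M1", "M2", "M3"})
    return compute_validity({k.keyid: k for k in (me, *ms, d2, d3)})


if __name__ == "__main__":
    print("T certified by me:   ", compute_validity(example_keyring(True)))
    print("T NOT certified by me:", compute_validity(example_keyring(False)))
    print("marginal trust:      ", marginal_example())
```

The two runs of `example_keyring` show the point of the post: setting full owner trust on "T" does nothing on its own, because "T" itself is not valid until you certify it; once you do, "A" becomes valid through T's certification, while "B" stays unknown because "A" has no owner trust even though "A" is valid.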