get the trust level of an external key

Jbar jeanjacquesbrucker at gmail.com
Wed Jan 18 07:08:46 CET 2012


On Tuesday 17 January 2012 22:13:52, Daniel Kahn Gillmor wrote:
> On 01/17/2012 02:50 PM, Jbar wrote:
> > 
> > Is there a way to check the trust level of an external certificate before
> > to import it ? or are we forced to import it, check its trust and then
> > remove it (or not) ?
> 
> If instead, you're talking about the validity of User IDs, you should be
> aware that this is not the same thing as trust (and that it can change
> over time, e.g. as certifications expire, keys are revoked, etc).

Yes, I am talking about validity; I was saying "trust" because it is written that way in some old GnuPG manuals.
The better choice is indeed to designate these two concepts with the words "validity" and "ownertrust" (instead of the words "trust" and "ownertrust").

> 
> In either case, though, it's probably simplest to import the key to get
> gpg to do any sort of sophisticated operations on it.
> 
> if you want to avoid contaminating one particular keyring, you could set
> up multiple GNUPGHOME directories -- one for triage, and once a key has
> passed triage, it could be exported into the "cleaner" keyring.  Whether
> this is a useful arrangement probably depends on the needs and
> implementation of the rest of your system, though.
> 
> hth,
> 
> 	--dkg

I would not like to import the key, as in fact I already manage several keyrings. My use is close to something needed relative to RFC 6091 http://tools.ietf.org/html/rfc6091, which you wrote with Nikolas Mavrogiannopoulos *:

 I have agents (also called bots) which send their OpenPGP certificate (with sigs) to others. Each agent maintains the same keyring, the smallest possible (only minimized valid certificates, with ownertrust=4:marginal), which contains only individual/human certificates.
 I then want to check the validity of the agent/bot certificate (according to the individual/human keyring).**

 I have checked what GnuTLS does about that: http://www.gnu.org/software/gnutls/manual/html_node/OpenPGP-API.html#gnutls_005fopenpgp_005fcrt_005fverify_005fring ; and that is not sufficient to detect the validity of the certificate, which therefore has to be done manually :-(.

 I don't know if GnuTLS uses libgpgme, but testing the validity of an external key with gpg may be a great feature for GnuTLS, Monkeysphere, and OpenUDC (our project).

 What do you think? (Is there someone to code the patch, please?)

*: _Note 1:_ I don't use RFC 6091 or GnuTLS today, because I don't care about/need encryption and don't code in C, but in bash, to develop and test the required software architectures and features faster.
**: _Note 2:_ about our individual/human and agent/bot certificates, we wrote a draft: https://github.com/jbar/open-udc/blob/master/docs/Authentication_Mechanisms.draft.txt (not completely up to date, comments welcome).
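The "triage GNUPGHOME" arrangement dkg suggests above, written out as an added example (not code from this thread, from GnuPG, or from OpenUDC): the trusted individual/human keyring and its trustdb are copied into a throw-away GNUPGHOME, the external certificate is imported only there, and the validity letter gpg computes for it is read back from the `--with-colons` listing, so the working keyring is never modified. It assumes GnuPG 2.1.13 or later (for `--import-options show-only`), a `TRUSTED_HOME` directory that already holds `pubring.kbx`/`pubring.gpg` and `trustdb.gpg` with ownertrust assigned, and the constructed sample listing `SAMPLE_LISTING`; the key fingerprints and user ids in that sample are made up.

```shell
#!/bin/sh
# Added example: check an external OpenPGP certificate's validity against a
# trusted keyring inside a scratch GNUPGHOME, leaving the real keyring untouched.
# Assumes GnuPG >= 2.1.13 and a TRUSTED_HOME with pubring + trustdb prepared.

# Print the validity letter of the primary key whose fingerprint is $2, read
# from a `gpg --with-colons --list-keys --fingerprint` listing passed as $1.
# Letters: u=ultimate f=full m=marginal q=undefined -=unknown n=never
# e=expired r=revoked. Prints nothing if the fingerprint is not a primary key.
key_validity() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 == "pub" { v = $2 }              # validity field of this primary key
        $1 == "fpr" && v != "" {            # first fpr after pub = primary fingerprint
            if ($10 == want) { print v; exit }
            v = ""                          # later fpr records belong to subkeys
        }'
}

# Exit status 0 only for letters gpg itself treats as valid (full, ultimate);
# "m" (marginal) is deliberately not accepted here.
is_valid_letter() {
    case "$1" in
        f|u) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample listing: one fully valid key with a subkey, one marginal key.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:f:4096:1:0123456789ABCDEF:1326800000:::-:::scESC::::::23::0:
fpr:::::::::DEADBEEF0123456789ABCDEF0123456789ABCDEF:
uid:f::::1326800000::0000000000000000000000000000000000000000::Agent Bot <bot at example.invalid>::::::::::0:
sub:f:4096:1:FEDCBA9876543210:1326800000::::::e::::::23:
fpr:::::::::0000000011111111222222223333333344444444:
pub:m:2048:1:A1B2C3D4E5F60718:1326800000:::-:::scESC::::::23::0:
fpr:::::::::CAFEBABE00000000111111112222222233333333:
uid:m::::1326800000::1111111111111111111111111111111111111111::Other Bot <other at example.invalid>::::::::::0:'

# Triage flow. Arguments: TRUSTED_HOME CERT_FILE. Prints "<letter> <fingerprint>"
# and exits 0 only when the certificate is valid according to the trusted keyring.
check_external_cert() {
    trusted_home=$1 cert=$2
    triage=$(mktemp -d) || return 2
    chmod 700 "$triage"
    # Copy keyring, trustdb and options (marginals-needed etc.) into the scratch home.
    for f in pubring.kbx pubring.gpg trustdb.gpg gpg.conf; do
        [ -f "$trusted_home/$f" ] && cp "$trusted_home/$f" "$triage/"
    done
    # Primary fingerprint of the key in the file, shown without importing it.
    fpr=$(GNUPGHOME=$triage gpg --batch --no-tty --with-colons --with-fingerprint \
              --import-options show-only --import "$cert" 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || { rm -rf "$triage"; return 2; }
    # Import into the scratch copy only, then let gpg recompute validity.
    GNUPGHOME=$triage gpg --batch --no-tty --quiet --import "$cert" 2>/dev/null
    GNUPGHOME=$triage gpg --batch --no-tty --check-trustdb 2>/dev/null
    listing=$(GNUPGHOME=$triage gpg --batch --no-tty --with-colons \
                  --list-keys --fingerprint 2>/dev/null)
    rm -rf "$triage"
    letter=$(key_validity "$listing" "$fpr")
    echo "${letter:--} $fpr"
    is_valid_letter "$letter"
}

# Usage: sh check.sh /path/to/trusted-home agent-cert.asc
if [ $# -eq 2 ]; then check_external_cert "$1" "$2"; fi
```

Validity is recomputed from the copied trustdb, so the result reflects the human keyring's ownertrust and the signatures carried inside the external certificate; because the scratch home is deleted afterwards, nothing from the triage leaks into the keyring the agent actually serves from.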