How trust works in gpg...
David Shaw
dshaw at jabberwocky.com
Tue Apr 15 19:32:17 CEST 2008
On Tue, Apr 15, 2008 at 09:37:45AM -0400, Mark H. Wood wrote:
> On Tue, Apr 15, 2008 at 01:23:01PM +0100, Peter Lewis wrote:
> > So I guess my question is: is this a guide for me, and then I should manually
> > set the trust level on key F myself (if I am satisfied that the chains
> > exist), or should gpg do this automatically for me based on the parameters in
> > my gpg.conf? It doesn't seem to be calculating anything automatically at the
> > moment.
>
> What it is meant to do I can't say, but I hope that it does *not*
> assign trust to others' keys automatically.
It does not. When you sign a key, you make that key *valid*, which
just means "I believe this key does belong to the person it claims to
belong to". When you set *trust* (aka "ownertrust") on that key, you
are saying "I believe the person who owns this key makes signatures
that I am willing to rely on".
> I may trust B's handling of his own keys, but not trust B's judgments
> about F's handling of *his* keys. The safest thing for gpg to assume
> is that I assign no trust at all until I have instructed it
> otherwise. B's signature on F's key is information that I might take
> into consideration, but I might (for example) decide merely to
> remember that datum and observe F's behavior for a while before
> trusting F's key.
Yep.
David
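To make the validity/ownertrust distinction concrete, here is a small model of the classic GnuPG trust computation, added as an illustration and not taken from GnuPG's own sources or from the posters. It assumes the gpg.conf tunables completes-needed, marginals-needed and max-cert-depth at their usual defaults (1, 3, 5), treats only fully valid keys that carry ownertrust as introducers, and ignores user IDs and expiry; those simplifications are assumptions of the model, and the keys "me", "B", "F", "G" and the sample graphs are constructed to mirror the thread's scenario.

```python
"""Simplified model of GnuPG's classic trust model (illustration only, not
GnuPG code). Validity is computed from signatures made by valid keys that
carry ownertrust; ownertrust itself is never assigned automatically."""

# Ownertrust values as a user sets them with `gpg --edit-key <key> trust`.
FULL_INTRODUCER = {"ultimate", "full"}
MARGINAL_INTRODUCER = {"marginal"}


def compute_validity(own_key, sigs, ownertrust,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key: validity}: 'f' (fully valid), 'm' (marginally valid)
    or '-' (unknown), for every key in `sigs` or `ownertrust`.

    sigs:       {signed_key: set(signer_keys)}   key signatures (certifications)
    ownertrust: {key: 'ultimate'|'full'|'marginal'|'none'|'unknown'}, user-set
    The tunables mirror gpg.conf's completes-needed, marginals-needed and
    max-cert-depth. Assumption of this model: only fully valid keys introduce.
    """
    ownertrust = {**ownertrust, own_key: "ultimate"}   # your own key is ultimate
    keys = set(sigs) | set(ownertrust) | {s for ss in sigs.values() for s in ss}
    validity = {k: "-" for k in keys}
    validity[own_key] = "f"          # valid by definition, depth 0
    introducers = {own_key}          # valid keys whose ownertrust makes sigs count

    for _depth in range(1, max_cert_depth + 1):   # each round is one cert step
        changed = False
        for key, signers in sigs.items():
            if validity[key] == "f":
                continue
            completes = sum(1 for s in signers if s in introducers
                            and ownertrust.get(s) in FULL_INTRODUCER)
            marginals = sum(1 for s in signers if s in introducers
                            and ownertrust.get(s) in MARGINAL_INTRODUCER)
            if completes >= completes_needed or marginals >= marginals_needed:
                new = "f"
            elif completes or marginals:
                new = "m"           # some trusted signatures, not enough
            else:
                continue
            if new != validity[key]:
                validity[key] = new
                changed = True
        # Newly valid keys introduce others only if the user gave them ownertrust.
        introducers = {k for k, v in validity.items() if v == "f"
                       and ownertrust.get(k) in FULL_INTRODUCER | MARGINAL_INTRODUCER}
        if not changed:
            break
    return validity


def thread_scenario(b_ownertrust, f_ownertrust="unknown", sign_f_directly=False):
    """Constructed graph from the thread: I signed B, B signed F, F signed G."""
    sigs = {"B": {"me"}, "F": {"B"}, "G": {"F"}}
    if sign_f_directly:
        sigs["F"] = {"B", "me"}
    ownertrust = {"me": "ultimate", "B": b_ownertrust, "F": f_ownertrust}
    return compute_validity("me", sigs, ownertrust)


def marginal_scenario(n_marginal_signers):
    """F is signed by n keys that I signed and gave marginal ownertrust."""
    signers = {f"C{i}" for i in range(n_marginal_signers)}
    sigs = {c: {"me"} for c in signers}
    sigs["F"] = set(signers)
    ownertrust = {"me": "ultimate", **{c: "marginal" for c in signers}}
    return compute_validity("me", sigs, ownertrust)


def chain_scenario(length, max_cert_depth=5):
    """me -> K1 -> K2 -> ... -> K<length>, every key given full ownertrust."""
    names = ["me"] + [f"K{i}" for i in range(1, length + 1)]
    sigs = {names[i]: {names[i - 1]} for i in range(1, len(names))}
    ownertrust = {n: "full" for n in names}
    return compute_validity("me", sigs, ownertrust, max_cert_depth=max_cert_depth)


if __name__ == "__main__":
    print("B signed F, B has no ownertrust   :", thread_scenario("unknown"))
    print("B signed F, B has full ownertrust :", thread_scenario("full"))
    print("I signed F myself                 :", thread_scenario("unknown", sign_f_directly=True))
    print("F trusted but not valid           :", thread_scenario("unknown", f_ownertrust="full"))
    print("three marginal introducers        :", marginal_scenario(3))
    print("two marginal introducers          :", marginal_scenario(2))
    print("chain of 6 with max-cert-depth 5  :", chain_scenario(6))
```

The runs show the two points made above: B's signature on F makes F valid only once you have given B ownertrust, and F being valid says nothing about F as an introducer; G stays unknown until you set ownertrust on F yourself. Ownertrust set on a key that is not itself valid has no effect, and the chain case shows max-cert-depth cutting off long paths.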