How trust works in gpg...

David Shaw dshaw at jabberwocky.com
Mon May 5 15:06:02 CEST 2008


On May 5, 2008, at 6:46 AM, Faramir wrote:

>> David Shaw wrote:
>> .....
>> If someone wants to sign your key, you then end up with:
>>
>>  KEY + UID + SELFSIG + SIG
>>
>> So SELFSIG is you saying "I bind this KEY and UID together", and SIG
>> is the other person saying "Me too".
>>
>> If you add another UID at this point, you have:
>>
>>  KEY + UID + SELFSIG + SIG + UID + SELFSIG
>>
>> Now, note that the other person hasn't made any statement about
>> whether the second UID is valid.  YOU have, but then, it's your key:
>> you can make any statement you like.  It only becomes believable when
>> someone else adds their "me too".
>>
> I was reading this message again, and I'd like to know: is there any
> point in signing a key _but not giving it any trusted status_?

Absolutely.  You signing a key means that you believe the key to belong
to who it claims to belong to.  You are certifying the mapping between
person (or auto-signing robot, or...) and the key.  Giving trusted
status to the key means that you trust that person/robot/etc to sign
other keys.

You signing a key makes that key "valid" in GPG.
You signing a key and assigning trust to it makes other keys *they*
sign (potentially) valid.

David
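The distinction David draws (a signature makes a key valid; ownertrust makes the keys *that* key signs valid), as an added example that is not part of the thread and is not GnuPG's code: a small Python model of GnuPG's classic trust model run over the exact situation quoted above. The key names, user IDs and e-mail addresses are constructed; GnuPG's defaults for completes-needed (1), marginals-needed (3) and max-cert-depth (5) are assumed; expiry, revocation, trust signatures and the newer pgp/tofu trust models are ignored.

```python
"""Toy model of GnuPG's classic trust model: certification versus ownertrust.

Added example for this thread, not GnuPG code.  Key names stand in for
fingerprints; KEY + UID + SELFSIG + SIG is modelled as key -> uid -> {signers},
the self-signature being a certification by the key itself.  Expiry,
revocation and trust signatures are ignored.
"""
from dataclasses import dataclass, field

# Ownertrust levels as named under `gpg --edit-key` / trust.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"
# GnuPG defaults for --completes-needed, --marginals-needed, --max-cert-depth.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5


@dataclass
class Keyring:
    keys: dict = field(default_factory=dict)        # key -> uid -> {signers}
    ownertrust: dict = field(default_factory=dict)  # key -> level (absent = unknown)

    def add_key(self, key, *uids):
        """KEY + UID + SELFSIG: generating a key self-signs each initial UID."""
        self.keys[key] = {uid: {key} for uid in uids}

    def add_uid(self, key, uid):
        """A UID added later carries only a SELFSIG; nobody else has vouched for it."""
        self.keys[key][uid] = {key}

    def certify(self, signer, key, uid):
        """signer adds a SIG: 'I believe this UID and this KEY belong together'."""
        self.keys[key][uid].add(signer)

    def validity(self):
        """Return {key: {uid: validity}} as --check-trustdb would compute it.
        Only fully valid keys are trust sources; each source's SIGs weigh
        'complete' or 'marginal' per its ownertrust; a SELFSIG weighs nothing."""
        result = {k: {u: UNKNOWN for u in uids} for k, uids in self.keys.items()}
        for key in self.keys:  # your own (ultimate) keys are valid by definition
            if self.ownertrust.get(key) == ULTIMATE:
                result[key] = {u: FULL for u in result[key]}
        for _depth in range(MAX_CERT_DEPTH):  # each round can reach one hop further
            changed = False
            sources = {k for k, uids in result.items() if FULL in uids.values()}
            for key, uids in self.keys.items():
                for uid, signers in uids.items():
                    if result[key][uid] == FULL:
                        continue
                    completes = marginals = 0
                    for s in signers:
                        if s == key or s not in sources:
                            continue  # selfsig, or signer not (yet) valid: no weight
                        level = self.ownertrust.get(s, UNKNOWN)
                        completes += level in (FULL, ULTIMATE)
                        marginals += level == MARGINAL
                    if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                        new = FULL
                    elif completes or marginals:
                        new = MARGINAL
                    else:
                        new = UNKNOWN
                    if new != result[key][uid]:
                        result[key][uid], changed = new, True
            if not changed:
                break
        return result


def thread_scenario():
    """The thread's situation with constructed names: 'me' signs Bob's first UID,
    Bob adds a second UID, Bob signs Carol.  Returns validities before and
    after 'me' gives Bob full ownertrust."""
    kr = Keyring()
    kr.add_key("me", "Me <me@example.org>")
    kr.ownertrust["me"] = ULTIMATE
    kr.add_key("bob", "Bob <bob@example.org>")
    kr.certify("me", "bob", "Bob <bob@example.org>")  # KEY + UID + SELFSIG + SIG
    kr.add_uid("bob", "Bob <bob@work.example>")        # ... + UID + SELFSIG only
    kr.add_key("carol", "Carol <carol@example.org>")
    kr.certify("bob", "carol", "Carol <carol@example.org>")
    before = kr.validity()
    kr.ownertrust["bob"] = FULL  # trust Bob's certifications of *other* keys
    after = kr.validity()
    return before, after


def marginal_scenario():
    """Three marginally trusted signers are needed (marginals-needed = 3).
    Returns Carol's validity with two such SIGs, then with three."""
    kr = Keyring()
    kr.add_key("me", "Me <me@example.org>")
    kr.ownertrust["me"] = ULTIMATE
    for who in ("bob", "dave", "erin"):
        kr.add_key(who, who)
        kr.certify("me", who, who)      # each is fully valid ...
        kr.ownertrust[who] = MARGINAL   # ... but only marginally trusted
    kr.add_key("carol", "carol")
    kr.certify("bob", "carol", "carol")
    kr.certify("dave", "carol", "carol")
    two = kr.validity()["carol"]["carol"]
    kr.certify("erin", "carol", "carol")
    three = kr.validity()["carol"]["carol"]
    return two, three


if __name__ == "__main__":
    before, after = thread_scenario()
    print("before ownertrust:", before["bob"], before["carol"])
    print("after ownertrust: ", after["bob"], after["carol"])
    print("marginal signers 2 -> %s, 3 -> %s" % marginal_scenario())
```

Run with a real keyring, the same two facts show up in the validity column of `gpg --list-keys` after `gpg --check-trustdb`: Bob's second UID stays unknown even though his first one is full, and Carol only becomes valid once you set Bob's ownertrust via `gpg --edit-key` and its `trust` command. This model is the classic model; GnuPG's default pgp model adds trust signatures on top, which the block does not implement.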
