Need help understanding the difference between assigning owner trust and key validity.
Joseph Oreste Bruni
jbruni at me.com
Sat Jun 13 08:55:05 CEST 2009
On Jun 12, 2009, at 11:24 PM, Steven W. Orr wrote:
> There's a PGP concept that I'm not comfortable with. It has to do with the difference between owner trust and key validity. And I say comfortable, not because I don't like it or that I don't think it doesn't work; I just don't feel like I understand it well enough to be doing it right.
>
> When I got your key, AND I know it came from you, then I set your key in my ring with owner trust of "trusted". But I didn't set the key validity. My understanding is that if I set your key validity then I'm signing my public key with your public key. (Someone please correct me if I'm way off.)
The difference between key validity and owner trust is in the object
of the trust.
If you trust the key, in that you have verified that the user ID
contained on the key does indeed belong to its holder, you indicate
your trust in the key by signing the key. Since your key is explicitly
set to ultimate owner trust, you will automatically consider any key
signed by you to be valid.
Owner trust is how you express confidence in the owner of the key to
validate other people's keys. If a key belongs to a person who is
sloppy about signing other keys, you would assign them a low owner
trust (or even none). On the other hand, if you know that someone is
very diligent about vetting keys, you could assign them a high owner
trust.
What does this do for you? Mostly, it's a time saver for yourself. If
you receive 100 keys from various individuals, you could be diligent
in verifying each and every one of them before you sign those keys.
Once you sign a key, it is considered valid.
Otherwise, say 90% of those keys were already signed by someone you
know is diligent about verifying keys. If you assigned that person a
high owner trust, those 90 keys would be automatically considered
valid by you, and you'd only need to verify the remaining 10.
A marginal owner trust is for people that might do a good job of
verifying a key's UID, in which case you would consider valid any key
signed by three such individuals.
There are two types of signatures at this point: local and exportable.
If your signature on the key is local only, then your signature on the
key will not be exported should you choose to export the key to
another location (e.g. a keyserver). If your signature is exportable,
your signature will be appended to the key when you send that key
onward. If other people trust you to validate UIDs by assigning a
high owner trust to your key, they will automatically consider valid
any such keys signed by your key.
In the X.509 certificate model, high owner trust is granted by you
implicitly when you hold a certificate authority's root certificate.
Any certificate signed by the chain of CAs that terminate at a
trusted root certificate is automatically trusted (valid).
Joe
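The validity rule Joe describes (one fully trusted signer, or three marginal ones, and validity spreading outward from your own ultimately trusted key) as a small simulation. This is added example code, not part of the list post or of GnuPG; it assumes GnuPG's classic-model defaults (completes-needed=1, marginals-needed=3, max-cert-depth=5) and uses a constructed keyring with made-up key IDs.

```python
from enum import IntEnum

class OwnerTrust(IntEnum):
    UNKNOWN = 0
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4

# GnuPG defaults for the classic trust model (assumption: left unchanged).
COMPLETES_NEEDED = 1   # one fully trusted signer makes a key valid
MARGINALS_NEEDED = 3   # or three marginally trusted signers
MAX_CERT_DEPTH = 5     # longest signer chain that still counts

def compute_validity(ownertrust, signatures):
    """Return the set of valid key IDs.
    ownertrust: {key_id: OwnerTrust} (set with --edit-key / trust);
    signatures: {signed_key: {signer, ...}}. A signer's trust only counts once
    its own key is valid, so validity spreads from the ultimate key outward."""
    valid = {k for k, t in ownertrust.items() if t == OwnerTrust.ULTIMATE}
    for _ in range(MAX_CERT_DEPTH):
        reached = set(valid)
        for key, signers in signatures.items():
            if key in reached:
                continue
            trust = [ownertrust.get(s, OwnerTrust.UNKNOWN) for s in signers if s in valid]
            full = sum(t >= OwnerTrust.FULL for t in trust)
            marginal = sum(t == OwnerTrust.MARGINAL for t in trust)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                reached.add(key)
        if reached == valid:
            break
        valid = reached
    return valid

def example_keyring():
    """Constructed keyring mirroring the cases in the post (not real keys)."""
    ownertrust = {
        "me": OwnerTrust.ULTIMATE,
        "alice": OwnerTrust.FULL,    # diligent: her signature alone suffices
        "dave": OwnerTrust.FULL,     # trusted, but nobody has verified dave's key
        "f": OwnerTrust.MARGINAL, "g": OwnerTrust.MARGINAL, "h": OwnerTrust.MARGINAL,
    }
    signatures = {
        "alice": {"me"}, "f": {"me"}, "g": {"me"}, "h": {"me"},
        "bob": {"alice"},        # valid: one fully trusted, valid signer
        "carol": {"dave"},       # not valid: dave's key is not valid, so his trust is inert
        "eve": {"f", "g", "h"},  # valid: three marginal signers
        "ian": {"f", "g"},       # not valid: only two marginals
    }
    return ownertrust, signatures
```

Note the "carol" case: assigning dave high owner trust does nothing until dave's own key has been validated (for example by your signature on it), which is the distinction the post is drawing.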