How to check the trust level

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Nov 21 23:47:13 CET 2009


On 11/21/2009 01:48 PM, ratzip wrote:
> If someone has signed my key and set the trust level
> on my key, how could I check the trust level he set?
> Which commands should I use?

For the typical way that GPG manages ownertrust, that information is not
published (or publishable) at all.

In the unlikely event that your contact has made a Trust Signature
(tsig) [0] (and did not mark it as non-exportable) then the signature
could be found on public keyservers, and viewed in gpg with gpg
--list-sigs.  A trust signature will have a number immediately to the
left of the key ID indicating the depth of the indicated trust.  If your
key is DEADBEEF, and the other person is DECAFBAD, and they indicated a
depth=1 trustsig it would look like this:

test at foo:~ $ gpg --list-keys DEADBEEF
pub   4096R/DEADBEEF 2008-06-02 [expires: 2012-06-02]
sig 3        DEADBEEF 2008-06-02  Me Me Me! <me at example.com>
sig        1 DECAFBAD 2009-02-20  That other guy <otherguy at example.net>

Note that the column with the "3" in it shows the strength of the
certification, as David Shaw mentioned -- your self-signature is
normally certified strongly, as in "I have done very careful checking".

The column with the "1" in it is the trust depth.  In this case, it says
"I believe in the certifications made by this key, but I'm not willing
to accept tsigs made by this keyholder."

If you want even more details about the trust sig, you could feed your
key through "gpg --list-packets" like this:

 gpg --export DEADBEEF | gpg --list-packets

You should be aware that very few people use trust signatures to
indicate ownertrust with gpg.  Most people use the privately-held,
simpler trust designation.

Also, using a trustsig leaks additional information to the general
public that simple certification does not include.  Namely, it indicates
a statement of belief in someone's ability to make proper certifications
(and avoid improper ones), in addition to a statement of belief that the
identity of the keyholder is correctly stated.

	--dkg

PS this entire message refers to ownertrust.  As David Shaw has already
mentioned, this concept is entirely different from the concept of
calculated validity, or strength of identity certification.

[0] http://tools.ietf.org/html/rfc4880#section-5.2.3.13
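The following is an added example (not part of dkg's message and not GnuPG's own code) that does two things the message describes by hand: it pulls the certification class and the trust depth out of the human-readable `gpg --list-sigs` layout quoted above, and it decodes a Trust Signature subpacket (type 5, RFC 4880 section 5.2.3.13, cited as [0]) from a hashed-subpacket area of the kind `gpg --list-packets` prints. The listing text and the subpacket bytes are constructed samples modelled on the post; the key IDs DEADBEEF and DECAFBAD are the placeholders dkg used, not real keys. The subpacket length encoding follows RFC 4880 section 5.2.3.1.

```python
"""Read trust-signature details from gpg listings and raw subpackets (added example)."""
import struct

# Constructed sample modelled on the listing in the post (not real gpg output).
SAMPLE_LISTING = """\
pub   4096R/DEADBEEF 2008-06-02 [expires: 2012-06-02]
sig 3        DEADBEEF 2008-06-02  Me Me Me! <me at example.com>
sig        1 DECAFBAD 2009-02-20  That other guy <otherguy at example.net>
"""


def parse_sig_line(line):
    """Split one 'sig' line into cert class, flags, trust depth, key ID, date, UID.

    Column 5 (index 4) holds the certification class 1-3 when gpg knows it;
    single-letter flags such as L (local) may follow; a bare number right
    before the key ID is the trust depth of a trust signature.
    """
    if not line.startswith("sig"):
        return None
    cert_level = int(line[4]) if len(line) > 4 and line[4] in "123" else None
    rest = line[5:].split()
    flags = []
    while rest and len(rest[0]) == 1 and rest[0].isalpha():
        flags.append(rest.pop(0))
    trust_depth = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    keyid, date = rest.pop(0), rest.pop(0)
    return {"cert_level": cert_level, "flags": flags, "trust_depth": trust_depth,
            "keyid": keyid, "date": date, "uid": " ".join(rest)}


def parse_listing(text):
    """Return parsed records for every 'sig' line in a --list-sigs listing."""
    return [r for r in (parse_sig_line(l) for l in text.splitlines()) if r]


# Constructed hashed-subpacket area: creation time (type 2), trust signature
# (type 5, level 1, amount 120), issuer key ID (type 16, placeholder value).
SAMPLE_HASHED_SUBPACKETS = (
    b"\x05\x02" + struct.pack(">I", 1234567890)
    + b"\x03\x05\x01\x78"
    + b"\x09\x10" + bytes.fromhex("00000000DECAFBAD")
)


def parse_subpackets(data):
    """Decode an OpenPGP subpacket area into (type, critical, payload) tuples."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        i += 1
        if first < 192:                       # one-octet length
            length = first
        elif first < 255:                     # two-octet length
            length = ((first - 192) << 8) + data[i] + 192
            i += 1
        else:                                 # five-octet length
            length = int.from_bytes(data[i:i + 4], "big")
            i += 4
        body = data[i:i + length]
        i += length
        if len(body) != length or not body:
            raise ValueError("truncated subpacket")
        out.append((body[0] & 0x7F, bool(body[0] & 0x80), body[1:]))
    return out


def trust_signature(subpackets):
    """Return {'level', 'amount'} from a type-5 subpacket, or None if absent."""
    for ptype, _critical, payload in subpackets:
        if ptype == 5 and len(payload) == 2:
            return {"level": payload[0], "amount": payload[1]}
    return None


def describe_trust(level, amount):
    """Plain-language reading of a trust signature, matching the post's example."""
    strength = {120: "full", 60: "marginal"}.get(amount, f"amount {amount}")
    if level == 0:
        return f"ordinary certification ({strength})"
    if level == 1:
        return (f"{strength}: this key's certifications count, "
                "its trust signatures do not")
    return f"{strength}: meta-introducer, tsigs honoured to depth {level}"


if __name__ == "__main__":
    for rec in parse_listing(SAMPLE_LISTING):
        print(rec)
    tsig = trust_signature(parse_subpackets(SAMPLE_HASHED_SUBPACKETS))
    print(tsig, describe_trust(tsig["level"], tsig["amount"]))
```

Nothing here changes the point of the message: a level-1, amount-120 trust signature is the only case where the other party's ownertrust statement becomes visible to you at all, and only if they exported it. The ordinary ownertrust that most people set stays in their private trustdb and never appears in either listing.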
