WoT question - policy

Wiktor Kwapisiewicz wiktor at metacode.biz
Fri Nov 16 10:32:36 CET 2018


On 16.11.2018 00:40, Dirk Gottschalk via Gnupg-users wrote:
> There's documentation about the trustdb. I read it a while ago, but not
> entirely. You can also set the amount of needed signatures for the
> trust calculations and so on. Then comes the trust deepness into play.
> I also have to read further because I want to "abuse" GnuPG for an
> email controlled bot system inside a bigger company as part of the
> security concept. The commands shall be encrypted and signed and some
> function should be usable by "unknown" users with the needed trust
> level and so on.

For people interested, these two articles by Konstantin Ryabitsev go into detail
on how things are calculated:

https://www.linux.com/learn/pgp-web-trust-core-concepts-behind-trusted-communication

https://www.linuxfoundation.org/blog/2014/02/pgp-web-of-trust-delegated-trust-and-keyservers/

It may be initially hard to digest, but the amount of knowledge these articles
are packed with is unparalleled, and actually there are no other resources on this
subject I could find (the GnuPG manual has a description, but IMHO Konstantin's is
more clear).

As for the sigs, sig1 are ignored in GnuPG by default, everything else has the
same value. So if Stefan's friends trust his key fully, all keys he's signed
will be equally valid.

On the other matter I doubt anyone would have a serious problem by signing
someone else's key regardless of circumstances. Signing documents, maybe, as
that would qualify as an Advanced Electronic Signature but signing (certifying)
keys? They are technically similar but that's all.

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor
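
Added example (not part of the original message and not GnuPG's own code): a simplified Python model of the classic trust calculation, showing the point above that sig1 certifications are dropped by default while all other levels count equally. The key names and sample certifications are constructed, the function name `key_validity` is hypothetical, and the constants are GnuPG's documented option defaults.

```python
# Simplified model of GnuPG's classic trust calculation (added example, not GnuPG code).
MIN_CERT_LEVEL = 2     # default of gpg --min-cert-level: sig1 is disregarded
COMPLETES_NEEDED = 1   # default of gpg --completes-needed
MARGINALS_NEEDED = 3   # default of gpg --marginals-needed
MAX_CERT_DEPTH = 5     # default of gpg --max-cert-depth


def key_validity(own_key, ownertrust, certs, min_cert_level=MIN_CERT_LEVEL):
    """Return {key: 'full' | 'marginal'} for keys reachable from own_key.

    ownertrust maps a key to 'full' or 'marginal'; certs is a list of
    (signer, signee, level) with level 0..3 as in sig0..sig3.
    """
    valid = {own_key: "full"}
    for _ in range(MAX_CERT_DEPTH):
        introducers = {}
        for signer, signee, level in certs:
            # Only fully valid keys with assigned ownertrust act as introducers.
            if signee == own_key or valid.get(signer) != "full":
                continue
            # Level 0 is always accepted; other levels must reach the minimum.
            if level != 0 and level < min_cert_level:
                continue
            trust = "ultimate" if signer == own_key else ownertrust.get(signer)
            if trust:
                introducers.setdefault(signee, {})[signer] = trust
        changed = False
        for signee, sigs in introducers.items():
            trusts = list(sigs.values())
            if ("ultimate" in trusts
                    or trusts.count("full") >= COMPLETES_NEEDED
                    or trusts.count("marginal") >= MARGINALS_NEEDED):
                new = "full"
            else:
                new = "marginal"
            if valid.get(signee) not in ("full", new):
                valid[signee] = new
                changed = True
        if not changed:
            break
    return valid


# Constructed sample: I certified Stefan's key and gave it full ownertrust.
OWNERTRUST = {"stefan": "full"}
CERTS = [("me", "stefan", 3), ("stefan", "alice", 3), ("stefan", "bob", 2),
         ("stefan", "carol", 0), ("stefan", "dave", 1)]

if __name__ == "__main__":
    print(key_validity("me", OWNERTRUST, CERTS))
    print(key_validity("me", OWNERTRUST, CERTS, min_cert_level=1))
```

With the defaults, the keys Stefan certified at sig0, sig2 and sig3 all come out fully valid and the sig1-certified key gets no validity; lowering the minimum level to 1 makes it count like the others.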


