Levels of validation

Ingo Klöcker kloecker at kde.org
Sun Jan 2 19:45:27 CET 2022


On Sunday, 2 January 2022 16:45:47 CET Christoph Klassen via Gnupg-users wrote:
> On 02.01.22 15:05, Klaus Ethgen wrote:
> > Yes. But it depends on your trust-model setting (see man page).
> 
> Okay, I will read it. Sounds interesting because developers could decide
> to display the level of validation in their application, but if users
> change the settings, this could stop working.

Developers should always use gpg (e.g. via gpgme) to calculate the level of 
validation.

> > The trust "ultimate" should only be set on your very own keys! You
> > never use that setting for anything else.
> 
> I already thought that I shouldn't do this. But, wouldn't it be the same
> as when I sign a key? In the end both ways show that I trust the key and
> if I sign a key I do trust it ultimately.

Please be very careful to differentiate between owner trust and (level of) 
validity. Unfortunately, very often people shorten both to "trust".

First, you don't trust keys, just as you don't trust ID cards. You trust 
(or don't trust) the "owner" of a key to do a proper job when they sign other 
keys, just as you trust or don't trust the issuers of ID cards to do a proper 
job when they certify the identity of the ID card holder.

Now let's look at your above statement.
> But, wouldn't it be the same
> as when I sign a key? In the end both ways show that I trust the key and
> if I sign a key I do trust it ultimately.

No, it wouldn't be the same. Let's assume you have only two keys A and B in 
your key ring that are not your own keys. Let's further assume that key B is 
signed with key A. (And let's assume the default trust model is used by gpg.)

If you sign key A, then key A will be considered valid by gpg but key B will 
not be considered valid by gpg (unless you also signed key B).

If you set the owner trust of key A to "ultimate", then key A will be 
considered valid by gpg (because ultimate owner trust implies full validity) 
and key B will also be considered valid by gpg (because it has been signed 
with a key whose owner you assigned ultimate trust).

Now, if you sign key A and set the owner trust of key A to "full", then key A 
and key B will be considered valid by gpg.

With regard to the validity of the two keys A and B, the results of the last two 
cases are the same. But the semantics of key signatures and owner trust are 
completely different.

You can share key signatures with other people (by exporting the public key 
including your signatures), but you usually don't share the owner trust you 
have assigned to keys with other people. The reason is simple: People may 
trust you to do a proper job certifying keys you sign (e.g. by verifying the 
identity of the owners of keys), so that they may tell their gpg to trust your 
signatures. But people will most likely have a very different idea about whom 
they trust.

Regards,
Ingo
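Added example (not from Ingo's message and not GnuPG's own code): a small Python model of the owner-trust versus validity rules the message describes, using the default thresholds of gpg's "pgp" trust model (completes-needed 1, marginals-needed 3, max-cert-depth 5, assumed here rather than read from gpg). It reproduces the three A/B cases above and goes beyond them with two cases the message only implies: owner trust assigned to a key you never certified has no effect, and marginally trusted introducers add up to full validity only once three of them certify a key. The key names "me", "A", "B", "S0".."S2" and "T" are made up. As the message advises, an application should still ask gpg (e.g. via gpgme) for validity rather than compute it itself; this model is for understanding the semantics only.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Owner-trust levels, in gpg's terms: what YOU assert about how carefully a
# key's owner certifies other keys. Validity is the separate quantity that
# Keyring.validity() derives from owner trust plus certifications; gpg happens
# to use the same words ("marginal", "full") for both, which is why they are
# so often confused.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

# Default thresholds of gpg's "pgp" trust model (assumed here, not read from gpg).
COMPLETES_NEEDED = 1   # one fully trusted, valid signer suffices ...
MARGINALS_NEEDED = 3   # ... or three marginally trusted, valid signers
MAX_CERT_DEPTH = 5     # certification hops from an ultimately trusted key that count


@dataclass
class Keyring:
    # key name -> owner trust you assigned (absent means "unknown")
    ownertrust: dict[str, str] = field(default_factory=dict)
    # key name -> set of signers whose certification (key signature) it carries
    certs: dict[str, set[str]] = field(default_factory=dict)

    def sign(self, target: str, signer: str) -> None:
        """Record that `signer` certified (signed) `target`; this is exportable."""
        self.certs.setdefault(target, set()).add(signer)
        self.certs.setdefault(signer, set())

    def set_ownertrust(self, key: str, level: str) -> None:
        """Assign owner trust; this is local to you and is normally not shared."""
        self.ownertrust[key] = level
        self.certs.setdefault(key, set())

    def validity(self) -> dict[str, str]:
        """Compute each key's validity (simplified model of the pgp trust model).

        * An ultimately trusted key is fully valid by definition.
        * Only a FULLY VALID signer's owner trust is used, so owner trust on a
          key that nobody trusted has certified does nothing.
        * A key is fully valid with COMPLETES_NEEDED full/ultimate signers or
          MARGINALS_NEEDED marginal signers; with fewer (but at least one)
          marginal signers it is only marginally valid.
        """
        valid = {k: UNKNOWN for k in self.certs}
        for k, level in self.ownertrust.items():
            if level == ULTIMATE:
                valid[k] = FULL
        for _depth in range(MAX_CERT_DEPTH):
            snapshot = dict(valid)          # signers that were valid before this hop
            changed = False
            for key, signers in self.certs.items():
                if valid[key] == FULL:
                    continue
                completes = marginals = 0
                for signer in signers:
                    if snapshot.get(signer) != FULL:
                        continue            # an unvalidated key introduces nobody
                    ot = self.ownertrust.get(signer, UNKNOWN)
                    if ot in (FULL, ULTIMATE):
                        completes += 1
                    elif ot == MARGINAL:
                        marginals += 1
                new = valid[key]
                if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                    new = FULL
                elif marginals >= 1:
                    new = MARGINAL
                if new != valid[key]:
                    valid[key], changed = new, True
            if not changed:
                break
        return valid


def scenario(sign_a: bool, ownertrust_a: str) -> dict[str, str]:
    """The post's setup: your own key "me" (ultimate), keys A and B, B signed by A."""
    kr = Keyring()
    kr.set_ownertrust("me", ULTIMATE)
    kr.sign("B", signer="A")
    if sign_a:
        kr.sign("A", signer="me")        # you certify A with your own key
    kr.set_ownertrust("A", ownertrust_a)
    v = kr.validity()
    return {"A": v["A"], "B": v["B"]}


def marginal_introducers(n: int) -> str:
    """Beyond the post: key T certified by n marginally trusted keys you certified."""
    kr = Keyring()
    kr.set_ownertrust("me", ULTIMATE)
    kr.certs.setdefault("T", set())
    for i in range(n):
        s = f"S{i}"
        kr.sign(s, signer="me")          # you verified S_i yourself ...
        kr.set_ownertrust(s, MARGINAL)   # ... and trust its owner marginally
        kr.sign("T", signer=s)
    return kr.validity()["T"]


if __name__ == "__main__":
    print("sign A only:               ", scenario(True, UNKNOWN))
    print("owner trust A = ultimate:  ", scenario(False, ULTIMATE))
    print("sign A + owner trust full: ", scenario(True, FULL))
    print("owner trust full, unsigned:", scenario(False, FULL))
    print("T via 2 / 3 marginals:     ", marginal_introducers(2), marginal_introducers(3))
```

The fourth case is the one that trips people up in practice: `gpg --edit-key A` followed by `trust` on a key you never certified changes nothing about A's or B's validity (only "ultimate" is self-validating), which is exactly why owner trust and a key signature are not interchangeable.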