Effects of --default-cert-level

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Oct 13 19:13:33 CEST 2025


On Mon 2025-10-13 10:51:40 +0100, Daniel Cerqueira wrote:
> Werner Koch <wk at gnupg.org> writes:
>> On Fri, 10 Oct 2025 23:51, Daniel Cerqueira said:
>>
>>> I am studying GnuPG, and I would like to know what are the effects of
>>> using '--default-cert-level', besides it adding a number information in
>>> the output of '--check-sigs' ?  Are there some (other) effects?
>>
>> Key signatures have different classes: 0x10 to 0x13 which correspond
>> with the cert levels.  If you create a self-signature (e.g. new
>> user-id) level 3 is used.  In all other cases level 0 is used by
>> default or whatever you set with --default-cert-level.
>>
>> When evaluating the validity of a key (building the trustdb) by default
>> only key signatures of level 0, 2, and 3 are considered.  This can be
>> changed with --min-cert-level.
>
> Thank you for the reply.  I guess that information is enough.

Some of the regular readers of this list (including myself) think that
the cert-level features in gpg (and the certification levels in the
underlying standard, OpenPGP) are misfeatures.  Leaving things as the
default is the most reasonable way to go:

   https://dkg.fifthhorseman.net/blog/gpg-ask-cert-level-considered-harmful.html

Regards,

        --dkg
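Werner's description above (signature classes 0x10 to 0x13 mapping to cert levels, with --min-cert-level deciding which ones the trustdb build considers), as an added example that is not code from this thread or from GnuPG: a small Python parser over constructed signature packets. It assumes RFC 4880 new-format packet headers and v4 signature bodies; the sample stream is constructed, not captured from a real keyring.

```python
# Added example, not from the thread: decode the certification class
# (0x10..0x13) of OpenPGP signature packets and apply gpg's default
# --min-cert-level rule (level 0 always counts; level 1 is skipped by default).

CERT_CLASSES = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}  # sig type -> cert level
DEFAULT_MIN_CERT_LEVEL = 2  # gpg's documented default for --min-cert-level

def read_packet(buf, pos=0):
    """Parse one new-format OpenPGP packet header at buf[pos]; return (tag, body, next)."""
    ctb = buf[pos]
    if ctb & 0xC0 != 0xC0:
        raise ValueError("only new-format packet headers handled here")
    tag, first = ctb & 0x3F, buf[pos + 1]
    if first < 192:                       # one-octet length
        length, hdr = first, 2
    elif first < 224:                     # two-octet length
        length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
    else:
        raise ValueError("five-octet and partial lengths not handled here")
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def cert_level(body):
    """Cert level of a v4 signature body, or None if it is not a certification."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    return CERT_CLASSES.get(body[1])

def considered(level, min_cert_level=DEFAULT_MIN_CERT_LEVEL):
    """gpg's trustdb rule: level 0 is always used; others need level >= min."""
    return level == 0 or level >= min_cert_level

def classify_stream(buf, min_cert_level=DEFAULT_MIN_CERT_LEVEL):
    """Return [(level, considered)] for every certification in a packet stream."""
    pos, out = 0, []
    while pos < len(buf):
        tag, body, pos = read_packet(buf, pos)
        if tag == 2:                      # signature packet
            lvl = cert_level(body)
            if lvl is not None:
                out.append((lvl, considered(lvl, min_cert_level)))
    return out

def sig_packet(sig_type):
    """Constructed minimal v4 signature: version, type, EdDSA(22), SHA-256(8),
    empty hashed/unhashed subpacket areas, 2-byte hash prefix, no MPIs."""
    body = bytes([4, sig_type, 22, 8, 0, 0, 0, 0, 0xAB, 0xCD])
    return bytes([0xC2, len(body)]) + body   # 0xC2 = new format, tag 2

# Constructed stream: one certification per class, as if four signers had
# used --default-cert-level 0, 1, 2 and 3 respectively.
SAMPLE_STREAM = b"".join(sig_packet(t) for t in (0x10, 0x11, 0x12, 0x13))
```

With the defaults, `classify_stream(SAMPLE_STREAM)` marks the level-1 (persona) certification as not considered, matching Werner's "only level 0, 2, and 3" statement; passing `min_cert_level=1` brings it back in.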