Effects of --default-cert-level

Daniel Cerqueira dan.git at lispclub.com
Mon Oct 13 21:03:55 CEST 2025


Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> On Mon 2025-10-13 10:51:40 +0100, Daniel Cerqueira wrote:
>> Werner Koch <wk at gnupg.org> writes:
>>> On Fri, 10 Oct 2025 23:51, Daniel Cerqueira said:
>>>
>>>> I am studying GnuPG, and I would like to know what the effects of
>>>> using '--default-cert-level' are, besides it adding a number to the
>>>> output of '--check-sigs'?  Are there some (other) effects?
>>>
>>> Key signatures have different classes: 0x10 to 0x13 which correspond
>>> with the cert levels.  If you create a self-signature (e.g. new
>>> user-id) level 3 is used.  In all other cases level 0 is used by
>>> default or whatever you set with --default-cert-level.
>>>
>>> When evaluating the validity of a key (building the trustdb) by default
>>> only key signatures of level 0, 2, and 3 are considered.  This can be
>>> changed with --min-cert-level.
>>
>> Thank you for the reply.  I guess that information is enough.
>
> Some of the regular readers of this list (including myself) think that
> the cert-level features in gpg (and the certification levels in the
> underlying standard, OpenPGP) are misfeatures.  Leaving things as the
> default is the most reasonable way to go:
>
>    https://dkg.fifthhorseman.net/blog/gpg-ask-cert-level-considered-harmful.html
>
> Regards,

Hi, Daniel!

First, I want to thank you for the link to your webpage.

Second, I will be expressing my opinion about this issue.  It is *my
personal* opinion.  I am not trying to make you, or anyone else, adopt
this same opinion.

Reading the webpage at the URL above, I could only find one thing that
stuck with me.  It was the argument that using --default-cert-level may
reveal my social graph (to big brother agent smith).

Later, I came to the conclusion that this is not a valid argument.

GnuPG states that the certification levels are from "no opinion", to
"persona", to "casual", to "extensive".  These words are very ambiguous,
evoking a personal (relative) standpoint.  Not an absolute way of
evaluating.  A "casual" certification level to me, may be different from
a "casual" certification level in another person's mind.  Which means that
it does not reveal the people that I like, and does not reveal my social
graph, at all.

It just reveals how accurate I am assuring some key's information is.

I also want to add, that I love the way that GnuPG separated the
certification level into 4 levels.  "No opinion" level means silence.
"Persona" means negative.  "Casual" means neutral.  "Extensive" means
positive.  To me, these levels perfectly reveal real-world concepts.
GnuPG just uses the specific words, in the scope of certifying keys,
taking these real-world concepts as the deeper framework.

Cheers for Freedom,



CONFIDENTIALITY WARNING The information transmitted in this message is
for the exclusive use of the person or entity to which it is addressed
and might contain privileged and or confidential information.  If you
are not the intended recipient of this message, you are prohibited
from printing, duplicating, disseminating or otherwise using or acting
in reliance upon this information.  If you have received this message
in error, please notify the sender immediately, delete this
information from your computer and destroy all copies.

GDPR SECURITY I use end-to-end encryption on my communications by
emails.  You should too!  Ask me "How can I also end-to-end cipher my
communications by email?", and I'll share how.

-- 
The pioneers of a warless world are the youth that
refuse military service. ~ Albert Einstein
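Werner's quoted explanation above (classes 0x10 to 0x13 map to cert levels 0 to 3; by default only levels 0, 2 and 3 count when building the trustdb; --min-cert-level changes that) is easier to see with code. The following is an added example written for this page, not GnuPG's own code. It assumes colon-separated records constructed to mimic `gpg --list-sigs --with-colons`, where field 11 of a `sig` record holds the two-hex-digit signature class followed by `x` (exportable) or `l` (local-only), and it encodes the consideration rule as gpg documents it for --min-cert-level: the default minimum is 2, and level 0 ("no opinion") signatures are always accepted, which is exactly why levels 0, 2 and 3 survive the default filter while level 1 ("persona") does not.

```python
#!/usr/bin/env python3
"""Added example (not GnuPG code): map OpenPGP certification signature
classes 0x10..0x13 to gpg cert levels, and decide which key signatures
a --min-cert-level setting lets the trustdb consider.

Assumptions: SAMPLE_LISTING is constructed to mimic `gpg --list-sigs
--with-colons` (field 11 of a `sig` record = signature class such as
'13x' or '11l'); is_considered() follows gpg's documented rule that the
default minimum is 2 and level 0 is always accepted."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Names gpg shows when it asks how carefully a key was checked.
LEVEL_NAMES = {0: "no opinion", 1: "persona", 2: "casual", 3: "extensive"}
CERT_CLASS_BASE = 0x10  # class 0x10 == level 0 ... class 0x13 == level 3
DEFAULT_MIN_CERT_LEVEL = 2  # gpg's default for --min-cert-level

# Constructed sample listing (keyids and user ids are made up).
# Alice self-signs (level 3), the others certify her key at levels 0..3;
# the last record is a non-certification class and must be ignored.
SAMPLE_LISTING = """\
pub:u:255:22:1111222233334444:1700000000:::u:::scESC:
uid:u::::1700000000::DEADBEEF::Alice Example <alice@example.org>:
sig::255:22:1111222233334444:1700000000::::Alice Example <alice@example.org>:13x:
sig::255:22:AAAA000000000001:1700000100::::Bob Example <bob@example.org>:10x:
sig::255:22:AAAA000000000002:1700000200::::Carol Example <carol@example.org>:11x:
sig::255:22:AAAA000000000003:1700000300::::Dave Example <dave@example.org>:12x:
sig::255:22:AAAA000000000004:1700000400::::Erin Example <erin@example.org>:13l:
sig::255:22:AAAA000000000005:1700000500::::Frank Example <frank@example.org>:1fx:
"""


@dataclass
class KeySignature:
    signer_keyid: str
    signer_uid: str
    level: int          # 0..3, i.e. signature class minus 0x10
    exportable: bool    # 'x' = exportable, 'l' = local-only (lsign)


def signature_class_for_level(level: int) -> int:
    """Class gpg writes when you certify with --default-cert-level N."""
    if not 0 <= level <= 3:
        raise ValueError(f"cert level must be 0..3, got {level}")
    return CERT_CLASS_BASE + level


def parse_sig_class(field: str) -> Optional[Tuple[int, bool]]:
    """'13x' -> (3, True); '11l' -> (1, False); other classes -> None."""
    if len(field) < 3:
        return None
    sig_class = int(field[:2], 16)
    if not CERT_CLASS_BASE <= sig_class <= CERT_CLASS_BASE + 3:
        return None  # e.g. 0x1F direct-key sig: carries no cert level
    return sig_class - CERT_CLASS_BASE, field[2] == "x"


def parse_key_signatures(listing: str) -> List[KeySignature]:
    """Extract the certification signatures from a colon-format listing."""
    sigs: List[KeySignature] = []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 11 or fields[0] != "sig":
            continue
        parsed = parse_sig_class(fields[10])
        if parsed is None:
            continue
        level, exportable = parsed
        sigs.append(KeySignature(fields[4], fields[9], level, exportable))
    return sigs


def is_considered(level: int, min_cert_level: int = DEFAULT_MIN_CERT_LEVEL) -> bool:
    """Level 0 ('no opinion') always counts; others must reach the minimum.
    With the default of 2 this yields Werner's set {0, 2, 3}."""
    return level == 0 or level >= min_cert_level


def considered_signers(listing: str,
                       min_cert_level: int = DEFAULT_MIN_CERT_LEVEL) -> List[str]:
    """Keyids whose certifications the trustdb would take into account."""
    return [s.signer_keyid for s in parse_key_signatures(listing)
            if is_considered(s.level, min_cert_level)]


if __name__ == "__main__":
    for sig in parse_key_signatures(SAMPLE_LISTING):
        status = "considered" if is_considered(sig.level) else "ignored"
        print(f"{sig.signer_keyid} level {sig.level} ({LEVEL_NAMES[sig.level]})"
              f"{'' if sig.exportable else ' [local]'}: {status}")
```

Running the block lists five certifications and shows only Carol's level 1 ("persona") signature being ignored at the default setting; calling `considered_signers(SAMPLE_LISTING, 3)` drops Dave's "casual" signature as well, while `considered_signers(SAMPLE_LISTING, 1)` keeps all five. The local-only flag is carried through because it changes whether a certification is exported, not whether the local trustdb counts it.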