This is to confirm my understanding of an important aspect of the way GnuPG works:
When you decide whether to trust a signature, there are two questions that must be asked:

a) Does the key used to make this signature really belong to the person named in the certificate's UID?

b) Given that the key is valid, is the person trustworthy?

GnuPG and the web-of-trust concept only manage information related to the first question. GnuPG provides no means of encoding or storing the fact that a person is or is not trustworthy; it merely displays the UID when verifying a signature, and the user is left to decide whether the person should be trusted.

Am I correct in this?

Thanks,
Kerrick Staley

_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
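As an added illustration (not code from the post or from GnuPG itself), here is a toy model of the key-validity calculation in GnuPG's classic web-of-trust model, using constructed, hypothetical key holders. The ownertrust you assign only says how far a holder's certifications count toward the validity of other keys (question a); nothing in the model records whether you trust what a person signs (question b).

```python
"""Toy model of validity in GnuPG's classic trust model (added example).

Defaults mirror gpg's --completes-needed 1, --marginals-needed 3 and
--max-cert-depth 5. Simplification: only fully valid keys act as certifiers.
"""
from typing import Dict, Set, Tuple

COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_validity(certs: Set[Tuple[str, str]],
                     ownertrust: Dict[str, str]) -> Dict[str, str]:
    """Map every key to 'full', 'marginal' or 'unknown' validity.

    certs: (signer, signed) certification pairs.
    ownertrust: key -> 'ultimate' | 'full' | 'marginal' | 'never' | 'unknown'.
    """
    keys = {k for pair in certs for k in pair} | set(ownertrust)
    validity = {k: "unknown" for k in keys}
    for k in keys:
        if ownertrust.get(k) == "ultimate":
            validity[k] = "full"  # your own key is valid by definition
    for _depth in range(MAX_CERT_DEPTH):
        # Snapshot: each round extends the certification path by one step.
        certifiers = {k for k, v in validity.items() if v == "full"}
        for key in keys:
            if validity[key] == "full":
                continue
            completes = marginals = 0
            for signer, signed in certs:
                if signed != key or signer == key or signer not in certifiers:
                    continue
                ot = ownertrust.get(signer, "unknown")
                if ot in ("ultimate", "full"):
                    completes += 1
                elif ot == "marginal":
                    marginals += 1  # 'never'/'unknown' signers count for nothing
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                validity[key] = "full"
            elif completes or marginals:
                validity[key] = "marginal"
    return validity


# Constructed sample web: hypothetical holders, not real keys or people.
OWNERTRUST = {"alice": "ultimate", "bob": "full", "carol": "marginal",
              "dave": "marginal", "erin": "marginal", "mallory": "full"}
CERTS = {("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("alice", "erin"),
         ("bob", "grace"),                                      # one full certifier
         ("carol", "frank"), ("dave", "frank"), ("erin", "frank"),  # three marginals
         ("carol", "heidi"),                                    # one marginal only
         ("mallory", "ivan")}                                   # trusted but not valid
```

Running `compute_validity(CERTS, OWNERTRUST)` rates frank and grace fully valid, heidi marginal, and ivan unknown, because mallory's certification does not count until her own key is valid; none of these values says anything about whether frank's signed statements should be believed.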
