On Tue, 14 Jun 2011 12:16:31 -0500, Kerrick Staley <[email protected]> wrote:
> a) Does the key used to make this signature really belong to the
> person named in the certificate's UID?
> b) Given that the key is valid, is the person trustworthy?
These are the two Big Questions, yes: "do I have the correct certificate?" and, "do I trust the issuer?" You have these two questions correct.

> GnuPG provides no means of encoding or storing the
> fact that a person is or is not trustworthy

Kind of. You can certainly do things with different signature classes to denote distrust, but few people do this. You can also set a certificate's trust to "I do NOT trust," IIRC -- it's been some years since I've needed to do that.

From a pedantic standpoint, GnuPG offers some tools you can use to state "I do not find this certificate issuer trustworthy." From a practical standpoint, those tools are hardly ever used, so you're basically correct.
