On Jun 14, 2011, at 1:16 PM, Kerrick Staley wrote:

> This is to confirm my understanding of an important aspect of the way
> GnuPG works:
> 
> When you decide whether to trust a signature, there are two questions
> that must be asked:
> a) Does the key used to make this signature really belong to the
> person named in the certificate's UID?
> b) Given that the key is valid, is the person trustworthy?
> GnuPG and the web-of-trust concept only manage information related to
> the first question. GnuPG provides no means of encoding or storing the
> fact that a person is or is not trustworthy; it merely displays the
> UID when verifying a signature, and the user is left to decide whether
> the person should be trusted.

Sort of.

For signatures on keys (certifications), when building the web of trust, you 
get to specify a trust value (called "ownertrust") that is fed into the web of 
trust calculations.  This is not "do I trust this keyholder", but rather "do I 
trust this keyholder to make good signatures".  This influences which keys are 
marked as valid in the web of trust ("valid" meaning "we're pretty sure this 
key belongs to the person who it claims to belong to").

For example, a signature from someone who you trust to make good signatures can 
cause the key they sign to be valid, but you might want two signatures from two 
people who you only trust a little bit to make good signatures to make a key 
valid.

For signatures on data, this doesn't directly apply.  A signature from a valid 
key on data is valid.

So the web of trust seeks to give you a), and you have the ability to customize 
the web of trust based on your opinion of how well the keyholders make 
signatures on other keys.

David
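To make the ownertrust/validity split above concrete, here is an added example (not GnuPG's own code, and not part of the thread) that models the web-of-trust validity calculation David describes. The keyring and the key names (alice, bob, carol, ...) are constructed for illustration; the parameter defaults are GnuPG's --completes-needed (1), --marginals-needed (3) and --max-cert-depth (5). The model is deliberately simplified (one user ID per key, no expiry, no revocations, no signature-level trust), but it shows the two rules at the heart of the discussion: a certification only counts if the certifying key is itself already valid, and it counts as "full" or "marginal" according to that key's ownertrust, while a signature on data only asks whether the signing key is valid.

```python
"""Simplified model of the GnuPG web-of-trust validity calculation.

Added example, not GnuPG's own code.  It separates the two notions the
thread talks about:

  ownertrust: "do I trust this keyholder to certify other keys?"
              (set by the user; feeds the calculation)
  validity:   "does this key belong to the person named in its UID?"
              (computed; this is what a data signature is checked against)
"""

ULTIMATE, FULL, MARGINAL, NEVER, UNKNOWN = (
    "ultimate", "full", "marginal", "never", "unknown")


def compute_validity(keyring, ownertrust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return (validity, depth) dicts for every key in the keyring.

    keyring:    {keyid: set of keyids that certified (signed) its user ID}
    ownertrust: {keyid: ULTIMATE | FULL | MARGINAL | NEVER | UNKNOWN}

    Defaults mirror gpg's --completes-needed, --marginals-needed and
    --max-cert-depth.  A certification counts only if the certifying key is
    already valid, and it counts as "full" or "marginal" according to that
    key's ownertrust; NEVER and UNKNOWN ownertrust contribute nothing.
    Validity is FULL when the threshold is met, MARGINAL when some trusted
    certifier signed the key but the threshold was not reached.
    """
    validity = {k: UNKNOWN for k in keyring}
    depth = {}
    # Depth 0: keys we trust ultimately (normally our own) are valid by fiat.
    for k, t in ownertrust.items():
        if t == ULTIMATE and k in validity:
            validity[k] = FULL
            depth[k] = 0

    for level in range(1, max_cert_depth + 1):
        promoted = {}
        for key, signers in keyring.items():
            if validity[key] == FULL:
                continue
            # Only certifications from keys that are already valid count.
            full = sum(1 for s in signers
                       if validity.get(s) == FULL
                       and ownertrust.get(s) in (ULTIMATE, FULL))
            marginal = sum(1 for s in signers
                           if validity.get(s) == FULL
                           and ownertrust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                promoted[key] = FULL
            elif full or marginal:
                promoted[key] = MARGINAL
        # Apply promotions after the scan so every key at this depth is
        # judged against the previous depth's validity, not a mix.
        changed = False
        for key, v in promoted.items():
            if v == FULL:
                depth[key] = level
            if validity[key] != v:
                validity[key] = v
                changed = True
        if not changed:
            break
    return validity, depth


def data_signature_is_trusted(signer, validity):
    """A signature on data is accepted when the signing key is valid.

    Note that the signer's ownertrust is not consulted here at all; that
    value only matters when the signer certifies *other* keys.
    """
    return validity.get(signer) == FULL


# Constructed sample keyring: keyid -> who certified its user ID.
KEYRING = {
    "alice": {"alice"},                   # our own key, self-signed
    "bob":   {"alice"},
    "carol": {"alice"},
    "dave":  {"alice"},
    "erin":  {"alice"},
    "frank": {"bob"},                     # one fully trusted certifier
    "grace": {"carol", "dave"},           # two marginally trusted certifiers
    "heidi": {"carol", "dave", "erin"},   # three marginally trusted certifiers
    "ivan":  {"grace"},                   # certified by a key with no ownertrust
}
# Constructed ownertrust assignments (what the user typed in "gpg --edit-key trust").
OWNERTRUST = {"alice": ULTIMATE, "bob": FULL,
              "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}


if __name__ == "__main__":
    for label, kwargs in (("gpg defaults", {}),
                          ("marginals-needed=2", {"marginals_needed": 2}),
                          ("max-cert-depth=1", {"max_cert_depth": 1})):
        validity, depth = compute_validity(KEYRING, OWNERTRUST, **kwargs)
        print(f"--- {label}")
        for key in KEYRING:
            print(f"{key:6} validity={validity[key]:8} depth={depth.get(key, '-')}"
                  f" data-sig-trusted={data_signature_is_trusted(key, validity)}")
```

With the defaults, heidi's key is valid (three marginal certifications), grace's is only marginally valid (two), and a data signature from grace is therefore not accepted as coming from a verified key; lowering --marginals-needed to 2 makes grace's key valid, which is the "two signatures from two people you trust a little bit" case in the message above. Even then ivan's key stays unknown, because grace's key being valid is not the same as grace being trusted to certify others: validity is computed, ownertrust is something only the user can assign.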


_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users