
Two GCC stories

Posted Jun 30, 2010 17:06 UTC (Wed) by ptman (subscriber, #57271)
In reply to: Two GCC stories by fsateler
Parent article: Two GCC stories

In GPG you cannot say "I trust this person". What you can say is "I trust this key belongs to who it says it belongs to". It's trust in the key, not in the user. GPG only cares about authenticating the messages, that is, verifying that the message is from whoever it claims to be. You would need to have another level of trust on top of GPG to say that you trust some person.

Some version control systems have a list of GPG key fingerprints written down somewhere. If a patch comes in that is signed by one of those keys, it gets merged (or committed, or whatever). That file with the fingerprints and the script that makes the decision to merge is that additional layer on top of GPG.



Two GCC stories

Posted Jun 30, 2010 17:14 UTC (Wed) by ptman (subscriber, #57271) (1 response)

I shouldn't post stuff when tired. I just realized that I forgot to take the next step in GPG's web-of-trust. Of course if your trust in a key that isn't signed by yourself is affected by the trust of someone else in that key, they enjoy your trust in more ways than that which I claimed was the only way GPG considers trust.

TL;DR Never mind. Ignore what I said.

PGP trust

Posted Jun 30, 2010 18:18 UTC (Wed) by tialaramex (subscriber, #21167)

PGP even makes this explicit, and documents the difference, explaining that you may want to sign the identity of your naive best friend Bill on his key, knowing that it's really his key, but not trust him to authenticate other people's keys. Bill's naivety doesn't make his key any less authentic, but it makes his claims about the identities associated with other keys untrustworthy because he is easily fooled.

Further, PGP lets you "score" this property and set rules like "if the scores of the people who've signed this identity add up to 14 or more then assume it is real". This is in practice too advanced for most users, but it's there if you have a real use case for the web of trust.
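The two layers described in this thread, a web-of-trust validity computation (ptman's "is this key really Bill's?" plus tialaramex's "naive Bill" and "scores add up to 14 or more" rules) and a separate merge policy keyed on a fingerprint list, as a small Python model. This is an added example written for this page, not code from GnuPG or from any project mentioned; the fingerprints, names, introducer scores and the threshold of 14 are all constructed for illustration, and the scoring is a simplified sum rather than GnuPG's actual marginal/full trust model.

```python
"""Toy model of two separate trust layers (constructed example).

Layer 1, key validity: an identity on a key counts as authentic if my own key
signed it, or if the introducer scores of the *valid* keys that signed it add
up to at least THRESHOLD.  A key can be valid (I know it is Bill's) while its
introducer score is 0 (I don't trust Bill to vouch for anyone else).

Layer 2, merge policy: a fixed list of fingerprints that the merge script
accepts.  It is a policy decision that lives outside the web of trust.
"""
from dataclasses import dataclass, field

THRESHOLD = 14  # constructed: the "add up to 14 or more" style rule


@dataclass
class Key:
    fingerprint: str             # constructed short ids, not real fingerprints
    owner: str                   # the user id the key claims
    signed_by: set = field(default_factory=set)  # keys certifying that claim


class Keyring:
    def __init__(self, own_key, threshold=THRESHOLD):
        self.own_key = own_key
        self.threshold = threshold
        self.keys = {}
        self.introducer_score = {}   # how much I trust a key's certifications

    def add(self, key):
        self.keys[key.fingerprint] = key

    def set_introducer_score(self, fpr, score):
        self.introducer_score[fpr] = score

    def is_valid(self, fpr, _path=frozenset()):
        """Layer 1: is the identity on this key authentic, by my rules?"""
        if fpr in _path:              # cycle guard for mutually signed keys
            return False
        key = self.keys.get(fpr)
        if key is None:               # unknown key: never valid
            return False
        if fpr == self.own_key or self.own_key in key.signed_by:
            return True               # my own signature settles it
        path = _path | {fpr}
        score = sum(self.introducer_score.get(s, 0)
                    for s in key.signed_by if self.is_valid(s, path))
        return score >= self.threshold


def may_merge(allowlist, signer_fpr):
    """Layer 2: the merge script's rule, independent of key validity."""
    return signer_fpr in allowlist


def build_ring():
    """Constructed keyring: me, naive Bill, three marginal introducers."""
    ring = Keyring(own_key="ME000001")
    ring.add(Key("ME000001", "me"))
    ring.add(Key("B1110000", "Bill", {"ME000001"}))    # I signed Bill's key
    ring.set_introducer_score("B1110000", 0)           # ...but he is easily fooled
    for fpr, name in (("A1110000", "Alice"), ("C1110000", "Carol"), ("D1110000", "Dave")):
        ring.add(Key(fpr, name, {"ME000001"}))
        ring.set_introducer_score(fpr, 5)              # each worth 5 points
    ring.add(Key("E1110000", "Eve", {"B1110000"}))      # vouched for only by Bill
    ring.add(Key("F1110000", "Frank", {"A1110000", "C1110000", "D1110000"}))  # 15 points
    ring.add(Key("G1110000", "Grace", {"A1110000", "C1110000"}))              # 10 points
    return ring


MERGE_ALLOWLIST = {"F1110000", "B1110000"}  # constructed policy file contents


if __name__ == "__main__":
    ring = build_ring()
    for fpr in ("B1110000", "E1110000", "F1110000", "G1110000", "A1110000"):
        print(ring.keys[fpr].owner, "valid:", ring.is_valid(fpr),
              "mergeable:", may_merge(MERGE_ALLOWLIST, fpr))
```

Alice's key is valid (I signed it) yet her patches are not mergeable, because the allowlist is a policy file rather than a consequence of validity; Frank's key is valid only through the summed scores of three introducers, while Eve's is not, because Bill's certification carries no introducer weight even though his own key is perfectly authentic.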


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds