Two GCC stories

Posted Jun 30, 2010 17:14 UTC (Wed) by ptman (subscriber, #57271)
In reply to: Two GCC stories by ptman
Parent article: Two GCC stories

I shouldn't post stuff when tired. I just realized that I forgot to take the next step in GPG's web-of-trust. Of course if your trust in a key that isn't signed by yourself is affected by the trust of someone else in that key, they enjoy your trust in more ways than that which I claimed was the only way GPG considers trust.

TL;DR Nevermind. Ignore what I said.

to post comments

PGP trust

Posted Jun 30, 2010 18:18 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

PGP even makes this explicit, and documents the difference, explaining that you may want to sign the identity of your naive best friend Bill on his key, knowing that it's really his key, but not trust him to authenticate other people's keys. Bill's naivety doesn't make his key any less authentic, but it makes his claims about the identities associated with other keys untrustworthy because he is easily fooled.

Further, PGP lets you "score" this property and set rules like "if the scores of the people who've signed this identity add up to 14 or more then assume it is real". This is in practice too advanced for most users, but it's there if you have a real use case for the web of trust.