Mailing List Archive

trust
Due to the (understandable) lack of documentation for GPG right now, I'm not
sure how trust is handled for keys. Could someone please explain to me how
this works and how to edit or even view the trust values for certain keys?
Sorry about my ignorance but I'm new to gpg.

raj
--
Raj Laud <rlaud@io.com>
Finger rlaud@io.com for PGP/GPG public key.
Re: trust
On Tue, 21 Jul 1998, Raj Laud wrote:

> Due to the (understandable) lack of documentation for GPG right now, I'm not
> sure how trust is handled for keys. Could someone please explain to me how
> this works and how to edit or even view the trust values for certain keys?
> Sorry about my ignorance but I'm new to gpg.

Raj,

While I don't know how the trust model works, I have managed to get a pair
of gpg keys working that can communicate with each other. It took some
doing the first time so I decided to write the steps out. Of special
interest was that the first time it didn't work right, but I experimented
and deleted the trust database and that made things work.

I'm part way through a short document that I created to help organize my
thoughts as I worked with gpg. Basically, I'm using qmail aliases to
forward messages between two machines while passing them through gpg to
encrypt/decrypt them before and after. Basically a safer solution than
raw email forwarding if you have two trusted networks that you want email
forwarded between.

The short document currently contains the blow-by-blow process I went
through creating two key rings, and giving one to the other so that it
could automatically encrypt messages to it. If anyone is interested it is
at http://www.technocage.com/~caskey/gpg.html. The page mentions the
package I'm working on but doesn't contain any of the details about it so
ignore those parts.

Hope this helps some,

C=)

P.S. The document isn't done being formatted and I was experimenting with
color to make it easier to locate the parts I typed in so try not to
notice the look.

P.P.S. I just copied the document over from our intranet and I don't have
a regular public home page so you won't see any pointers there, you have
to go directly to gpg.html.

--------------------------------------------------------------------------
"Wish not to seem, but to be, the best." -- Aeschylus
--------------------------------------------------------------------------
Caskey <caskey*technocage.com> /// pager.818.698.2306
TechnoCage Inc. ///| PGP Key ID:0x7BBD08DC
--------------------------------------------------------------------------
Maybe everyone's driving a minivan with ego in the front seat,
inadequacy fighting in the back seat and nobody really paying
attention to the road. -- Bradt
Re: trust
Raj Laud <rlaud@io.com> writes:

> Due to the (understandable) lack of documentation for GPG right now, I'm not
> sure how trust is handled for keys. Could someone please explain to me how
> this works and how to edit or even view the trust values for certain keys?

It works more or less like PGP. The difference is that the trust is
computed at the time it is needed; this is one of the reasons for the
trustdb, which holds a list of valid key signatures. If you are not
running in batch mode you will be asked to assign a trust parameter
(ownertrust) to a key. I have plans to use a cache for calculated
trust values to speed up calculation.

You can see the calculated trust value using this:

    gpgm --list-keys --with-colons

If the first field is "pub", the second field shows you the trust:

    case TRUST_UNKNOWN:   c = 'o'; break;
    case TRUST_EXPIRED:   c = 'e'; break;
    case TRUST_UNDEFINED: c = 'q'; break;
    case TRUST_NEVER:     c = 'n'; break;
    case TRUST_MARGINAL:  c = 'm'; break;
    case TRUST_FULLY:     c = 'f'; break;
    case TRUST_ULTIMATE:  c = 'u'; break;

You can get a list of the assigned ownertrust values:

    gpgm --list-ownertrust

The first field is the fingerprint of the primary key, the second one
the assigned value:

    #define TRUST_UNKNOWN   0 /* o: not yet calculated */
    #define TRUST_EXPIRED   1 /* e: calculation may be invalid */
    #define TRUST_UNDEFINED 2 /* q: not enough information for calculation */
    #define TRUST_NEVER     3 /* n: never trust this pubkey */
    #define TRUST_MARGINAL  4 /* m: marginally trusted */
    #define TRUST_FULLY     5 /* f: fully trusted */
    #define TRUST_ULTIMATE  6 /* u: ultimately trusted */


I'm working on commands to edit the ownertrust values.


We need a lot more testing for this code - but wait until I have done
the new design of the trust stuff.
Code for trust handling is in g10/trustdb.{ch} and g10/pkclist.c


Hope this helps,

Werner
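
Added example, not part of the messages above or of the GnuPG source: a small C reader for the colon listing described in the last reply, which takes the second field of each "pub" record, maps the letter to the TRUST_* value from the table, and counts keys that fall below a chosen level. Using the numeric order as a threshold, the function names and the sample listing (only its first two fields follow the message) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Values and letters as listed in the message above. */
enum { TRUST_UNKNOWN, TRUST_EXPIRED, TRUST_UNDEFINED, TRUST_NEVER,
       TRUST_MARGINAL, TRUST_FULLY, TRUST_ULTIMATE };

/* Map a listing letter to its TRUST_* value; -1 for an unlisted letter. */
static int trust_from_letter(char c)
{
    static const char letters[] = "oeqnmfu";   /* index == TRUST_* value */
    const char *p = c ? strchr(letters, c) : NULL;
    return p ? (int)(p - letters) : -1;
}

/* Trust of one listing line: -1 unless it is a "pub" record whose second
 * field is exactly one known letter. */
static int pub_trust(const char *line)
{
    if (strncmp(line, "pub:", 4) != 0) return -1;
    if (line[4] == '\0' || line[5] != ':') return -1;
    return trust_from_letter(line[4]);
}

/* Count "pub" records in a multi-line listing whose trust is below `min`
 * (assumed threshold use of the numeric order) or cannot be parsed, so
 * they can be reviewed before any unattended use of the key. */
static int count_below(const char *listing, int min)
{
    int n = 0;
    for (const char *p = listing; *p; ) {
        if (strncmp(p, "pub:", 4) == 0 && pub_trust(p) < min) n++;
        p += strcspn(p, "\n");          /* skip to end of this record */
        if (*p == '\n') p++;
    }
    return n;
}

/* Constructed sample; everything after the second field is filler. */
static const char SAMPLE[] =
    "pub:f:rest-of-record\nsub:m:rest\npub:q:rest\npub::rest\npub:u:rest\n";

int main(void)
{
    printf("needs review: %d\n", count_below(SAMPLE, TRUST_MARGINAL));
    return 0;
}
```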