Levels of validation
Hello,


in the GNU Privacy Handbook two levels of trust and validation are
mentioned: marginal and full
(https://www.gnupg.org/gph/en/manual.html#AEN335). Is this information
still correct? Because, when I edit the trust of a key, I can select
both of these options, but can also decide to trust a key ultimately.
That's why I was wondering if there are still only the two levels and
if the conditions for a valid key are still the same.


Greetings,

Christoph


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Levels of validation
Hi Christoph,

On Sun, 2 Jan 2022 at 14:39, Christoph Klassen via Gnupg-users wrote:
> in the GNU Privacy Handbook two levels of trust and validation are
> mentioned: marginal and full
> (https://www.gnupg.org/gph/en/manual.html#AEN335). Is this information still
> correct?

Yes. But it depends on your trust-model setting (see the man page).

> Because, when I edit the trust of a key, I can select both of these
> options, but can also decide to trust a key ultimately. That's why I was
> wondering if there are still only the two levels and if the conditions for
> a valid key are still the same.

The trust "ultimate" should only be set on your very own keys! You
never use that setting for anything else.

The trust "full" is for keys that are fully trusted, either by you
having signed them with an ultimately trusted key or, depending on the
trust model, by being signed by multiple other trusted keys or by TOFU...

The trust "marginal" is for keys that have not got enough trust to be
fully trusted.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: Levels of validation
Hello Klaus,

On 02.01.22 15:05, Klaus Ethgen wrote:
> Yes. But it depends on your trust-model setting (see the man page).

Okay, I will read it. Sounds interesting because developers could decide
to display the level of validation in their application, but if users
change the settings, this could stop working.


> The trust "ultimate" should only be set on your very own keys! You
> never use that setting for anything else.

I already thought that I shouldn't do this. But wouldn't it be the same
as when I sign a key? In the end both ways show that I trust the key, and
if I sign a key I do trust it ultimately.


Greetings,

Christoph



Re: Levels of validation
On Sunday, 2 January 2022 16:45:47 CET Christoph Klassen via Gnupg-users
wrote:
> On 02.01.22 15:05, Klaus Ethgen wrote:
> > Yes. But it depends on your trust-model setting (see the man page).
>
> Okay, I will read it. Sounds interesting because developers could decide
> to display the level of validation in their application, but if users
> change the settings, this could stop working.

Developers should always use gpg (e.g. via gpgme) to calculate the level of
validation.

> > The trust "ultimate" should only be set on your very own keys! You
> > never use that setting for anything else.
>
> I already thought that I shouldn't do this. But wouldn't it be the same
> as when I sign a key? In the end both ways show that I trust the key, and
> if I sign a key I do trust it ultimately.

Please be very careful to differentiate between owner trust and (level of)
validity. Unfortunately, very often people shorten both to "trust".

First, you don't trust keys, just as you don't trust ID cards. You trust
(or don't trust) the "owner" of a key to do a proper job when they sign
other keys, just as you trust or don't trust the issuers of ID cards to do
a proper job when they certify the identity of the ID card holder.

Now let's look at your above statement.
> But wouldn't it be the same
> as when I sign a key? In the end both ways show that I trust the key, and
> if I sign a key I do trust it ultimately.

No, it wouldn't be the same. Let's assume you have only two keys A and B in
your key ring that are not your own keys. Let's further assume that key B is
signed with key A. (And let's assume the default trust model is used by gpg.)

If you sign key A, then key A will be considered valid by gpg but key B will
not be considered valid by gpg (unless you also signed key B).

If you set the owner trust of key A to "ultimate", then key A will be
considered valid by gpg (because ultimate owner trust implies full validity)
and key B will also be considered valid by gpg (because it has been signed
with a key whose owner you assigned ultimate trust).

Now, if you sign key A and set the owner trust of key A to "full", then key A
and key B will be considered valid by gpg.

With regard to the validity of the two keys A and B, the result of the last
two cases is the same. But the semantics of key signatures and owner trust
are completely different.

You can share key signatures with other people (by exporting the public key
including your signatures), but you usually don't share the owner trust you
have assigned to keys with other people. The reason is simple: People may
trust you to do a proper job certifying keys you sign (e.g. by verifying the
identity of the owners of keys), so that they may tell their gpg to trust your
signatures. But people will most likely have a very different idea about whom
they trust.

Regards,
Ingo
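The three cases above, worked through in a small model of the classic gpg web-of-trust validity computation. This is an added example, not GnuPG's own code or Ingo's; it assumes gpg's documented default thresholds, that only a fully valid key's owner trust counts when certifying others, and uses placeholder key names (ME is your own, ultimately trusted key). It also goes beyond the message by handling marginal owner trust.

```python
# Added example: a simplified model of the classic gpg web-of-trust validity
# computation, not GnuPG's own code. Thresholds are gpg's documented defaults
# (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_validity(sigs, ownertrust):
    """sigs: {key: set of keys that certified (signed) it}; ownertrust:
    {key: 'ultimate'|'full'|'marginal'}. Returns {key: validity}."""
    keys = set(sigs) | set(ownertrust) | {s for v in sigs.values() for s in v}
    # Ultimately trusted keys (your own) are fully valid without any signature.
    validity = {k: "full" if ownertrust.get(k) == "ultimate" else "unknown"
                for k in keys}
    for _ in range(MAX_CERT_DEPTH):
        changed = False
        for k in keys:
            if validity[k] == "full":
                continue
            completes = marginals = 0
            for signer in sigs.get(k, ()):
                # Assumption: owner trust counts only for a fully valid signer.
                if validity[signer] != "full":
                    continue
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    completes += 1
                elif trust == "marginal":
                    marginals += 1
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                new = "full"
            elif marginals > 0:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[k]:
                validity[k], changed = new, True
        if not changed:
            break
    return validity


def ingo_cases():
    """The three cases from the message above; ME is your own key."""
    me = {"ME": "ultimate"}
    return {
        "sign A": compute_validity({"A": {"ME"}, "B": {"A"}}, me),
        "ownertrust A ultimate": compute_validity({"B": {"A"}}, {**me, "A": "ultimate"}),
        "sign A, ownertrust A full": compute_validity({"A": {"ME"}, "B": {"A"}}, {**me, "A": "full"}),
    }
```

Note that owner trust on an unsigned, non-ultimate key does nothing by itself: an unsigned key A with owner trust "full" stays invalid, and so does B.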
Re: Levels of validation
On Sun, 02 Jan 2022 19:45:27 +0100
Ingo Klöcker <kloecker@kde.org> wrote:

> With regard to the validity of the two keys A and B, the result of the
> last two cases is the same. But the semantics of key signatures and
> owner trust are completely different.

Sorry, I didn't say clearly enough what I meant. For me personally it
wouldn't make any difference if I sign a key or trust it (or better:
the owner) ultimately. In the end both keys are valid. And for others
there would also be no difference if I signed a key only locally.

Only if I sign a key and upload it would it make a difference, because
the owner trust only affects the keys in my keyring, but the signed key
affects the validation if other people own it.

Back to the question:
> > But wouldn't it be the same
> > as when I sign a key? In the end both ways show that I trust the
> > key, and if I sign a key I do trust it ultimately.

Practically it depends on whether I upload the key. If I don't upload it,
it wouldn't make any difference. But, as you said, the semantics are
different.
