On Jun 12, 2009, at 11:24 PM, Steven W. Orr wrote:

There's a pgp concept that I'm not comfortable with. It has to do with the difference between owner trust and key validity. And I say comfortable, not because I don't like it or that I don't think it doesn't work; I just don't feel like I understand it well enough to be doing it right.

When I got your key, AND I know it came from you, then I set your key in my ring with owner trust of "trusted". But I didn't set the key validity. My understanding is that if I set your key validity then I'm signing my public key with your public key. (Someone please correct me if I'm way off.)


The difference between key validity and owner trust is in the object of the trust.

If you trust the key, in that you have verified that the user ID contained on the key does indeed belong to its holder, you indicate your trust in the key by signing the key. Since your key is explicitly set to ultimate owner trust, you will automatically consider any key signed by you to be valid.

Owner trust is how you express confidence in the owner of the key to validate other people's keys. If a key belongs to a person who is sloppy about signing other keys, you would assign them a low owner trust (or even none). On the other hand, if you know that someone is very diligent about vetting keys, you could assign them a high owner trust.

What does this do for you? Mostly, it's a time saver for yourself. If you receive 100 keys from various individuals, you could be diligent in verifying each and every one of them before you sign those keys. Once you sign a key, it is considered valid.

Otherwise, say 90% of those keys were already signed by someone you know is diligent about verifying keys. If you assigned that person a high owner trust, those 90 keys would be automatically considered valid by you, and you'd only need to verify the remaining 10.

A marginal owner trust is for people who might do a good job of verifying a key's UID, in which case you would consider valid any key signed by three such individuals.

There are two types of signatures at this point: local and exportable. If your signature on the key is local only, then your signature on the key will not be exported should you choose to export the key to another location (e.g. a keyserver). If your signature is exportable, your signature will be appended to the key when you send that key onward. If other people trust you to validate UIDs by assigning a high owner trust to your key, they will automatically consider valid any such keys signed by your key.

In the X.509 certificate model, high owner trust is granted by you implicitly when you hold a certificate authority's root certificate. Any certificate signed by the chain of CAs that terminates at a trusted root certificate is automatically trusted (valid).

Joe
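The rule Joe describes (one fully trusted signer, or three marginally trusted signers, and a signature only counts if the signing key is itself valid) can be modelled in a few lines. The following is an added example, not code from the thread or from GnuPG; the keyring it operates on is constructed, and it deliberately ignores max-cert-depth, expiry, revocation and GnuPG's intermediate "marginal" validity level.

```python
# Added example: a simplified model of how GnuPG derives key validity from
# owner trust plus signatures, using GnuPG's default thresholds. Constructed
# data; ignores max-cert-depth, expiry, revocation and "marginal" validity.

COMPLETES_NEEDED = 1   # GnuPG default: one fully trusted signer suffices
MARGINALS_NEEDED = 3   # GnuPG default: three marginally trusted signers suffice

def compute_validity(owner_trust, signatures,
                     completes_needed=COMPLETES_NEEDED,
                     marginals_needed=MARGINALS_NEEDED):
    """Return {key_id: 'ultimate' | 'full' | 'unknown'}.

    owner_trust: key_id -> 'ultimate' | 'full' | 'marginal' | 'never' | 'unknown'
    signatures:  key_id -> set of key_ids whose signatures appear on that key
    A signature only counts if the signing key is itself already valid, so
    validity is computed as a fixpoint rather than in a single pass.
    """
    valid = {k for k, t in owner_trust.items() if t == "ultimate"}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]   # only valid signers count
            full = sum(owner_trust.get(s) in ("full", "ultimate") for s in usable)
            marginal = sum(owner_trust.get(s) == "marginal" for s in usable)
            if full >= completes_needed or marginal >= marginals_needed:
                valid.add(key)
                changed = True
    keys = set(owner_trust) | set(signatures)
    return {k: ("ultimate" if owner_trust.get(k) == "ultimate"
                else "full" if k in valid else "unknown") for k in keys}

# Constructed keyring: "me" is the local, ultimately trusted key.
OWNER_TRUST = {"me": "ultimate", "alice": "full",
               "bob": "marginal", "carol": "marginal", "dave": "marginal",
               "ivan": "marginal"}  # ivan's key is never signed, so it is not valid
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "frank": {"alice"},                # one full-trust signer: valid
    "eve":   {"bob", "carol", "dave"}, # three marginal signers: valid
    "grace": {"bob"},                  # one marginal signer: not enough
    "judy":  {"ivan", "bob", "carol"}, # ivan is not valid, so only two count
}

if __name__ == "__main__":
    for k, v in sorted(compute_validity(OWNER_TRUST, SIGNATURES).items()):
        print(f"{k:6s} {v}")
```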


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
