On Tue, Jan 24, 2012 at 03:13:46PM -0300, Faramir wrote:
> Well, if Trent signs Alice's key, Bob, who trusts Trent, might sign her
> key too. Charly doesn't know Trent, but he trusts Bob's judgement, so
> he might accept Alice's key as valid, not because of Trent's
> signature, but because of Bob's signature. Also, maybe Trent only
> signs keys if 2 persons have checked it, but he just signs it once,
> that signature doesn't reflect the amount of people having checked it.

This is why OpenPGP implementations have trust settings. If Bob trusts
Trent's assertions, then he can give Trent full trust and Bob's
implementation will believe that Alice's key belongs to Alice. There's no
need to sign the key.

If I truly believe that a key belongs to someone that I have seen use it
for several years and that is trusted by numerous other people, but I have
not verified the connection between that person's identity and key myself,
I use a local signature. That way I don't have other people rely on my
assertion if I haven't done the amount of checking that I would like to
before making a public statement.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
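
The difference between owner trust, a local signature and an exportable signature discussed in this message, as an added example that is not part of the original thread and is not GnuPG's code. It is a simplified model of the classic trust model using GnuPG's default thresholds (1 fully trusted or 3 marginally trusted signers); the `Sig`, `Keyring`, `valid_keys` and `scenario` names, and the assumption that Bob has certified Trent's key and Charly has certified Bob's, are constructed for illustration.

```python
# Added example: simplified model of OpenPGP key validity (classic trust model).
# Thresholds are GnuPG's defaults; depth limits, expiry and revocation are omitted.
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 3

@dataclass(frozen=True)
class Sig:
    signer: str
    signee: str
    local: bool = False  # local signatures are never exported from the signer's keyring

@dataclass
class Keyring:
    owner: str
    ownertrust: dict = field(default_factory=dict)  # key -> FULL or MARGINAL (private setting)

def valid_keys(ring, sigs):
    """Keys the ring's owner considers valid, given every signature in existence."""
    seen = [s for s in sigs if not s.local or s.signer == ring.owner]
    valid, changed = {ring.owner}, True
    while changed:  # iterate to a fixed point: newly valid keys can validate others
        changed = False
        for key in {s.signee for s in seen} - valid:
            signers = {s.signer for s in seen if s.signee == key and s.signer in valid}
            full = sum(k == ring.owner or ring.ownertrust.get(k) == FULL for k in signers)
            marginal = sum(ring.ownertrust.get(k) == MARGINAL for k in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid

def scenario(bob_signs_alice=None, bob_trusts_trent=True):
    """Return (Alice valid for Bob, Alice valid for Charly). Constructed sample data."""
    # Assumed: Bob has certified Trent's key and Charly has certified Bob's key.
    sigs = [Sig("trent", "alice"), Sig("bob", "trent"), Sig("charly", "bob")]
    if bob_signs_alice:  # "local" or "exportable"
        sigs.append(Sig("bob", "alice", local=(bob_signs_alice == "local")))
    bob = Keyring("bob", {"trent": FULL} if bob_trusts_trent else {})
    charly = Keyring("charly", {"bob": FULL})
    return "alice" in valid_keys(bob, sigs), "alice" in valid_keys(charly, sigs)

if __name__ == "__main__":
    for args in [(None, True), ("local", False), ("exportable", False)]:
        print(args, scenario(*args))
```

Only the exportable signature changes what Charly's keyring concludes; full trust in Trent and a local signature both stay private to Bob.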