Hello all,

I've just stumbled across this question on Security StackExchange, but it has no satisfactory answers, so I thought I'd relay it here. Basically, it asks whether, after a GPG signing party, you still have to assign trust values to all the keys (or rather the keys' owners) in order to have a meaningful web of trust. Finding myself asking the same question, I quote the question:

« I might be totally misunderstanding the concept of web-of-trust, but imagine the following scenario: I generate my key, then go to a key signing party, and after, I import all the keys whose fingerprints I have verified, and sign those.

Now, this will make all those keys fully valid, but the default trust for each key will still be set to the default, i.e. "unknown". Which means that if I now import a new key, even if this new key has enough (*) signatures from those, it still won't be considered valid, because none of those keys is trusted.

Which means that for key signing parties to have some usefulness, we must set those keys' trust to at least marginally trusted. Right? Or am I making some mistake somewhere in my reasoning?

(*) - In GPG's default security model, i.e. one sig from a fully trusted key, or 3 from marginally trusted keys. »

http://security.stackexchange.com/questions/52102/gpg-key-trust-after-a-signing-party

Thanks for your help!

--
Óscar Pereira
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
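
The scenario in the quoted question, worked through as an added example that is not part of the original post and is not GnuPG's code: a simplified model of the classic trust model using the thresholds quoted above (one fully trusted signer, or three marginally trusted ones). The key names are constructed, and expiry, revocation, trust signatures and the certification depth limit are assumed away.

```python
# Simplified model of GnuPG's classic trust model (assumption: ignores
# expiry, revocation, trust signatures and the max-cert-depth limit).
COMPLETES_NEEDED = 1   # gpg default for --completes-needed
MARGINALS_NEEDED = 3   # gpg default for --marginals-needed

def valid_keys(signatures, ownertrust, me):
    """Return the set of keys considered valid.

    signatures: dict mapping key -> set of keys that signed it
    ownertrust: dict mapping key -> "full" | "marginal" (absent = unknown)
    me: own key, ultimately trusted and therefore always valid
    """
    valid = {me}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures made by keys that are themselves valid count.
            counted = signers & valid
            full = sum(1 for s in counted
                       if s == me or ownertrust.get(s) == "full")
            marginal = sum(1 for s in counted
                           if ownertrust.get(s) == "marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid

# Constructed scenario: alice, bob and carol were verified and signed at
# the party; dave's key is imported later, signed by all three of them.
SIGS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"},
    "dave": {"alice", "bob", "carol"},
}

def party_scenario(trust_level=None):
    """Validity set when all three attendees get the given ownertrust."""
    trust = {} if trust_level is None else {
        k: trust_level for k in ("alice", "bob", "carol")}
    return valid_keys(SIGS, trust, "me")

if __name__ == "__main__":
    print("unknown :", sorted(party_scenario()))
    print("marginal:", sorted(party_scenario("marginal")))
```

In this model the three party keys are valid either way because they carry the user's own signature; only the ownertrust assigned to their owners changes whether the later key becomes valid.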
