On Fri, 30 Jun 2017 18:38:45 +0200, Peter Lebbing wrote:

> Somebody could put their own public key in your keyring, assign that
> Ultimate trust, and then certify another public key they wish to pop
> up as valid. Ultimately trusted keys make other keys valid by their
> certification. There is no way to see any difference between a key
> that is fully valid because your own ultimately trusted key signed it
> or because the attacker's ultimately trusted key signed it. And since
> the ultimately trusted key of the attacker isn't the one doing data
> signatures, your "alternative colour" will not trigger.
Correct. But what I meant was that an attacker would replace one of my pub keys (which I signed) with one that has only the Trust Level set to Ultimate, resulting in both keys showing up with a green bar. According to (I'm no programmer) RFC 4880, OpenPGP Message Format: https://tools.ietf.org/html/rfc4880

5.2.3.13. Trust Signature (page 30)
5.10. Trust Packet (Tag 12) (page 47)

Those are IMHO two different things and therefore should not be handled with the same color output.

Regards
Stefan
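The practical check behind this exchange is to look at *why* each key is valid rather than at the single validity colour a front end paints. In `gpg --with-colons --list-keys` output, field 2 of a `pub` record is the key's computed validity and field 9 is the ownertrust you assigned locally (GnuPG keeps ownertrust in trustdb.gpg, not in the keyring itself). A key that is valid only because its ownertrust is Ultimate is a trust anchor; a key that is valid because an anchor's certification reaches it is a certified key. Comparing the set of trust anchors against the fingerprints you actually own is how you would spot the planted anchor Peter describes. The script below is an added example written for this thread, not GnuPG code or anything from the original posts; the `SAMPLE` output is constructed and its key IDs and fingerprints are fake.

```python
"""Classify keys from `gpg --with-colons --list-keys` by the reason they are valid.

Added example for this thread (not GnuPG code). SAMPLE is constructed output
with fake key IDs and fingerprints; in practice feed it the real command's stdout.
"""

# Constructed sample: three keys. Field 2 = validity, field 9 = local ownertrust.
# Key 1: my own key (ownertrust u).  Key 2: Peter's key, fully valid ('f') via a
# certification, no ownertrust ('-').  Key 3: a planted key someone marked Ultimate.
SAMPLE = """\
tru::1:1498840725:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1498840725:::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111110123456789ABCDEF:
uid:u::::1498840725::AAAA::Stefan <stefan@example.invalid>::::::::::0:
pub:f:4096:1:FEDCBA9876543210:1498840725:::-:::scESC::::::23::0:
fpr:::::::::222222222222222222222222FEDCBA9876543210:
uid:f::::1498840725::BBBB::Peter <peter@example.invalid>::::::::::0:
pub:u:4096:1:DEADBEEFDEADBEEF:1498840725:::u:::scESC::::::23::0:
fpr:::::::::333333333333333333333333DEADBEEFDEADBEEF:
uid:u::::1498840725::CCCC::Mallory <mallory@example.invalid>::::::::::0:
"""

# Fingerprints of keys I personally generated; everything else marked Ultimate is suspect.
MY_FINGERPRINTS = {"1111111111111111111111110123456789ABCDEF"}


def parse_keys(colons_output):
    """Return one dict per primary key: keyid, fpr, validity, ownertrust, uids."""
    keys = []
    current = None
    for line in colons_output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = {
                "keyid": fields[4],
                "validity": fields[1],    # o i d r e - q n m f u
                "ownertrust": fields[8],  # same letters; '-' when none assigned
                "fpr": None,
                "uids": [],
            }
            keys.append(current)
        elif rtype == "fpr" and current is not None and current["fpr"] is None:
            # The first fpr after a pub record is the primary key's fingerprint;
            # later fpr records belong to subkeys and are ignored.
            current["fpr"] = fields[9]
        elif rtype == "uid" and current is not None:
            current["uids"].append(fields[9])
    return keys


def classify(key):
    """Why the key counts as valid: local trust anchor, certified, or not valid."""
    if key["ownertrust"] == "u":
        return "trust-anchor"   # valid by fiat of the local trust database
    if key["validity"] in ("f", "m"):
        return "certified"      # valid because some anchor's certification reaches it
    return "not-valid"


def unexpected_trust_anchors(keys, my_fingerprints):
    """Keys with Ultimate ownertrust whose fingerprint is not one of mine."""
    return [k for k in keys
            if k["ownertrust"] == "u" and k["fpr"] not in my_fingerprints]


def report(colons_output, my_fingerprints):
    """Human-readable lines, one per key, plus a warning per planted anchor."""
    keys = parse_keys(colons_output)
    lines = ["%s %-13s %s" % (k["keyid"], classify(k), k["uids"][0] if k["uids"] else "")
             for k in keys]
    for k in unexpected_trust_anchors(keys, my_fingerprints):
        lines.append("WARNING: %s has Ultimate ownertrust but is not my key" % k["fpr"])
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE, MY_FINGERPRINTS)))
```

Run it against real output with `gpg --with-colons --list-keys | python3 thisscript.py` after replacing `SAMPLE` with `sys.stdin.read()`, and cross-check with `gpg --export-ownertrust`, which lists exactly the fingerprint-to-ownertrust pairs the trust database holds. Any fingerprint there with level 6 (Ultimate) that is not yours is the condition Peter's attack relies on, regardless of what colour the front end shows.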
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users