Quoting "Michael W. Lucas" <[EMAIL PROTECTED]>:

> I'm trying to learn if there's a tool to trace the web of trust
> between two keys.
>
> For example, suppose I get an email from someone I've never heard of
> and want to learn if there is any valid chain of signatures leading
> from me to him.

If you're using an old version of gnupg, you can use Darxus's sigtrace[1] and mutt-sigtrace[2] to display pgp signature path traces inline with the pgp signature verification of your MUA. (I use mutt.)

I maintain some newer[3] versions of these same scripts, which work with gnupg's --with-colons mode. The end result isn't quite as pretty, but it does work.

You can also use wotsap[4] data to determine a signature path. I discovered it after I'd customized sigtrace for my own use.

There are a variety of web-enabled tools to achieve the same results if you're only interested in casual tracing. The most well known of these I think is probably Jason Harris's keyserver, which can be used by playing with the following url:

http://keyserver.kjsl.com/~jharris/gpgwww.cgi?from=0xkeyid&to=0xkeyid

Once I started tracing all the pgp keys that I came across, I noticed my attitudes toward key trust changed. For example, I used to think CA Robots were a great idea. Now I tend to not trust any key verified through a CA robot. You really start to appreciate the WoT for what it is when you see it in action all day long.

[1] http://www.chaosreigns.com/code/sigtrace/
[2] http://www.chaosreigns.com/code/mutt-sigtrace/
[3] http://charles.mauch.name/code/sigtrace/
[4] http://www.lysator.liu.se/~jc/wotsap/

--
Regards,
Charles Mauch
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
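
The message above mentions tracing signature paths from gnupg's --with-colons output. The following is an added example, not part of the original message and not the sigtrace scripts themselves: it builds a signer-to-signed graph from `gpg --with-colons --list-sigs` style records and finds the shortest chain between two keys. The sample records, key IDs and function names are constructed for illustration.

```python
from collections import deque

# Constructed sample in the shape of `gpg --with-colons --list-sigs` output
# (key IDs and names are made up). Field 1 is the record type; field 5 is the
# key ID: the key itself on "pub" lines, the signing key on "sig" lines.
SAMPLE = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1100000000:::u:::scESC:
uid:u::::1100000000::::Me <me@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1100000000::::Me <me@example.org>:13x:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1100000000:::-:::scESC:
uid:f::::1100000000::::Bob <bob@example.org>:
sig:::1:BBBBBBBBBBBBBBBB:1100000000::::Bob <bob@example.org>:13x:
sig:::1:AAAAAAAAAAAAAAAA:1100000001::::Me <me@example.org>:10x:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1100000000:::-:::scESC:
uid:-::::1100000000::::Carol <carol@example.org>:
sig:::1:CCCCCCCCCCCCCCCC:1100000000::::Carol <carol@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1100000002::::Bob <bob@example.org>:10x:
pub:-:2048:1:DDDDDDDDDDDDDDDD:1100000000:::-:::scESC:
uid:-::::1100000000::::Stranger <stranger@example.org>:
sig:::1:DDDDDDDDDDDDDDDD:1100000000::::Stranger <stranger@example.org>:13x:
"""

def signature_graph(colons):
    """Map signer key ID -> set of key IDs that signer has certified."""
    graph, current = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            current = f[4]                      # key the following sigs apply to
        elif f[0] == "sig" and len(f) > 4 and current and f[4] != current:
            graph.setdefault(f[4], set()).add(current)   # skip self-signatures
    return graph

def trace(graph, source, target):
    """Shortest chain of certifications from source to target, or None."""
    queue, seen = deque([[source]]), {source}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    print(trace(signature_graph(SAMPLE), "AAAAAAAAAAAAAAAA", "CCCCCCCCCCCCCCCC"))
```

A listed signature is not a verified one: the graph only shows who claims to have signed what, so a path found this way still needs the signatures checked (for example with `gpg --check-sigs`) before it means anything.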