MFPA:
>> Trust is not transitive. If A trusts B and B trusts C,
>> there is no requirement that A trusts C.
>
> In real life, true. But what about the GnuPG default of trusting a key
> that carries certifications from 1 fully trusted or 3 marginally
> trusted keys. Unless you manually inspect each trust path, how would
> you spot unknown keys from past real-life associates you distrusted?

You're mixing concepts. Trusting someone to vouch for others' keys' validity is *not* the same as believing someone else's key is valid.

I think what Robert meant (and feel free to correct if I'm off here) is he wouldn't trust certifications from that "ex-CEO Ben", but there's nothing wrong really if one or several persons whom Robert trusts certify "Ben's" key.

In GnuPG, you assign trust levels manually. In turn, GnuPG computes validity automatically. Trust doesn't get transferred from one key to another. Validity does (in a sense).

--
Vlad "SATtva" Miller
3d viz | security & privacy consulting
www.vladmiller.info | www.pgpru.com
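
The distinction drawn in the message above, as an added illustration that is not part of the original post and is not GnuPG's own code: a simplified Python model of validity computation with the "1 fully trusted or 3 marginally trusted" thresholds quoted in the thread. It ignores certification depth, expiry and revocation; every name other than Robert and Ben is constructed.

```python
# Simplified model of classic PGP validity computation (an assumption-laden
# sketch, not GnuPG's implementation). Thresholds are those quoted in the thread.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3

def compute_validity(own_key, ownertrust, certs):
    """Return the set of keys considered valid.

    ownertrust: key -> "full" | "marginal" (assigned by hand; absent = none)
    certs:      key -> set of keys that certified it
    """
    valid = {own_key}                      # the user's own key is always valid
    changed = True
    while changed:                         # repeat until no new key validates
        changed = False
        for key, signers in certs.items():
            if key in valid:
                continue
            full = marginal = 0
            for s in signers:
                # A certification counts only if the signer's key is valid
                # AND the user manually assigned ownertrust to that signer.
                if s not in valid:
                    continue
                if s == own_key or ownertrust.get(s) == "full":
                    full += 1
                elif ownertrust.get(s) == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid

# Constructed scenario: Robert assigns Ben no ownertrust at all.
OWNERTRUST = {"alice": "full", "carol": "marginal", "dave": "marginal"}
CERTS = {
    "alice": {"robert"}, "carol": {"robert"}, "dave": {"robert"},
    "ben": {"alice"},            # becomes valid: certified by a fully trusted key
    "mallory": {"ben"},          # stays invalid: Ben's signature carries no weight
    "erin": {"carol", "dave"},   # stays invalid: only 2 marginal certifications
}

def demo():
    return compute_validity("robert", OWNERTRUST, CERTS)
```

Ben's key ends up valid while the key only Ben certified does not, which is the sense in which validity propagates and trust does not.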