On 16.11.2018 00:40, Dirk Gottschalk via Gnupg-users wrote:
> There's documentation about the trustdb. I read it a while ago, but not
> entirely. You can also set the amount of needed signatures for the
> trust calculations and so on. Then comes the trust deepness into play.
> I also have to read further because I want to "abuse" GnuPG for an
> email controlled bot system inside a bigger company as part of the
> security concept. The commands shall be encrypted and signed and some
> function should be usable by "unknown" users with the needed trust
> level and so on.

For people interested, these two articles by Konstantin Ryabitsev go into details of how things are calculated:

https://www.linux.com/learn/pgp-web-trust-core-concepts-behind-trusted-communication

https://www.linuxfoundation.org/blog/2014/02/pgp-web-of-trust-delegated-trust-and-keyservers/

It may be initially hard to digest but the amount of knowledge these articles are packed with is unparalleled, and, actually, there are no other resources on this subject I could find (the GnuPG manual has a description but IMHO Konstantin's is clearer).

As for the sigs, sig1 are ignored in GnuPG by default, everything else has the same value. So if Stefan's friends trust his key fully, all keys he's signed will be equally valid.

On the other matter, I doubt anyone would have a serious problem by signing someone else's key regardless of circumstances. Signing documents, maybe, as that would qualify as an Advanced Electronic Signature, but signing (certifying) keys? They are technically similar but that's all.

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor
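
The counting rule discussed in this message, as an added example that is not part of the original post and is not GnuPG's code: a simplified Python model of the classic trust model using the defaults of the real options `--min-cert-level`, `--completes-needed`, `--marginals-needed` and `--max-cert-depth`. The function name, the key names and the certification list are constructed for illustration; expiry, revocation, trust signatures and per-user-ID validity are not modelled.

```python
from collections import Counter

MIN_CERT_LEVEL = 2    # gpg --min-cert-level default: sig1 is disregarded
COMPLETES_NEEDED = 1  # gpg --completes-needed default
MARGINALS_NEEDED = 3  # gpg --marginals-needed default
MAX_CERT_DEPTH = 5    # gpg --max-cert-depth default

# Constructed sample: (signer, signee, level), level 0..3 = sig, sig1, sig2, sig3
SAMPLE_CERTS = [
    ("me", "stefan", 3),
    ("stefan", "alice", 3),
    ("stefan", "bob", 0),
    ("stefan", "carol", 1),  # sig1: dropped by the default min-cert-level
    ("stefan", "dave", 2),
]

def compute_validity(own_key, ownertrust, certs):
    """ownertrust: {key: "full" | "marginal"}. Returns {key: "full" | "marginal"}."""
    validity = {own_key: "full"}
    for _ in range(MAX_CERT_DEPTH):  # one round per step away from own_key
        full, marginal = Counter(), Counter()
        for signer, signee, level in certs:
            if 1 <= level < MIN_CERT_LEVEL:
                continue  # sig1 ignored; sig, sig2 and sig3 all count the same
            if validity.get(signer) != "full":
                continue  # only fully valid keys can introduce other keys
            if signer == own_key:
                full[signee] += COMPLETES_NEEDED  # ultimately trusted signer
            elif ownertrust.get(signer) == "full":
                full[signee] += 1
            elif ownertrust.get(signer) == "marginal":
                marginal[signee] += 1
        updated = {}
        for key in set(full) | set(marginal):
            enough = (full[key] >= COMPLETES_NEEDED
                      or marginal[key] >= MARGINALS_NEEDED)
            updated[key] = "full" if enough else "marginal"
        updated[own_key] = "full"  # own key stays valid whoever signed it
        if updated == validity:
            break  # nothing changed: no further keys become reachable
        validity = updated
    return validity

if __name__ == "__main__":
    print(compute_validity("me", {"stefan": "full"}, SAMPLE_CERTS))
    print(compute_validity("me", {"stefan": "marginal"}, SAMPLE_CERTS))
```

With Stefan's ownertrust set to full, every key he certified at any level other than sig1 comes out fully valid; with marginal ownertrust the same keys are only marginally valid until three such introducers agree.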