On Sunday, 2 January 2022 16:45:47 CET Christoph Klassen via Gnupg-users wrote:
> On 02.01.22 15:05, Klaus Ethgen wrote:
> > Yes. But depends on your trust-model setting (see man page).
>
> Okay, I will read it. Sounds interesting because developers could decide
> to display the level of validation in their application, but if users
> change the settings, this could stop working.

Developers should always use gpg (e.g. via gpgme) to calculate the level of
validation.

> > The trust "ultimate" should only be set to your very own keys! You
> > never use that setting for anything else.
>
> I already thought that I shouldn't do this. But, wouldn't it be the same
> as when I sign a key? In the end both ways show that I trust the key and
> if I sign a key I do trust it ultimately.

Please be very careful to differentiate between owner trust and (level of)
validity. Unfortunately, very often people shorten both to "trust".

First, you don't trust keys, similarly as you don't trust id cards. You trust
(or don't trust) the "owner" of a key that they are doing a proper job when
they sign other keys, similarly as you trust or don't trust the issuers of id
cards that they are doing a proper job when they certify the identity of the
id card holder.

Now let's look at your above statement.

> But, wouldn't it be the same
> as when I sign a key? In the end both ways show that I trust the key and
> if I sign a key I do trust it ultimately.

No, it wouldn't be the same.

Let's assume you have only two keys A and B in your key ring that are not
your own keys. Let's further assume that key B is signed with key A. (And
let's assume the default trust model is used by gpg.)

If you sign key A, then key A will be considered valid by gpg but key B will
not be considered valid by gpg (unless you also signed key B).

If you set the owner trust of key A to "ultimate", then key A will be
considered valid by gpg (because ultimate owner trust implies full validity)
and key B will also be considered valid by gpg (because it has been signed
with a key whose owner you assigned ultimate trust).

Now, if you sign key A and set the owner trust of key A to "full", then key A
and key B will be considered valid by gpg.

With regard to the validity of the two keys A and B the result of the last
two cases is the same. But the semantics of key signatures and owner trust
are completely different.

You can share key signatures with other people (by exporting the public key
including your signatures), but you usually don't share the owner trust you
have assigned to keys with other people. The reason is simple: People may
trust you to do a proper job certifying keys you sign (e.g. by verifying the
identity of the owners of keys), so that they may tell their gpg to trust
your signatures. But people will most likely have a very different idea about
whom they trust.

Regards,
Ingo
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users