[wellylug] Meeting next week (GPG Key signing)
Olly Betts
olly at survex.com
Sun Jun 15 11:48:06 NZST 2014
On Sun, Jun 15, 2014 at 02:44:33AM +1200, Richard Hector wrote:
> On 15/06/14 00:40, Michael Fincham wrote:
> > 0 means you make no particular claim as to how carefully you
> > verified the key.
> >
> > 1 means you believe the key is owned by the person who claims to
> > own it but you could not, or did not verify the key at all. This
> > is useful for a "persona" verification, where you sign the key of
> > a pseudonymous user.
[...]
> Interesting. Looking at --list-sigs for my key, I can see that all are
> level 0 except my own signatures on my own key, which are level 3.
> That makes sense, I guess.
>
> The bit that seems more alarming is this bit from the manpage:
> --min-cert-level
>     When building the trust database, treat any signatures with a
>     certification level below this as invalid. Defaults to 2, which
>     disregards level 1 signatures. Note that level 0 "no particular
>     claim" signatures are always accepted.
>
> That seems to imply that I have to always trust the default level 0
> signatures, despite them being the least trustworthy. Or am I reading
> that wrong?
0 is more like "level of trust not specified" than "not very
trustworthy"; 1 is making an explicit statement that the signer
didn't verify identity of the other party.
Cheers,
Olly
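
Added example (not part of the original post or of GnuPG): a small parser that reads `gpg --with-colons --list-sigs` style output and applies the --min-cert-level rule quoted above to each certification. The sample records and key IDs are constructed, and `cert_levels` is a hypothetical helper name; the only thing assumed about the format is that field 11 of a `sig` record carries the signature class (0x10 to 0x13 for certification levels 0 to 3).

```python
import re

# Constructed sample in the style of `gpg --with-colons --list-sigs` output.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:
uid:u::::1400000000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Example User <user@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1402000000::::Signer B <b@example.org>:10x:
sig:::1:CCCCCCCCCCCCCCCC:1402000001::::Signer C <c@example.org>:11x:
sig:::1:DDDDDDDDDDDDDDDD:1402000002::::Signer D <d@example.org>:12l:
sub:u:4096:1:EEEEEEEEEEEEEEEE:1400000000::::::e:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Example User <user@example.org>:18x:
"""

# Two hex digits of signature class, then x (exportable) or l (local-only).
SIG_CLASS = re.compile(r"([0-9A-Fa-f]{2})[xl]")


def cert_levels(colon_output, min_cert_level=2):
    """Return (signer_keyid, level, passes_level_rule) per certification.

    passes_level_rule only reflects the --min-cert-level rule: level 0 is
    always accepted, other levels must be >= min_cert_level. Whether the
    signature verifies or the signer is trusted is not checked here.
    """
    results = []
    for line in colon_output.splitlines():
        fields = line.split(":")  # literal colons in user IDs are escaped
        if fields[0] != "sig" or len(fields) < 11:
            continue
        match = SIG_CLASS.fullmatch(fields[10])
        if not match:
            continue
        sig_class = int(match.group(1), 16)
        if not 0x10 <= sig_class <= 0x13:
            continue  # e.g. 0x18 subkey binding: not a certification
        level = sig_class - 0x10
        passes = level == 0 or level >= min_cert_level
        results.append((fields[4], level, passes))
    return results


if __name__ == "__main__":
    for keyid, level, passes in cert_levels(SAMPLE):
        print(keyid, "level", level, "accepted" if passes else "disregarded")
```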