On Monday 04 Aug 2003 11:15 pm, Simon Waters wrote:
> What I'm curious about is how to utilise the web of trust more effectively.

Have you tried: http://www.lysator.liu.se/~jc/wotsap/

It indicates the strongest path between two keys.

You -> Chris Boyle -> 1 of 5 including Edward Betts -> Bradley

> I was trying to establish a chain of trust to bkuhn@xxxxxxx DB41B387.

It depends on what you've set for trust in how well Edward Betts verifies key fingerprints etc. KGpg gives Edward Betts and Chris Boyle as fully trusted in my keyring. Bradley then gets a marginal trust. This is related to having my key signed by Phil Brooke's key and by Kai's (Kai has signed Edward Betts' key) - I trust their standards of key verification so keys that they have signed get fully trusted status in my keyring. However, I don't know Ed Betts or Chris Boyle, so I cannot trust their verification of Bradley, so he becomes marginal trust. Anyone whose key is only signed by Bradley Kuhn gets unknown trust.

I sign a key -> that key is fully trusted. (Yours, Phil Brooke, Neil S, etc.)

You sign a key -> that key shows as fully trusted because I've edited the trust on YOUR key to say how much I trust your verification. (Mad fool that I am.)

So Chris Boyle shows as fully trusted (because of you), as does Edward Betts (because of Kai). Next level up in the chain is marginal, beyond that is unknown. (There are exceptions.)

In your case, Chris Boyle has signed your key so I presume you've set him to full trust in gpg? What does KGpg show for Edward Betts? I daresay you haven't met Edward either, so you probably have him set as unknown or marginal trust in key verification; that would then leave Bradley as marginal at best. If you sign Kai's key, that would promote Edward Betts to full trust, putting Bradley at marginal.

If you want to fully trust Bradley's key, you'd either need to sign one of the five intermediary keys, Martin Michlmayr, Steve McIntyre, Dave Swegen or Ian Jackson, or sign Bradley's key direct. Alternatively, you might be able to find someone who has also signed one of these five keys and you could sign their key. Depending on your GnuPG settings, you might need to do that for two separate routes.

If you get along to the Plymouth meeting (plug!), and ask Phil Brooke to sign your key, you may find that strengthens the path as it should increase the validity of Bradley's key via Martin Michlmayr. Getting Kai to sign your key would also be a direct help.

Also, do a:

$ gpg --update-trustdb

If there are keys in your ring that could be marginal/full trust but you haven't edited your trust levels to allow it, gpg will prompt you and allow you to edit the trust in the appropriate key to allow the trust to be made.

> Mostly as FSF seem to be having security fun recently, signed MD5
> checksums are going to be required for everything, although I fear we
> need more trust to make it effective. Although I can demonstrate to the
> FSF satisfaction I am the guy who released the last few versions of GNU
> Chess (very complex man in the middle attacks excepted - they'd have to
> be able to intercept, and resign mail, ftp and other traffic.), I'm not
> sure they can prove I'm Simon Waters.... by their deeds so shall you
> know them.

> Somehow I use gnupg and don't "trust" Werner Koch, which seems a little
> odd to me, I'm sure I "trusted"ed Phil Zimmermann at one point, since if

You might trust Werner, but which Werner? I have had 7-8 keys for Werner in my keyring at one time or another and some have recently expired. His key is now unknown trust in my keyring, yet RMS is marginal trust because of various links. Anyone can create a key with Werner's name and email address in the UID.

With your signature of Chris Boyle, you should get at least marginal trust in Werner's key once you've signed Phil and Kai's keys. Werner's 0x5B0358A2 key is signed by Bradley Kuhn from your query but as that is a marginally trusted key in my keyring, it doesn't convey much trust on the next key up in the chain.

> I didn't trust the person who signed the distro of PGP what was the
> point in using the software?! So everyone ought to have a fairly tight
> line of trust to the GNUPG developers, and Werner signed Bradley's key.

Trusting the person and trusting the key are two separate issues. I'd say I trust Werner Koch but I don't have enough verification to sign his key, despite seeing endless messages from Werner on gnupg-users.

> But I figured Debian developers or security related free software
> professionals were a safe bet of being one or two hops from Bradley at
> most. So I quickly wrote a one line command to pull all the signatories
> of a key into my keyring, and worked back along the most promising
> lines, my keyring is now bulging at 5000+ keys, kgpg is crawling, and I
> still have no chain of trust.

Ouch. I'm at only 300. I use the wotsap pictures to cherry-pick which keys are useful and which are red herrings. It's not a simple click operation as the image doesn't represent the keyid as text so you have to type it by hand from the image, and sometimes only part of the keyid is shown. Still, it's a darned sight faster than importing all the signatories. KGpg actually runs at a reasonable speed!

> > I'm sure I'm missing something.

$ gpg --rebuild-keydb-caches
$ gpg --check-trustdb
$ gpg --update-trustdb

And yes, I do wish there was a quicker way of deleting all those keys. I am beginning to wonder if I shouldn't put the important keyID's into a database, delete the entire public keyring and start again. It's the only quick way to delete more than a couple of keys.

-- 
Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk
http://www.biglumber.com/x/web?sn=Neil+Williams
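The validity propagation discussed in this message, as an added example that is not part of the thread: a small model of GnuPG's classic trust computation (1 fully trusted or 3 marginally trusted introducers, paths of at most 5 hops) run over a keyring constructed from the names in the thread, seen from Simon's side. The signatures and ownertrust values are assumptions made for the example, as is the simplification that only fully valid keys act as introducers.

```python
"""Classic GnuPG web-of-trust validity over a constructed keyring (added example)."""
from collections import defaultdict

UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"  # ownertrust levels

def compute_validity(sigs, ownertrust, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return {key: validity} under gpg's classic rules (defaults: 1 full or 3 marginal
    introducers, paths of at most 5 hops).  sigs: (signer, signed) pairs; ownertrust:
    {key: level}, missing keys are UNKNOWN.  Assumption: only fully valid keys introduce."""
    signers_of, keys = defaultdict(set), set(ownertrust)
    for signer, signed in sigs:
        signers_of[signed].add(signer)
        keys.update((signer, signed))
    validity = {k: UNKNOWN for k in keys}
    introducers = {k for k, t in ownertrust.items() if t == ULTIMATE}   # your own key(s)
    validity.update({k: ULTIMATE for k in introducers})
    for _hop in range(max_cert_depth):              # one pass per step away from your key
        newly_full = set()
        for key, signers in signers_of.items():
            if validity[key] in (FULL, ULTIMATE):
                continue
            levels = [ownertrust.get(s, UNKNOWN) for s in signers & introducers]
            completes = sum(t in (FULL, ULTIMATE) for t in levels)   # your own sigs count here
            marginals = sum(t == MARGINAL for t in levels)
            if completes >= completes_needed or marginals >= marginals_needed:
                validity[key] = FULL
                newly_full.add(key)
            elif completes or marginals:            # some trusted signers, but not enough
                validity[key] = MARGINAL
        if not newly_full:                          # no new introducers: deeper hops change nothing
            break
        introducers |= newly_full
    return validity

# Constructed from the thread's cast, as seen from Simon's keyring; not real key data.
SIGS = [("Simon Waters", "Chris Boyle"), ("Chris Boyle", "Edward Betts"), ("Kai", "Edward Betts"),
        ("Edward Betts", "Bradley Kuhn"), ("Martin Michlmayr", "Bradley Kuhn"),
        ("Steve McIntyre", "Bradley Kuhn"), ("Bradley Kuhn", "Werner Koch")]
OWNERTRUST = {"Simon Waters": ULTIMATE, "Chris Boyle": FULL}

def after_changes(extra_sigs=(), extra_trust=None):
    """Validity map after the signing / `--edit-key ... trust` changes the message suggests."""
    return compute_validity(SIGS + list(extra_sigs), {**OWNERTRUST, **(extra_trust or {})})

if __name__ == "__main__":
    print(after_changes()["Bradley Kuhn"])                                    # unknown
    print(after_changes(extra_trust={"Edward Betts": MARGINAL})["Bradley Kuhn"])  # marginal
    print(after_changes([("Simon Waters", "Martin Michlmayr"), ("Simon Waters", "Steve McIntyre")],
                        dict.fromkeys(["Edward Betts", "Martin Michlmayr", "Steve McIntyre"],
                                      MARGINAL))["Bradley Kuhn"])             # full
```

Running it shows Bradley's key move from unknown to marginal to full as ownertrust is assigned to the intermediaries and two of them are signed directly, while Werner's key stays unknown until Bradley's own ownertrust is set.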