You set the level and limit of trust you have.
PGP has two types of Trust:
Implicit trust is when you sign someone's keys, period. It is usually published on various servers.
Explicit trust means you trust keys the individual signed, including those of people you've never met, and it is private.
If A met B and wanted to utilize a PGP suite, they'd have to sign each other's keys (Implicit Trust).
If B met C and signed each other's keys, they have implicit trust. However, A does not implicitly trust C. A would have to trust B to verify C's identity (Explicit Trust).
It matters which implementation you use. Let's say GnuPG:
Found in the GnuPG manual under 'Managing Your Web of Trust':
https://www.gnupg.org/gph/en/manual.html#AEN385
If A is using GnuPG, they would use the --completes-needed and --marginals-needed options, e.g.
gpg --completes-needed 1 --marginals-needed 3
So A doesn't implicitly trust B, C, D in this situation.
What if:
- A set completes-needed to 1 and marginals-needed to 3 and then explicitly trusts B
- Then, B signs (Implicitly trusts) C, D and E
- Last, F and G come along
- C, D and E implicitly trust F but not G.
At this point, A implicitly trusts F because C, D and E are marginals in this case.
Last, when you explicitly trust someone, you can choose the level at which you do so by editing the user's key:
gpg --edit-key B
Then issuing the trust command
trust
You'll get a prompt on the level of trust you have for that person.
Levels of trust, etc. are all explained in the manual
https://www.gnupg.org/gph/en/manual.html
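
The A-to-G scenario above can be worked through with a small simplified model of the validity rule behind --completes-needed and --marginals-needed. This is an added example, not code from the answer or from GnuPG. It assumes A has signed B's key and that A has assigned marginal owner trust to C, D and E; the function and variable names are hypothetical.

```python
# Simplified model of the validity rule described above (added example, not
# GnuPG's own code). Owner trust is private to A; signatures are public.
FULL, MARGINAL = "full", "marginal"

def valid_keys(owner, signatures, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return the set of keys `owner` treats as valid.

    signatures: signer -> set of keys that signer has signed.
    ownertrust: key -> FULL or MARGINAL, as set with `gpg --edit-key` / `trust`.
    max_depth is an assumed cap on how many signature hops are followed.
    """
    trust = dict(ownertrust)
    trust[owner] = FULL          # your own key counts as a fully trusted signer
    valid = {owner}
    all_signed = {k for signed in signatures.values() for k in signed}
    for _ in range(max_depth):   # one signature hop per round
        newly = set()
        for key in all_signed - valid:
            # Only signatures made by keys that are already valid count.
            signers = [s for s, signed in signatures.items()
                       if key in signed and s in valid]
            full = sum(trust.get(s) == FULL for s in signers)
            marginal = sum(trust.get(s) == MARGINAL for s in signers)
            if full >= completes_needed or marginal >= marginals_needed:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

# Constructed sample data mirroring the scenario in the answer.
SIGS = {
    "A": {"B"},                      # assumption: A signed B's key
    "B": {"C", "D", "E"},
    "C": {"F"}, "D": {"F"}, "E": {"F"},
}
# Assumption: A marked C, D and E as marginally trusted.
TRUST = {"B": FULL, "C": MARGINAL, "D": MARGINAL, "E": MARGINAL}

if __name__ == "__main__":
    print(sorted(valid_keys("A", SIGS, TRUST)))
```

Removing one of the three signatures on F, or leaving C, D and E without owner trust, drops F from the result, and G never appears because no valid key has signed it.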