Questions tagged [web-of-trust]
54 questions
37
votes
2 answers
If I sign someone else's key and later decide it was a bad idea, is it possible to un-sign it?
Let's say that I sign someone's key and then later decide that was a bad idea - either it was a bad idea at all, or I should have signed it with a different level of trust. Is it possible, both in a theoretical and also in a practical way, to…
Jason
- 1,319
- 10
- 17
19
votes
2 answers
What is the difference between "full" and "ultimate" trust?
When you trust a GnuPG key, you can choose one of these five options (and I'm assuming the same options exist in other OpenPGP tools):
1 = I don't know or won't say (undefined)
2 = I do NOT trust (never)
3 = I trust marginally
4 = I trust…
IQAndreas
- 6,557
- 8
- 32
- 51
16
votes
3 answers
What are you saying when you sign a PGP key?
When you sign a PGP/GPG key, what exactly are you saying to everyone who sees your signature? Are you validating the person, or the email address?
To explain what I mean, take the following two examples:
Validating the person: "I trust that the key…
IQAndreas
- 6,557
- 8
- 32
- 51
13
votes
2 answers
What is the meaning of GnuPG's --list-sigs output?
gpg --list-sigs gives me something like the following (I edited the output only to show the interesting/different rows):
pub 2048R/4ACE309C 2016-11-01
uid lala_test2
sig 3 4ACE309C 2016-11-01 lala_test2…
Lilás
- 339
- 2
- 7
11
votes
3 answers
Why don't PGP keyservers enforce double-opt-in?
One thing that I found out when starting to use PGP:
When I uploaded my keys to the SKS keyserver, the keyserver did not take any action to verify that I am who I claim to be.
Since a PGP key contains an email address, at least, the keyserver could…
sebastian nielsen
- 8,779
- 1
- 19
- 33
11
votes
3 answers
What is the web of trust?
I'm studying network and system security and I came across the phrase "web of trust". From Wikipedia:
In cryptography, a web of trust is a concept used in PGP, GnuPG, and
other OpenPGP-compatible systems to establish the authenticity of the
…
Amanuel Nega
- 215
- 1
- 2
- 7
8
votes
4 answers
Is the PGP Web of Trust / Keyserver infrastructure permanently broken?
I love the idea of decentralized trust, the web of trust, and the fact that anyone can run their own keyserver and isn't beholden to a centralized point of failure. But does the decentralized "feature" of the web of trust and the keyserver network…
Jason
- 1,319
- 10
- 17
7
votes
1 answer
Help - Somebody stole my OpenPGP key ID, what can I do?
I received a key transition statement because somebody found himself in the exact same situation described here. This issue will target more and more OpenPGP users in the future, probably even all of them. Instead of only replying in a private message,…
Jens Erat
- 23,446
- 12
- 72
- 96
7
votes
1 answer
Utility of multiple signing subkeys when we're restricted to a single encryption subkey in GnuPG (PGP)
As I understand it, GnuPG allows the creation of multiple subkeys, but multiple encryption subkeys are problematic because it's not clear which encryption subkey someone should use when sending a message. As such, by default, when a person sends a…
wyer33
- 203
- 1
- 7
7
votes
1 answer
Is it typical to create both x509 and OpenPGP key pairs?
I'm looking into increasing my use of signed and encrypted "things" - LibreOffice documents, Off-the-record chat, PDFs, emails, etc. I'm finding that some things only support x509-format certificates, and others only support OpenPGP…
scuzzy-delta
- 9,303
- 3
- 33
- 54
7
votes
1 answer
Sign GnuPG master key with own X.509 certificate?
Can I use a trusted X.509 digital certificate to facilitate the expansion of my personal web of trust?
To be more specific:
Can I use my X.509 certificate to sign my personal GnuPG master key?
Will recipients be able to use the CA's certificates to…
Matheus Moreira
- 321
- 3
- 16
6
votes
2 answers
Is an anonymity network like Tor viable on top of the GPG web of trust?
The web of trust is a graph where the vertices are GPG users (actually, their keys) and the edges are cross-signatures. If we put issues of owner trust aside and assume that all participants only sign after checking the key fingerprints, I can trust…
Turion
- 243
- 1
- 6
6
votes
3 answers
Why can't PGP/GPG Web-of-Trust be automated?
We heard lots of complaints about hard-to-use crypto tools, and recent ideas from Google on how to fix this. I had another idea about this which seems quite obvious, but couldn't find anything about it on the web.
The idea would be to automate the PGP…
werkderk
- 61
- 1
6
votes
3 answers
"Web of trust" for self-signed SSL certificates?
SSL certificates, generally speaking, use a "chain of trust" model - a trusted certificate authority (CA) gets proof that a company such as Amazon owns amazon.com and issues an SSL certificate.
However, certs can be expensive - and it doesn't make…
Jason
- 1,319
- 10
- 17
5
votes
1 answer
How should I choose a trust model in GnuPG?
GnuPG offers a set of different trust models, but the manual isn't sufficient (for me at least) to figure out which one to use.
Ideally, I would like a trust model that accepts the trust I explicitly assign to a key using GnuPG's --edit-key and…
Robert P. Goldman
- 151
- 4