Identity checks and trust
The OpenPGP web of trust is composed of keys linked to each other by two things:
- identity checks: signing a key means that you verified the link between a key with user IDs, an official identity document with a photograph, and a person with a face;
- trust: on your public key ring, you manually decide who you trust to correctly check other people's identity.
With these two pieces of information, GnuPG is able to determine whether or not the key of someone you never met can be trusted to belong to its alleged owner.
Signing a key is usually a binary action: either you sign it or you do not. Thus your signature on a key gives other people only rough identity check information and no trust information at all.
In fact, the OpenPGP standard does allow publishing precise identity check and trust information on signatures, but unfortunately this is not enabled by default in GnuPG. These features are called certification levels and trust signatures.
To indicate how carefully you verified someone's identity, run GnuPG with the option --ask-cert-level, or add ask-cert-level to your configuration file.
When you make a signature with this option, GnuPG will ask you how carefully you verified the key owner's identity. According to the manpage gpg(1), the available levels are:
- 0: no indication;
- 1: personal belief but no verification, useful for signing pseudonymous IDs;
- 2: casual verification;
- 3: extensive verification.
You can also indicate how much you trust someone: sign his key with tsign instead of sign. GnuPG will then ask you three questions:
- how far you trust him to verify other people's keys: marginally or fully (I personally only fully trust people who were trained or challenged by myself or by people I trust even more);
- how far you allow him to make trust signatures on your behalf: usually answer 1; answering 3 would allow him to issue trust signatures with level 2, thus allowing other people to issue trust signatures on your behalf (this feature exists to implement pyramidal certification systems, but can be interesting for signing your own keys when you have several);
- if you wish to restrict this signature to a domain: I have no idea what this means, so I give none.
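The certification level chosen with --ask-cert-level and the answers given to tsign are stored in the signature itself, and gpg reports them in its machine-readable output. The following Python script is an added example, not code from the original post or from GnuPG: it parses constructed records in the format of `gpg --with-colons --list-sigs` (the key IDs and addresses are placeholders) and reports, for each certification, its level, whether it is exportable, and, for trust signatures, the depth and the trust amount. The field positions follow GnuPG's doc/DETAILS; the record contents are constructed.

```python
# Added example (not from the original post): decode certification levels and
# trust signatures from the machine-readable output of
#   gpg --with-colons --list-sigs <keyid>
# Field layout follows GnuPG's doc/DETAILS: field 8 of a "sig" record carries
# "<depth> <amount>" for trust signatures, field 10 the signer's user ID and
# field 11 the signature class as two hex digits plus "x" (exportable) or
# "l" (local). Key IDs and user IDs below are constructed placeholders.
from dataclasses import dataclass
from typing import List, Optional

# Certification levels as asked for by --ask-cert-level (signature classes 0x10..0x13).
CERT_LEVEL_NAMES = {
    0: "no indication",
    1: "persona, not verified",
    2: "casual verification",
    3: "extensive verification",
}
# Trust amounts used by tsign: 60 = marginal, 120 = full.
TRUST_AMOUNT_NAMES = {60: "marginal", 120: "full"}


@dataclass
class Certification:
    signed_uid: str            # user ID the signature certifies (preceding "uid" record)
    signer_keyid: str          # long key ID of the signer
    signer_uid: str            # signer's user ID as printed by gpg
    cert_level: int            # 0..3
    exportable: bool           # False for local (lsign-style) signatures
    tsig_depth: Optional[int] = None   # set only for trust signatures
    tsig_amount: Optional[int] = None


def parse_sig_class(field: str):
    """Split a class field such as '13x' into (class byte, exportable flag)."""
    return int(field[:2], 16), field[2:3] == "x"


def parse_list_sigs(text: str) -> List[Certification]:
    """Return the certification signatures (class 0x10..0x13) found in --with-colons output."""
    certs: List[Certification] = []
    current_uid = ""
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            current_uid = f[9]          # field 10: the user ID being certified
        elif f[0] == "sig" and len(f) > 10:
            sig_class, exportable = parse_sig_class(f[10])
            if not 0x10 <= sig_class <= 0x13:
                continue                # e.g. 0x18 subkey binding, 0x1F direct-key signature
            cert = Certification(
                signed_uid=current_uid,
                signer_keyid=f[4],
                signer_uid=f[9],
                cert_level=sig_class - 0x10,
                exportable=exportable,
            )
            if f[7].strip():            # field 8: "<depth> <amount>" only on trust signatures
                depth, amount = f[7].split()
                cert.tsig_depth, cert.tsig_amount = int(depth), int(amount)
            certs.append(cert)
    return certs


def describe(cert: Certification) -> str:
    """One-line human-readable summary of a certification."""
    kind = "local " if not cert.exportable else ""
    text = (f"{kind}certification of '{cert.signed_uid}' by {cert.signer_keyid} "
            f"({cert.signer_uid}): level {cert.cert_level}, {CERT_LEVEL_NAMES[cert.cert_level]}")
    if cert.tsig_depth is not None:
        amount = TRUST_AMOUNT_NAMES.get(cert.tsig_amount, str(cert.tsig_amount))
        text += f"; trust signature, depth {cert.tsig_depth}, {amount} trust"
    return text


# Constructed sample output; the key IDs and addresses are placeholders, not real keys.
SAMPLE = """\
pub:f:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
uid:f::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Person <person@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1600000000::::Example Person <person@example.org>:13x::::::8:
sig:::1:BBBBBBBBBBBBBBBB:1650000000::::Casual Verifier <casual@example.org>:12x::::::8:
sig:::1:CCCCCCCCCCCCCCCC:1660000000::1 120::Trusted Introducer <intro@example.org>:13x::::::8:
sig:::1:DDDDDDDDDDDDDDDD:1670000000::::Local Signer <local@example.org>:10l::::::8:
sub:f:4096:1:EEEEEEEEEEEEEEEE:1600000000::::::e::::::23:
sig:::1:AAAAAAAAAAAAAAAA:1600000000::::Example Person <person@example.org>:18x::::::8:
"""

if __name__ == "__main__":
    for cert in parse_list_sigs(SAMPLE):
        print(describe(cert))
```

Run it against the real thing with `gpg --with-colons --list-sigs <keyid> | python3 thisscript.py` after replacing SAMPLE with stdin; a signature made with --ask-cert-level shows up as class 11x, 12x or 13x instead of the default 10x, and one made with tsign carries the depth and amount in field 8. Subkey binding signatures (18x) are ignored because they say nothing about identity checks.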
Although certification levels and trust signatures are not very widely used, thanks to GnuPG's default settings, they allow publishing more information about your signatures, adding value to the web of trust at no cost, which I believe is a good thing. Thus I think it is worth doing.
If you want to use these features with the caff wrapper, remember that it has its own GnuPG configuration .caff/gnupghome/gpg.conf. In addition, it does not implement trust signatures natively: to use them, you have to abort the automatic signing, which gives you a GnuPG prompt, where you are then able to tsign, then exit to return to caff that will consider your
- Wikimedia Commons for Saint Peter's key photograph, GFDL 1.2 licensed.