KeyValidity is an OpenPGPConcept that relates to the ownership of keys.
Conceptually, a key is valid if it is actually controlled by the person it purports to belong to. Determining KeyValidity can be a complicated process, and the result is usually expressed as ValidityTrust.
- ValidityTrust describes the degree of confidence that a key is valid. A person may gain ValidityTrust in a key either by personally verifying it via the steps below, or through a CalculatedTrust metric.
- CalculatedTrust describes the confidence in a key that a person has not personally verified; it is calculated using the WebOfTrust.
Technically, GPG regards a key in a keyring as valid if:
- It is signed directly by the owner of the keyring (ie. by a key whose OwnerTrust is Ultimate), OR
- It is signed by enough other keys that are themselves valid and whose holders the owner of the keyring trusts (ie. CalculatedTrust).
When calculating trust, the OwnerTrust values you have assigned to other keys are used to decide the validity of the key in question. OwnerTrust is a private, local setting; it is never published with the key. With the default settings, a key is valid if one of the following is true:
- It is signed by a fully trusted key (ie. a key that is itself valid, typically because you have signed it, and whose OwnerTrust you have set to Full), OR
- It is signed by three marginally trusted keys (ie. valid keys whose OwnerTrust you have set to Marginal).
The reasoning behind this is that if three separate people in whom you have marginal trust have come to independent conclusions (after performing the Key Verification steps below) that the key is valid, you can trust it to be valid. And if someone you fully trust has determined a key to be valid, you can trust it as well. Signatures from keys that are not themselves valid are ignored, however much OwnerTrust you have assigned to them. The number of fully trusted and marginally trusted keys required to establish validity, and how many hops of signatures GPG will follow, can be modified in the GPG configuration file with the completes-needed (default 1), marginals-needed (default 3) and max-cert-depth (default 5) options.
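The rule above is easier to see in code. The following is an added example, not code from the original page or from GnuPG: a simplified model of how validity is derived from certification signatures and OwnerTrust, with the three thresholds named after the gpg.conf options. The keyring it operates on is constructed for the example; the key IDs are placeholders.

```python
"""Added example (not from the original page): a simplified model of how
GnuPG derives key validity from certification signatures and the OwnerTrust
you have assigned.  A key is valid when it is certified by at least
`completes_needed` fully trusted keys (default 1) or `marginals_needed`
marginally trusted keys (default 3), where only signers that are themselves
already valid count, and the walk stops after `max_cert_depth` hops
(default 5).  The parameter names mirror the gpg.conf options."""
from dataclasses import dataclass, field

# OwnerTrust levels, as set with `gpg --edit-key <id>` and the `trust` command.
ULTIMATE, FULL, MARGINAL, UNKNOWN, NEVER = "ultimate", "full", "marginal", "unknown", "never"


@dataclass
class Key:
    keyid: str
    # Key IDs whose certification signatures appear on this key.
    signers: set = field(default_factory=set)


def compute_validity(keys, ownertrust, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return {keyid: depth} for every key that ends up valid.

    Depth 0 is your own key(s), marked ULTIMATE.  At each further depth a key
    becomes valid if enough signatures from keys valid at a *shallower* depth
    come from holders you trust fully or marginally.  OwnerTrust on a key that
    is not itself valid contributes nothing, which is why assigning Full trust
    to an unverified key does not make its signatures count."""
    depth_of = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE and k in keys}
    for depth in range(1, max_cert_depth + 1):
        newly = set()
        for key in keys.values():
            if key.keyid in depth_of:
                continue
            fulls = marginals = 0
            for signer in key.signers:
                if signer not in depth_of:
                    continue            # unvalidated signer: its signature is ignored
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    fulls += 1
                elif trust == MARGINAL:
                    marginals += 1
            if fulls >= completes_needed or marginals >= marginals_needed:
                newly.add(key.keyid)
        if not newly:
            break                       # nothing changed at this depth, so nothing will later
        for keyid in newly:
            depth_of[keyid] = depth
    return depth_of


def example_keyring():
    """Constructed keyring (placeholder key IDs): ME has signed ALICE, BOB, CAROL and FRANK."""
    keys = {k: Key(k) for k in ["ME", "ALICE", "BOB", "CAROL", "DAVE", "EVE", "FRANK", "GRACE", "HEIDI"]}
    for k in ("ALICE", "BOB", "CAROL", "FRANK"):
        keys[k].signers.add("ME")
    keys["DAVE"].signers |= {"ALICE", "BOB", "CAROL"}   # three marginally trusted signers
    keys["EVE"].signers |= {"ALICE", "BOB"}             # only two marginally trusted signers
    keys["GRACE"].signers.add("FRANK")                  # one fully trusted signer
    keys["HEIDI"].signers.add("GRACE")                  # GRACE is valid but has no OwnerTrust set
    ownertrust = {"ME": ULTIMATE, "ALICE": MARGINAL, "BOB": MARGINAL, "CAROL": MARGINAL, "FRANK": FULL}
    return keys, ownertrust


if __name__ == "__main__":
    keys, ownertrust = example_keyring()
    for keyid, depth in sorted(compute_validity(keys, ownertrust).items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{keyid:6} valid (depth {depth})")
    # Loosening marginals-needed to 2 additionally validates EVE:
    print("EVE valid with marginals_needed=2:", "EVE" in compute_validity(keys, ownertrust, marginals_needed=2))
```

Running it shows DAVE becoming valid at depth 2 through three marginal signers and GRACE through one fully trusted signer, while EVE (two marginals) and HEIDI (signed only by a key with no OwnerTrust) stay invalid. Setting max_cert_depth to 1 cuts the walk off after the keys you signed yourself.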
Key Verification
To personally verify the validity of a key, you need to ensure that the public key belongs to the person who it purports to belong to. The OpenPGP standard purposefully does not define a trust model, or a definitive standard that should be used for determining ownership of a key. It is left up to the user to satisfy themselves that the key is correctly owned before signing it.
A suggested method of verifying the validity of a key is:
- Retrieve the public key from a key server and note down the key details (fingerprint, key type, key length and uids). The fingerprint is the detail that actually identifies the key; a key ID alone is not sufficient, because different keys can share one.
- Personally meet the owner of the key; they should give you a trusted copy of the key details (for example, a printed slip with the full fingerprint).
- Verify that your copy of the key details matches the trusted copy of the key details given to you by the key owner, comparing the entire fingerprint rather than just the last few digits.
- Ask the key owner to show you some identification; it is suggested that two pieces of hard-to-forge photo identification be sighted. You should ensure that the uid(s) on the key match the names on the identification you are shown.
- At this point, depending on how thorough you want to be, you may trust the key. If so, skip to the end; otherwise you may opt to further verify the uids of the key.
- For each user id on the key, send a message containing a fresh random token, encrypted with the public key in question, to that user id's email address.
- Ask the key owner to decrypt each message and tell you the token. This proves they control both the secret key and the email address in that user id.
- Once they have done this for each user id on the key, you have successfully verified the validity of the key.
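The bookkeeping for the procedure above, as an added example that is not part of the original page or of GnuPG: it parses the machine-readable output of `gpg --with-colons --fingerprint` for the copy fetched from a keyserver, compares the fingerprint with the trusted copy the owner handed over, checks each user ID's name against the names on the identification sighted, and tracks one random token per user ID for the decryption challenge. Encrypting and mailing each token is still done with gpg out of band. The key listing embedded below is constructed for the example and is not a real key.

```python
"""Added example (not from the original page): helpers for the key
verification procedure.  The --with-colons field positions used here are
GnuPG's: field 10 of an fpr record is the fingerprint and field 10 of a uid
record is the user ID (see doc/DETAILS in the GnuPG source)."""
import hmac
import re
import secrets

# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output (not a real key).
KEYSERVER_COPY = """\
pub:-:4096:1:6D7E8F9001234567:1500000000::-:::scESC::::::23::0:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001234567:
uid:-::::1500000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
uid:-::::1500000000::1111111111111111111111111111111111111111::Alice Example <alice@example.net>::::::::::0:
"""


def _unescape(field):
    """gpg escapes ':' and non-printable bytes inside user IDs as \\xHH."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), field)


def parse_key_details(colons_output):
    """Extract key type, length, key ID, fingerprint and user IDs from --with-colons output."""
    details = {"uids": []}
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            details.update(length=int(f[2]), algo=int(f[3]), keyid=f[4])
        elif f[0] == "fpr" and "fingerprint" not in details:
            details["fingerprint"] = f[9]        # first fpr record belongs to the primary key
        elif f[0] == "uid":
            details["uids"].append(_unescape(f[9]))
    return details


def normalize_fingerprint(text):
    """Accept the spaced form gpg prints (A1B2 C3D4 ...) as well as the bare hex string."""
    return re.sub(r"\s+", "", text).upper()


def fingerprint_matches(ours, trusted_copy):
    """Compare full fingerprints only; a 16-digit key ID from the owner is not enough."""
    trusted = normalize_fingerprint(trusted_copy)
    if len(trusted) < 40:
        raise ValueError("trusted copy is a key ID, not a full fingerprint; ask for the fingerprint")
    return normalize_fingerprint(ours) == trusted


UID_RE = re.compile(r"^\s*(?P<name>[^<(]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*<(?P<email>[^>]+)>\s*$")


def split_uid(uid):
    """Split 'Name (comment) <email>' into (name, email)."""
    m = UID_RE.match(uid)
    if not m:
        raise ValueError(f"unparseable user ID: {uid!r}")
    return m.group("name"), m.group("email")


def uids_not_on_identification(uids, names_on_id):
    """Return the user IDs whose name part does not appear on the documents sighted."""
    allowed = {n.casefold() for n in names_on_id}
    return [uid for uid in uids if split_uid(uid)[0].casefold() not in allowed]


def issue_challenges(uids):
    """One fresh random token per user ID; encrypt each to the key and mail it to that address."""
    return {split_uid(uid)[1]: secrets.token_hex(16) for uid in uids}


def verify_reply(pending, email, decrypted_token):
    """The owner reports the decrypted token; compare in constant time and retire the challenge."""
    expected = pending.get(email)
    if expected is None or not hmac.compare_digest(expected.encode(), decrypted_token.encode()):
        return False
    del pending[email]
    return True


def verification_complete(pending):
    """True once every user ID has answered its own challenge."""
    return not pending
```

A typical session parses the keyserver copy, calls fingerprint_matches with the string on the owner's slip, confirms uids_not_on_identification returns an empty list, then issues one challenge per address and calls verify_reply as the owner reports each decrypted token. Only when verification_complete is true have all user IDs been tied to the secret key.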
Once you have verified the validity of a key you should sign it (see SigningAKey) to indicate that you trust its validity. A signature certifies a particular user id rather than the key as a whole, so sign only the user ids you actually verified. This helps to expand the WebOfTrust and increase the usefulness of the OpenPGP system.
Part of CategoryCryptography