• Working with trust / key signing.

    From joe@raspberry.invalid@21:1/5 to All on Wed Mar 2 06:06:37 2022
    Hello Newsgroup, or shall I say "breaker 1-9" as Usenet seems to be
    about as active as CB radio is these days...

    I'm trying to wrap my head around the trust levels.

    I get the idea that I can sign someone's key which will let people know
    that key is more trustworthy, assuming they trust my key.

    What I don't understand, and I'm hoping you can help me, is how to
    export and import that trust. All the guides I've seen talk about
    keyservers, but suppose I don't have access to the keyserver?

    Something like:

    $ gpg --sign-key [keyid]


    $ gpg --export-trustdb-or-something [keyid] >file.cert

    Where "file.cert" would, presumably, have my key along with the key I
    signed that could then be imported by other people.

    There's this: --export-ownertrust

    But it's just a text file of fingerprint and my trust levels. Anyone
    could create a text file like that and feed it into gpg with new trust
    levels. It's not signed, I can't say "import these levels, but only
    accept them if they came from someone I trust"

    What am I missing?

    Thanks to any ghosts of usenet past for answering. :-)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to joe@raspberry.invalid on Tue Mar 1 23:27:09 2022
    On 3/1/22 11:06 PM, joe@raspberry.invalid wrote:
    > Hello Newsgroup, or shall I say "breaker 1-9" as Usenet seems to be
    > about as active as CB radio is these days...

    There are still some of us active on Usenet. You and I make +2 in this
    newsgroup. There are other newsgroups that are quite active.

    > I'm trying to wrap my head around the trust levels.

    I'm aware of trust levels, but I don't remember the particulars. I'd
    have to go back and re-read pertinent parts of books. Michael W.
    Lucas's PGP / GPG book comes to mind.

    > But it's just a text file of fingerprint and my trust levels. Anyone
    > could create a text file like that and feed it into gpg with new
    > trust levels. It's not signed, I can't say "import these levels,
    > but only accept them if they came from someone I trust"

    I really thought that there was more to it. But there's a good chance
    that the more to it is actually in the fingerprint or better described
    as the data that we humans don't natively interpret.

    I distinctly remember reading something in the aforementioned book
    wherein the signed public key was exportable, including your signature,
    which the key owner could import to gain your signature. I'd have to
    re-read the germane section of the book.

    > What am I missing?

    I don't know what you're missing, but I strongly suspect that there is
    something missing.

    > Thanks to any ghosts of usenet past for answering. :-)

    <boo type="friendly"/>



    --
    Grant. . . .
    unix || die

  • From David E. Ross@21:1/5 to joe@raspberry.invalid on Tue Mar 1 22:43:56 2022
    On 3/1/2022 10:06 PM, joe@raspberry.invalid wrote:
    > Hello Newsgroup, or shall I say "breaker 1-9" as Usenet seems to be
    > about as active as CB radio is these days...
    >
    > I'm trying to wrap my head around the trust levels.
    >
    > I get the idea that I can sign someone's key which will let people know
    > that key is more trustworthy, assuming they trust my key.
    >
    > What I don't understand, and I'm hoping you can help me, is how to
    > export and import that trust. All the guides I've seen talk about
    > keyservers, but suppose I don't have access to the keyserver?
    >
    > Something like:
    >
    > $ gpg --sign-key [keyid]
    >
    > $ gpg --export-trustdb-or-something [keyid] >file.cert
    >
    > Where "file.cert" would, presumably, have my key along with the key I
    > signed that could then be imported by other people.
    >
    > There's this: --export-ownertrust
    >
    > But it's just a text file of fingerprint and my trust levels. Anyone
    > could create a text file like that and feed it into gpg with new trust
    > levels. It's not signed, I can't say "import these levels, but only
    > accept them if they came from someone I trust"
    >
    > What am I missing?
    >
    > Thanks to any ghosts of usenet past for answering. :-)

    If you have access to the Internet, then you have access to a number of
    public key servers. You sign someone else's PUBLIC key using your own
    PRIVATE key. You then upload that PUBLIC key to a key server. (NEVER
    upload your own private key.)

    Access a key server by using your Web browser. See my <http://www.rossde.com/PGP/pgp_keyserv.html> for a list that includes
    links to servers. When you are at the Web site of a server, you should
    see a link to search for a public key and a link to upload a public key.

    Courtesy requires you to find out if the owner of that public key wants
    the signed key to appear on a server. If the owner does indeed want it uploaded, find out which servers the owner prefers. This last thing is important because many servers have stopped synchronizing with other
    servers.

    --
    David E. Ross
    "A Message to Those Who Are Not Vaccinated"
    See my <http://www.rossde.com/index.html#vaccine>.

  • From Arthur T.@21:1/5 to joe@raspberry.invalid on Wed Mar 2 02:07:33 2022
    Note: much unmarked snippage in quoted text.

    In Message-ID:<svn1ha$sic$1@gioia.aioe.org>,
    <joe@raspberry.invalid> wrote:
    > I'm trying to wrap my head around the trust levels.
    >
    > I get the idea that I can sign someone's key which will let people know
    > that key is more trustworthy, assuming they trust my key.
    >
    > What I don't understand, and I'm hoping you can help me, is how to
    > export and import that trust.
    >
    > Something like:
    >
    > $ gpg --sign-key [keyid]
    >
    > $ gpg --export-trustdb-or-something [keyid] >file.cert
    >
    > Where "file.cert" would, presumably, have my key along with the key I
    > signed that could then be imported by other people.
    >
    > What am I missing?

    It's been a long time, but I think this is correct. If not, I'm sure
    that Cunningham's law will prevail.

    For ease of writing, I'll assume that [keyid] belongs to Alice's key.

    Your command "gpg --sign-key [keyid]" alters Alice's key in your
    keyring to show that you've signed it. If you export her key and send
    it to Bob, it will show that your key signed it. If Bob already has
    your key (and he trusts you), he'll trust Alice's key.

    Better yet, though, is to send your signed version of Alice's key
    back to Alice. When she imports it, your signature will be added to
    all of the other signatures she already has. Thus, when she sends it
    to Bob, it'll have all of the signatures she's reaped.

    Note that if Bob doesn't already have your key, he has to get it.
    That could be directly from you, from Alice, or wherever. Your key
    should have as many signers as possible so that Bob can trust that
    it's actually yours. Otherwise, he needs to find some other way to
    verify it. For instance, if he knows you, you can meet, call, or text
    and exchange your key's fingerprint.

    And, of course, you get signers by having people sign your key and
    sending it back to you.

    --
    Arthur T. - ar23hur "at" pobox "dot" com

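    The exchange Arthur describes above, replayed end to end as an added example
    (this is not code from the thread or from GnuPG itself). Three throw-away
    keyrings stand in for "me", Alice and Bob; the names, addresses and the
    temporary directory layout are made up for the demonstration. It assumes gpg
    2.1 or newer on PATH, since it uses the --quick-* commands and loopback pinentry.

```shell
#!/bin/sh
# Added example: simulate three people with three separate GnuPG home directories.
# Assumes gpg 2.1+; every name/address below is invented for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "this example needs gpg 2.1 or newer on PATH" >&2; exit 0; }

WORK=$(mktemp -d)
cleanup() {
    for who in me alice bob; do gpgconf --homedir "$WORK/$who" --kill all 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg inside one person's private keyring, fully non-interactive.
gpg_as() {
    who=$1; shift
    gpg --homedir "$WORK/$who" --batch --no-tty --quiet \
        --pinentry-mode loopback --passphrase '' "$@"
}
# Fingerprint of the (only) secret key in a keyring.
fpr_of() {
    gpg_as "$1" --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}
# Calculated validity of key $2 as seen from keyring $1:
# 'f' fully valid, 'u' ultimate, 'm' marginal, '-' or 'q' not valid.
validity_in() {
    gpg_as "$1" --check-trustdb 2>/dev/null || true
    gpg_as "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "pub" { print $2; exit }'
}
# Number of certifications on key $2 issued by key id $3, as stored in keyring $1.
sig_count_from() {
    gpg_as "$1" --with-colons --list-sigs "$2" \
        | awk -F: -v k="$3" '$1 == "sig" && $5 == k' | wc -l | tr -d ' '
}

for who in me alice bob; do mkdir -m 700 "$WORK/$who"; done
# A key gpg generates itself gets ultimate ownertrust in that keyring only.
gpg_as me    --quick-generate-key 'Me Myself <me@example.invalid>'        default default never
gpg_as alice --quick-generate-key 'Alice Example <alice@example.invalid>' default default never
gpg_as bob   --quick-generate-key 'Bob Example <bob@example.invalid>'     default default never
ME=$(fpr_of me); ALICE=$(fpr_of alice)
ME_KID=$(printf '%s' "$ME" | tail -c 16)   # long key id = last 16 hex digits of the fingerprint

# 1. Alice hands me her public key.  After checking the fingerprint with her
#    out of band I certify it; the signature is stored inside her key in MY keyring.
gpg_as alice --export --armor "$ALICE" > "$WORK/alice.asc"
gpg_as me --import "$WORK/alice.asc"
gpg_as me --quick-sign-key "$ALICE"

# 2. The "file.cert" the original post asks about is just the key exported again:
#    --export carries every certification the key has collected, mine included.
gpg_as me --export --armor "$ALICE" > "$WORK/alice-signed-by-me.asc"
gpg_as me --export --armor "$ME"    > "$WORK/me.asc"

# 3. Alice imports that file; gpg merges my signature with the ones she already has.
gpg_as alice --import "$WORK/alice-signed-by-me.asc"

# 4. Bob imports my key and Alice's signed key.  My signature does nothing for him yet:
gpg_as bob --import "$WORK/me.asc" "$WORK/alice-signed-by-me.asc"
ALICE_VALIDITY_BEFORE=$(validity_in bob "$ALICE")
#    ...until Bob (a) verifies MY fingerprint himself and records that with a local,
#    non-exportable signature, and (b) decides how far he trusts me as an introducer.
#    Ownertrust is Bob's private opinion, kept only in his trustdb; that is why
#    --export-ownertrust is a plain unsigned text file and never travels with a key.
gpg_as bob --quick-lsign-key "$ME"
printf '%s:5:\n' "$ME" | gpg_as bob --import-ownertrust     # 5 = full, 4 = marginal
ALICE_VALIDITY_AFTER=$(validity_in bob "$ALICE")

echo "Alice's key as Bob sees it: before=$ALICE_VALIDITY_BEFORE after=$ALICE_VALIDITY_AFTER"
echo "Certifications from me on Alice's own copy: $(sig_count_from alice "$ALICE" "$ME_KID")"
```

    The thing to notice is that nothing about trust is ever exported: the
    certification travels inside the key itself, and each person decides
    locally (lsign plus ownertrust) whose certifications they will act on. A
    forged ownertrust file is therefore only a threat to the keyring it is fed
    into, and a signed key from an unknown signer is simply ignored.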
  • From David W. Hodgins@21:1/5 to joe@raspberry.invalid on Wed Mar 2 06:47:30 2022
    On Wed, 02 Mar 2022 01:06:37 -0500, <joe@raspberry.invalid> wrote:
    > Hello Newsgroup, or shall I say "breaker 1-9" as Usenet seems to be
    > about as active as CB radio is these days...

    :-)

    > I'm trying to wrap my head around the trust levels.

    Others have answered the specific question. Just wanted to point out there is https://www.gnupg.org/faq/gnupg-faq.html that has a lot of info too.

    Regards, Dave Hodgins

  • From joe@example.invalid@21:1/5 to David W. Hodgins on Thu Mar 3 04:44:19 2022
    David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    > On Wed, 02 Mar 2022 01:06:37 -0500, <joe@raspberry.invalid> wrote:
    >> Hello Newsgroup, or shall I say "breaker 1-9" as Usenet seems to be
    >> about as active as CB radio is these days...
    >
    > :-)
    >
    >> I'm trying to wrap my head around the trust levels.
    >
    > Others have answered the specific question. Just wanted to point out
    > there is https://www.gnupg.org/faq/gnupg-faq.html that has a lot of info too.

    I am really impressed anyone answered at all!

    I do have the gpg info files installed, there's a zillion pages out
    there filled with information about PGP, but not much about how the web
    of trust works, or at least, none that I found (perhaps because it was
    buried under the 500,000 pages offering helpful advice on how to setup
    PGP)

    I was thinking using the gnupg module from Python would be easier, but
    I'm starting to get the impression it would be better to just write the
    methods I need and invoke the binary myself.

    Thank you to everyone who replied. It makes my day that people are still
    using usenet. I have a lot of fond memories of it, from back in the
    golden days.

  • From David W. Hodgins@21:1/5 to joe@example.invalid on Thu Mar 3 00:40:07 2022
    On Wed, 02 Mar 2022 23:44:19 -0500, <joe@example.invalid> wrote:

    > David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    >> On Wed, 02 Mar 2022 01:06:37 -0500, <joe@raspberry.invalid> wrote:
    >>> Hello Newsgroup, or shall I say "breaker 1-9" as Usenet seems to be
    >>> about as active as CB radio is these days...
    >>
    >> :-)
    >>
    >>> I'm trying to wrap my head around the trust levels.
    >>
    >> Others have answered the specific question. Just wanted to point out there is
    >> https://www.gnupg.org/faq/gnupg-faq.html that has a lot of info too.
    >
    > I am really impressed anyone answered at all!
    >
    > I do have the gpg info files installed, there's a zillion pages out
    > there filled with information about PGP, but not much about how the web
    > of trust works, or at least, none that I found (perhaps because it was
    > buried under the 500,000 pages offering helpful advice on how to setup
    > PGP)

    See https://www.rossde.com/PGP/pgp_signatures.html#keys

    Note that Thunderbird can generate its own keys for encryption, but doesn't use
    the web of trust like gpg/pgp.

    Regards, Dave Hodgins
