Let's say I trust person A (whose public key is in a key server) and I want to know if I can also trust person B (pub key is also in a key server).

How can I verify that I have a chain of trust between person A and B? Or better: that I can verify if there is a chain from any person that I trust to person B?

Lilás

1 Answer

Validating keys means finding a path based on certifications, where all intermediate keys are also valid. This requires valid (there is a trust path to those keys) and trusted (they are considered for validating other keys) intermediate keys, and certifications issued by those keys (which form the edges between the keys).

> How can I verify that I have a chain of trust between person A and B?

GnuPG will do this for you: it will calculate the trusted part of your local view on the web of trust based on certifications and configured trust.

> Or better: that I can verify if there is a chain from any person that I trust to person B?

For the general case, this requires knowledge of the whole OpenPGP web of trust. The PGP pathfinder is a website doing exactly this for you without having to store a local dump of all keys. Using the wotsap software, you can also do this locally, but it is rather involved.

Both applications only list possible trust paths, but these provide support in validating intermediate keys within GnuPG (and issuing trust on the go) until you have been able to validate the target key.

Jens Erat
  • Thank you for your answer, I didn't know about those tools, thank you for that. Now I have to figure out how I can see the trust calculation of gpg from my local view. – Lilás Nov 01 '16 at 17:23
  • While not immediately fit for your task, [I discussed GnuPG's output on information to the web of trust some time ago](http://security.stackexchange.com/q/41208/19837). – Jens Erat Nov 01 '16 at 18:33
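As an added illustration of the valid-versus-trusted distinction the answer describes (this is example code written for this page, not part of GnuPG or the answer), the script below computes key validity over a constructed local web-of-trust view and then searches for a certification chain from an ultimately trusted key to a target. Key names, ownertrust assignments and certifications are all made up; the thresholds mirror GnuPG's classic defaults (marginals-needed 3, completes-needed 1, max-cert-depth 5).

```python
from collections import deque

# Constructed sample of a local web-of-trust view (not a real gpg trustdb dump).
# Ownertrust uses GnuPG's letters: u = ultimate, f = full, m = marginal, - = unknown.
OWNERTRUST = {"me": "u", "A": "f", "C": "m", "D": "m", "E": "m", "X": "-", "B": "-"}

# Certifications (key signatures): signer -> keys it certified. These are the edges.
CERTIFICATIONS = {
    "me": {"A", "C", "D", "E"},
    "A": {"X"},
    "X": {"B"},   # X will be valid but untrusted, so this edge does not validate B
    "C": {"B"}, "D": {"B"}, "E": {"B"},
}

def compute_validity(ownertrust, certs, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return {key: depth} for every valid key, following GnuPG's trust model:
    ultimately trusted keys are valid at depth 0; any other key becomes valid once it
    is certified by >= completes_needed fully trusted valid keys or >= marginals_needed
    marginally trusted valid keys, all of which must sit above max_cert_depth."""
    depth = {k: 0 for k, t in ownertrust.items() if t == "u"}
    all_keys = set(ownertrust) | set(certs) | {k for s in certs.values() for k in s}
    changed = True
    while changed:
        changed = False
        for key in all_keys - set(depth):
            certifiers = [(s, d) for s, d in depth.items()
                          if key in certs.get(s, ()) and d < max_cert_depth]
            full = [d for s, d in certifiers if ownertrust.get(s, "-") in "uf"]
            marginal = [d for s, d in certifiers if ownertrust.get(s, "-") == "m"]
            if len(full) >= completes_needed or len(marginal) >= marginals_needed:
                depth[key] = 1 + min(full + marginal)
                changed = True
    return depth

def trust_path(ownertrust, certs, target):
    """Breadth-first search for a certification chain from an ultimately trusted key
    to target that passes only through keys which are both valid and trusted, i.e. a
    chain GnuPG itself would accept. Returns the list of keys, or None if no chain exists."""
    depth = compute_validity(ownertrust, certs)
    if target not in depth:
        return None
    starts = [k for k, d in depth.items() if d == 0]
    queue, seen = deque([[s] for s in starts]), set(starts)
    while queue:
        path = queue.popleft()
        head = path[-1]
        if head == target:
            return path
        if ownertrust.get(head, "-") not in "ufm":
            continue  # a valid but untrusted key cannot extend the chain
        for nxt in sorted(certs.get(head, ())):
            if nxt in depth and nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

Dropping ownertrust on any one of C, D or E leaves B with only two marginal certifiers, so B becomes invalid and no chain is reported, even though X's certification of B still exists.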