Kate's Comment

Thoughts on British ICT, energy & environment, cloud computing and security from Memset's MD

What do PGP trust levels mean and which should I use?

Following my posts on how to send and receive secure, encrypted emails in Thunderbird with PGP and how to add additional email addresses to your GPG identity, many of the people I’ve been encouraging to use PGP have asked how to decide what level of trust to set for someone’s key.

The definitive guide is here here, a modified excerpt of which is below:

Trust in a key’s owner

In practice trust is subjective. For example, Blake’s key is valid to Alice since she signed it, but she may not trust Blake to properly validate keys that he signs. In that case, she would not take Chloe’s and Dharma’s key as valid based on Blake’s signatures alone. The web of trust model accounts for this by associating with each public key on your keyring an indication of how much you trust the key’s owner. There are four trust levels.


Nothing is known about the owner’s judgment in key signing. Keys on your public keyring that you do not own initially have this trust level.


The owner is known to improperly sign other keys. In other words, you don’t trust them.


The owner understands the implications of key signing and properly validates keys before signing them.

I use this for people that I know remotely; business contacts for example.


The owner has an excellent understanding of key signing, and his signature on a key would be as good as your own.

I use this for people I entirely trust, such as my brother, my work team (but not necessarily members of my staff I do not know well or who have not been with us long) and very close personal friends.


This should only ever be used for your own keys. You are the only person you can trust ultimately!

No comments yet...