PGP Trust Levels and Signature Types Explained
Table of Contents
So last time we introduced the basics of how PGP works. This time, we cover something slightly more in-depth: signature types, and trust levels.
To recap, a signature here is referring to a cryptographic signature on a user’s key, showing that you either trust said key, or have verified that the key you signed belongs to the user that it claims.
There’s four different types of signatures you can attach to a particular PGP key, and note that they’re not all separate, you can mix-and-match if you like.
This is the basic signature type, with nothing special attached, except maybe a trust level, but we’ll cover that later.
A trust signature is rarely used, but this is used for trust delegation. When making a trust signature, you are allowed to specify the depth to which it will apply, and this allows the signed key to therefore make trust signatures on your behalf. Trust signatures also impart a de facto trust level on the key to you or anyone who trusts you. This isn’t really used, but if you’re organizing your multiple keys, of have some complex trust system in place in, say, some company or whatnot, it might be useful. For most users, it’s not a thing you’ll be using.
A local signature is a signature that does not leave your device, meaning if you publish the key to a keyserver, any local signatures will not be sent over with it. Reasons for doing this are basically completely up to you, but it is a possibility. You can tag any other signature as “local” to prevent it from being sent when published.
This is one that should really only be used sparingly, since it does break one of the fundamental parts of PGP: if your key is lost or compromised, you can publish a revocation to make everyone else treat it as invalid. A non-revocable signature bypasses this: this signature is always going to be valid, even if the key that made it is not. I see very few reasons to ever do this, but the option does exist, for some reason.
Every key and user ID may be trusted to a certain amount, or not at all. You yourself can mark certain keys as trusted manually, but the majority of trust should come from trusted keys signing other keys, thus creating…. the web of trust.
This is the default trust level, where there is not enough information to discern the trust of a key.
You have explicitly marked a key so that any signatures from it are never trusted, something most commonly used if, say, you know the key holder is compromised, making bag signatures, or not verifying keys before signing them.
Marginal trust means that they’re good, but not too good. For a key to be marked as “trusted,” it will need signatures from three keys you’ve given marginal trust to.
Full trust should be used for keys that, well… you trust. Unlike marginal trust, full trust only requires one signature on a key to mark it as trusted.
Only use with your own keys! Ultimate trust is the highest level of trust, and should only be used for your own keys. Others, if well verified, should be given full trust, and, if you’re not too sure, use marginal trust.
Signature Certification Levels
When you sign a key, with GPG, it requires that you have the option
ask-cert-level enabled to do this, you have an option of assigning a “certification level” to your signature.
This is completely optional and has no real weight to it, unlike signatures and trust levels, this is more of an indicator for anyone looking at the key and your signatures, so they themselves can decide how much faith they put in your signatures.
This is the “prefer not to say” option. Nothing really special here. No indication given. If you didn’t pick an option when signing, or didn’t have the advanced mode turned on to even be asked about this in the first place, this is what your signatures are marked as.
Also called a
Signing someone’s key as
sig1 indicates that you have really not verified that the key is actually theirs.
You may believe it is there but have done no actual verification of such.
Also called a
You ran a few checks to make sure that the key you’re signing belongs to the person identified in it, but nothing too major.
Also called a
You are completely sure that the key you’re signing belongs to the user it says it does, and have verified this with extreme confidence.