PGP Web of Trust

We discovered that existing tools for looking at the PGP web of trust are not well-suited to answering the question "do I know the person who just e-mailed me, and do I trust this key?" Existing PGP clients only answer this question for keys that already exist in your keychain. Here, we have software (called "sigtrace") that will tell you how you trust a given keyid.

You can fetch the software by cloning the Git repository at git://wot.scripts.mit.edu/firegpg.git or run it out of the "wot" locker on Athena.

The latest data files are available here. We also have a dump of the signature set as ASCII text, if you want to use the data to produce your own software.

Example Usage

    (~) athena% add wot
    (~) athena% sigtrace A86B35C5
    Assuming A86B35C5 is omega; using FCEFB697 as alpha
    Data loaded, tracing....
    level:0 keys:1 seconds:0
    level:1 keys:25 seconds:0
    level:2 keys:566 seconds:0
    level:3 keys:6814 seconds:0
    level:4 keys:4884 seconds:1
    5 hop path:FCEFB697 838DF19C 88C7C1F7 75BE8097 2A960705 A86B35C5
    Found trust path of length 6:
    u FCEFB697 Quentin Smith <quentin@mit.edu>
    f 838DF19C Anne Christine Spang <spang@mit.edu>
    - 88C7C1F7 Steve McIntyre <93sam@debian.org>
    - 75BE8097 Florian Lohoff <flo@owl.de>
    - 2A960705 H. Peter Anvin <hpa@zytor.com>
    - A86B35C5 Linus Torvalds <Linus.Torvalds@Helsinki.FI>
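
The level/keys lines in the sigtrace output suggest a level-by-level search outward from your own key (alpha) toward the target key (omega). The sketch below is an added example, not sigtrace's own code: it assumes the signature dump has been parsed into (signer, signee) pairs, and the key IDs, `build_graph` and `trace` are constructed for illustration.

```python
# Constructed sample signature set: (signer, signee) means the signer's key
# certified the signee's key. These key IDs are made up for illustration.
SIGNATURES = [
    ("AAAA0001", "BBBB0002"),
    ("AAAA0001", "CCCC0003"),
    ("BBBB0002", "DDDD0004"),
    ("CCCC0003", "DDDD0004"),
    ("DDDD0004", "EEEE0005"),
    ("EEEE0005", "AAAA0001"),  # signatures are directional: this is a back edge
    ("FFFF0006", "EEEE0005"),  # FFFF0006 signs others, but nobody signed it
]

def build_graph(signatures):
    """Map each signer to the set of keys it certified, skipping self-signatures."""
    graph = {}
    for signer, signee in signatures:
        if signer != signee:
            graph.setdefault(signer, set()).add(signee)
    return graph

def trace(graph, alpha, omega, max_hops=6):
    """Breadth-first search from alpha; returns (shortest path or None, keys per level)."""
    parent = {alpha: None}
    frontier, level_sizes = [alpha], []
    while frontier and len(level_sizes) <= max_hops:
        level_sizes.append(len(frontier))
        if omega in frontier:
            path, key = [], omega
            while key is not None:  # walk parent links back to alpha
                path.append(key)
                key = parent[key]
            return path[::-1], level_sizes
        nxt = []
        for key in frontier:
            for signee in sorted(graph.get(key, ())):
                if signee not in parent:  # first visit gives the shortest route
                    parent[signee] = key
                    nxt.append(signee)
        frontier = nxt
    return None, level_sizes

if __name__ == "__main__":
    path, levels = trace(build_graph(SIGNATURES), "AAAA0001", "EEEE0005")
    for depth, count in enumerate(levels):
        print(f"level:{depth} keys:{count}")
    print(f"{len(path) - 1} hop path:" + " ".join(path))
```

A path found this way only shows that a chain of certifications exists from your key to the target; it does not by itself make the target key valid under your trust settings.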