Internet Security Professional Reference:PGP


For each valid key, PGP lets you assign one of four trust values that say how much you trust the key's owner as an introducer, that is, how much weight you give to signatures this key makes on other people's keys. Validity and trust are separate things: validity is your confidence that the key really belongs to the named owner, while trust is your willingness to accept that owner's signatures on other keys. A value of one (1) means that you do not know how much trust to place in the key; that key is then not used when PGP computes the validity of other keys. A value of two (2) means that you do not trust the key as an introducer. With either value on a valid key, PGP ignores signatures that this key has made on other keys, so the key contributes nothing toward the validity of any other key.

A trust value of three (3) denotes marginal trust in the key as an introducer; a value of four (4) denotes complete trust in the key as an introducer. When PGP computes the validity of a key, it counts the signatures on that key made by completely trusted introducers and those made by marginally trusted introducers, and compares each count against the number needed to treat the key as valid. By default, PGP requires one completely trusted signature or two marginally trusted signatures to validate a key. Both thresholds can be changed through two configuration file options: COMPLETES_NEEDED and MARGINALS_NEEDED. Note that only signatures from introducers whose own keys are valid are counted; an introducer you trust completely but whose key you have not validated contributes nothing.

Make a determination in your own mind whether this key actually
belongs to the person whom you think it belongs to, based on available
evidence. If you think it does, then based on your estimate of
that person’s integrity and competence in key management, answer
the following question:

Would you trust “Derek Atkins <warlord@MIT.EDU>”
to act as an introducer and certify other people’s public keys to you?
(1=I don’t know. 2=No. 3=Usually. 4=Yes, always.) ? 4

Make a determination in your own mind whether this key actually
belongs to the person whom you think it belongs to, based on available
evidence.  If you think it does, then based on your estimate of that
person’s integrity and competence in key management, answer the following
question:

Would you trust “Jeffrey I. Schiller <jis@mit.edu>”
to act as an introducer and certify other people’s public keys to you?
(1=I don’t know. 2=No. 3=Usually. 4=Yes, always.) ? 4

Sometimes you know a user personally and can rely on him or her to sign keys carefully. In that case you can assign the key complete trust (4), meaning that you accept the owner will always sign keys properly. In general, reserve this value for keys whose owner you have verified and whom you know to be careful about key management. For example, Ruth could have visited MIT and met both Derek and Jeff. During this meeting she determined that both are completely trustworthy and will always sign keys properly, which is why she answered 4 for each key above.

Occasionally PGP asks whether a key can be used as an introducer even when you do not know the owner. In this case you must still decide how much trust to place in the key owner, even though you have never met him or her. In general, it is best not to put complete trust in the key of someone you do not know. If Ruth had never met Phil Zimmermann, and had never had the chance to learn his signing habits, she might place only marginal trust in his key, which she indicates by answering 3. The next part of the example shows the trust setting for the individual Ruth has never met, followed by the prompt for a second key carrying Jeff's name:

Make a determination in your own mind whether this key actually
belongs to the person whom you think it belongs to, based on
available evidence. If you think it does, then based on your
estimate of that person’s integrity and competence in key management,
answer the following question:

Would you trust “Philip R. Zimmermann <prz@acm.org>”
to act as an introducer and certify other people’s public keys to you?
(1=I don’t know. 2=No. 3=Usually. 4=Yes, always.) ? 3

Make a determination in your own mind whether this key actually
belongs to the person whom you think it belongs to, based on available
evidence.  If you think it does, then based on your estimate of that
person’s integrity and competence in key management, answer the following
question:

Would you trust “Jeffrey I. Schiller <jis@mit.edu>”
to act as an introducer and certify other people’s public keys to you?
(1=I don’t know. 2=No. 3=Usually. 4=Yes, always.) ? 2

The choices of trust are personal value judgments based on both the key and the key's owner. Sometimes a person has several keys on your keyring but only one of them is still in use. In the example you have followed in this chapter, Ruth should assign no trust (2) to Jeff's second key, as shown in the last prompt above, because it is an old key that has been replaced by a new one. Unfortunately, PGP does not warn you that a key carries the same user ID as another key already on your keyring, so you need to watch for keyrings that hold multiple keys with the same name. A stale key and an impostor's key look the same from the name alone, so compare the fingerprint of the key you intend to trust with one obtained from the owner before assigning it any trust.
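The validity computation described earlier in this section, and the duplicate-name situation described just above, as an added example. This is not code from the book and not PGP's own source; it is a small model of the rules the text states. Assumptions not on the page: keys are given made-up short key IDs (RUTH, DEREK, JEFF1, JEFF0, PRZ) plus a few constructed keys (alice, bob, carol, dave) that exercise the edge cases; the validity rule is taken literally from the text (a key is valid once it carries COMPLETES_NEEDED signatures from completely trusted introducers or MARGINALS_NEEDED from marginally trusted ones); only signatures from keys that are themselves already valid count; and your own key is valid by definition and acts as a completely trusted introducer.

```python
# Added example for this chapter, not code from the book and not PGP's own
# source: a model of the introducer-trust / key-validity computation the text
# describes, plus the duplicate-user-ID check that PGP does not make for you.
# Key IDs below are constructed, not real PGP key IDs.
from dataclasses import dataclass, field

# The four answers PGP's prompt accepts.
UNKNOWN, UNTRUSTED, MARGINAL, COMPLETE = 1, 2, 3, 4


@dataclass
class Key:
    key_id: str                 # constructed identifier, not a real PGP key ID
    user_id: str                # the "Name <email>" string PGP shows
    trust: int = UNKNOWN        # how far you trust the OWNER as an introducer
    signers: list = field(default_factory=list)   # key_ids of keys that signed this one


@dataclass
class Keyring:
    keys: dict                  # key_id -> Key
    own_key: str                # your own key: valid by definition (assumption)
    completes_needed: int = 1   # COMPLETES_NEEDED (PGP default)
    marginals_needed: int = 2   # MARGINALS_NEEDED (PGP default)

    def compute_validity(self) -> dict:
        """Return {key_id: bool}. Repeats until no further key becomes valid,
        because a signature only counts once the signer's own key is valid."""
        valid = {kid: kid == self.own_key for kid in self.keys}
        changed = True
        while changed:
            changed = False
            for kid, key in self.keys.items():
                if valid[kid]:
                    continue
                completes = marginals = 0
                for signer_id in key.signers:
                    signer = self.keys.get(signer_id)
                    # Signer not on the ring, or not (yet) valid: signature ignored.
                    if signer is None or not valid[signer_id]:
                        continue
                    # Trust 1 (unknown) and 2 (untrusted) contribute nothing.
                    if signer.trust == COMPLETE:
                        completes += 1
                    elif signer.trust == MARGINAL:
                        marginals += 1
                if completes >= self.completes_needed or marginals >= self.marginals_needed:
                    valid[kid] = True
                    changed = True
        return valid

    def duplicate_user_ids(self) -> dict:
        """User IDs present on more than one key: the case the text warns
        about, which PGP itself does not flag."""
        by_uid = {}
        for key in self.keys.values():
            by_uid.setdefault(key.user_id, []).append(key.key_id)
        return {uid: kids for uid, kids in by_uid.items() if len(kids) > 1}


def build_example_keyring() -> Keyring:
    """Ruth's keyring as the chapter describes it (constructed key IDs), plus
    constructed keys alice, bob, carol and dave to exercise the edge cases."""
    keys = [
        Key("RUTH", "Ruth (constructed user ID)", COMPLETE),
        Key("DEREK", "Derek Atkins <warlord@MIT.EDU>", COMPLETE, ["RUTH"]),
        Key("JEFF1", "Jeffrey I. Schiller <jis@mit.edu>", COMPLETE, ["RUTH"]),
        Key("JEFF0", "Jeffrey I. Schiller <jis@mit.edu>", UNTRUSTED, ["DEREK"]),  # old key
        Key("PRZ", "Philip R. Zimmermann <prz@acm.org>", MARGINAL, ["DEREK"]),
        Key("CAROL", "carol (constructed)", MARGINAL, ["JEFF1"]),
        # Ruth answered 4 for alice, but only one marginal introducer signed her key,
        # so the key is not valid and alice's own signatures will count for nothing.
        Key("ALICE", "alice (constructed)", COMPLETE, ["PRZ"]),
        # Signed only by an invalid key (alice) and an untrusted one (Jeff's old key).
        Key("BOB", "bob (constructed)", UNKNOWN, ["ALICE", "JEFF0"]),
        # Two marginal introducers: enough under the default MARGINALS_NEEDED of 2.
        Key("DAVE", "dave (constructed)", UNKNOWN, ["PRZ", "CAROL"]),
    ]
    return Keyring({k.key_id: k for k in keys}, own_key="RUTH")


if __name__ == "__main__":
    ring = build_example_keyring()
    for kid, ok in ring.compute_validity().items():
        print(f"{kid:6} trust={ring.keys[kid].trust} valid={ok}")
    for uid, kids in ring.duplicate_user_ids().items():
        print(f"WARNING: {uid!r} is on keys {kids}; compare fingerprints before trusting either")
```

Raising marginals_needed to 3 on the same keyring leaves dave's key invalid, which is the effect the MARGINALS_NEEDED option has in PGP; bob's key stays invalid under any setting because neither of its signers can contribute, and Jeff's two keys are reported together so Ruth can see that the name alone does not tell her which key is current.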

