That's an excellent question! Beyond [ultimate] and [unknown], GPG's "Web of Trust" model uses several other trust levels to indicate how much you, or others, trust a public key. These levels help you decide whether to use a key for encrypting sensitive information or verifying signatures.
Here are the common trust levels you might encounter:
- [ultimate]: This means you have explicitly and fully trusted this key. You believe this key genuinely belongs to the person it claims to belong to, and you trust this person to properly sign other keys (i.e., they only sign keys they have verified). This is usually assigned to your own private key(s) and any public keys you have personally verified and signed.
- [fully trusted]: This key is trusted because it has been signed by a sufficient number of keys that you ultimately or fully trust. GPG calculates this trust based on your "trust depth" and "trust amount" settings. Essentially, if you trust a key, and that key trusts another key, then the second key gains some level of trust from you.
- [marginally trusted]: Similar to [fully trusted], but it means the key has been signed by a sufficient number of keys that you marginally trust, or fewer keys from those you fully trust. It's a lower level of calculated trust.
- [unknown]: This is the default trust level for newly imported public keys. GPG doesn't know anything about the authenticity of this key until you (or someone you trust) explicitly signs it.
- [not trusted]: This explicitly indicates that you do not trust this key. You might set this if you have reason to believe the key is compromised or belongs to someone else.
The ultimate trust level for your own key is automatically set by GPG when you create it. For other keys, you explicitly set their trust level by signing them, as you did for Alice's key in this step. The other trust levels (fully trusted, marginally trusted) are typically calculated by GPG based on the signatures present on a key and the trust you've assigned to the signers of that key.
Do you have any more questions about the GPG Web of Trust, or how these levels influence key usage?
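The calculation described above, as an added example that is not part of the original answer and is not GnuPG's own code: a simplified Python model of how calculated trust follows from signatures and the trust assigned to signers. It assumes GnuPG's documented classic trust model defaults (`completes-needed 1`, `marginals-needed 3`, `max-cert-depth 5`); the key names and keyring are constructed.

```python
# Simplified model of GnuPG's classic trust calculation (assumed defaults).
COMPLETES_NEEDED = 1   # signatures needed from fully trusted signers
MARGINALS_NEEDED = 3   # signatures needed from marginally trusted signers
MAX_CERT_DEPTH = 5     # longest chain allowed from an ultimately trusted key

# Constructed sample keyring: trust you assigned to signers, and who signed whom.
OWNERTRUST = {"me": "ultimate", "alice": "full", "bob": "marginal",
              "carol": "marginal", "dave": "marginal"}
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "erin": {"alice"},                 # one fully trusted signer
    "frank": {"bob"},                  # one marginally trusted signer
    "grace": {"bob", "carol", "dave"},  # three marginally trusted signers
    "heidi": {"erin"},                 # signer is valid but has no assigned trust
    "mallory": {"stranger"},           # signer is not in the web of trust
}


def compute_validity(ownertrust, signatures):
    """Return {key: 'ultimate' | 'full' | 'marginal' | 'unknown'}."""
    keys = set(ownertrust) | set(signatures)
    validity = {k: "unknown" for k in keys}
    for k, trust in ownertrust.items():
        if trust == "ultimate":
            validity[k] = "ultimate"
    for _ in range(MAX_CERT_DEPTH):
        snapshot = dict(validity)  # signers count only if valid last round
        for key in keys:
            if snapshot[key] in ("ultimate", "full"):
                continue
            full = marginal = 0
            for signer in signatures.get(key, ()):
                if snapshot.get(signer) not in ("ultimate", "full"):
                    continue  # signature from a key we cannot authenticate
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                validity[key] = "full"
            elif full or marginal:
                validity[key] = "marginal"
        if validity == snapshot:
            break
    return validity


if __name__ == "__main__":
    for name, level in sorted(compute_validity(OWNERTRUST, SIGNATURES).items()):
        print(f"[{level:^9}] {name}")
```

Note that `heidi` stays unknown even though `erin`'s key is fully valid: a valid key only vouches for others once you have assigned trust to its owner as a signer.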