Mullvad VPN gpg key : Should you trust ultimately?

1 Antwort [Letzter Beitrag]
Beigetreten: 02/19/2016

I am currently using Mullvad's VPN service. It strikes me as odd - perhaps even irresponsible - that they advise users to set the gpg trust level at "5 = I trust ultimately". Isn't it bad practice to set the trust level to 5 unless you are 100% sure of the validity of the key and its owner?

Beigetreten: 04/01/2021

Your reservations hold in the usual web of trust situation, where people can trust the key belongs to its legitimate owner because other peers have set a high trust level for it. In that situation, if you want to play the game and help building a robust web of trust, you should choose a trust level that fits your actual trust in the authenticity of the key, in order to help other peers set their own level of trust.

In the case of Mullvad, nobody will check the trust level you set for the key, so it is really only about making your life easier:

"Once you have downloaded the signing key you should set the trust level to "ultimate" so that it can be used to automatically verify all the keys signed by the Mullvad signing key. This step can be skipped, but then a warning will be printed during each file verification saying that the key is not certified with a trusted signature."

In this particular case, setting trust level to ultimate simply allows you to skip a warning that you would most probably choose to ignore anyway.