more on classic ownertrust and tsig interactions

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Apr 29 21:03:11 CEST 2009


OK, as i'm playing around with this more, i've found what seems to be
disturbing behavior by gnupg's "pgp" trust model in the intersection
between classic ownertrust and trust signatures.

If i use classic ownertrust designation to explicitly say "I DO NOT
Trust" a given key, but then a chain of trust signatures suggests that i
should trust the key, gpg and gpg2 both appear to honor the trust
signature instead of my explicitly-stated preference.

That is:

 * Alice trusts Bob with a level 2 tsig

 * Alice explicitly tells gnupg "I Do Not Trust" certifications made by
Carol via a classic ownertrust designation.

 * Bob trusts Carol with a level 1 tsig

 * Carol certifies David's key/uid.

It seems to me that Alice should *not* have any positive calculated
validity on David's key/uid based only on Carol's signature, because she
told her client explicitly "i do not trust this keyholder".

Instead, gpg ignores her wishes, considers Bob's tsig valid, and
calculates full validity on David's key/uid.

In the case of a conflict between trust signatures and explicitly-set
classical ownertrust, i'd expect GnuPG with the "pgp" trust model to either:

 a) honor the classical ownertrust over the tsigs, or

 b) choose the most conservative (least trusting) interpretation.

Is there a reason that it should do something else?  Does anyone else
consider this a bug?

	--dkg
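
The scenario in this message as a toy model, comparing the behaviour reported above with options (a) and (b). This is an added example, not code from the post and not GnuPG's trust database algorithm. The policy names, the coarse NEVER/MARGINAL/FULL scale and the rule that only fully trusted introducers count (marginal-introducer counting is left out) are assumptions of the sketch.

```python
import math

NEVER, MARGINAL, FULL = 0, 1, 2   # coarse trust amounts (tsig 60 ~ MARGINAL, 120 ~ FULL)

def effective(explicit, delegated, policy):
    """Combine classic ownertrust with tsig-delegated trust under one policy."""
    if explicit is None or delegated is None:          # no conflict to resolve
        return next((t for t in (explicit, delegated) if t is not None), NEVER)
    return {"tsig_wins": delegated,                    # behaviour reported in the post
            "ownertrust_wins": explicit,               # option (a)
            "most_conservative": min(explicit, delegated)}[policy]   # option (b)

def valid_keys(root, sigs, ownertrust, policy):
    """sigs: (issuer, subject, level, amount); level 0 is a plain certification,
    level 1 names a trusted introducer, level 2 a meta-introducer."""
    depth = {root: math.inf}      # tsig levels a key may still delegate
    delegated, valid = {}, {root}

    def trust(key):
        if key == root:
            return FULL
        return effective(ownertrust.get(key), delegated.get(key), policy)

    for _ in range(len(sigs) + 1):                     # iterate to a fixpoint
        for issuer, subject, level, amount in sigs:
            if issuer not in valid or trust(issuer) < FULL:
                continue                               # signature does not count
            valid.add(subject)
            granted = min(level, depth.get(issuer, 0) - 1)
            if granted >= 1:                           # issuer may delegate this far
                depth[subject] = max(depth.get(subject, 0), granted)
                delegated[subject] = max(delegated.get(subject, NEVER), amount)
    return valid

# Constructed scenario from the message; names stand in for keys.
SIGS = [("Alice", "Bob", 2, FULL), ("Bob", "Carol", 1, FULL), ("Carol", "David", 0, FULL)]
OWNERTRUST = {"Carol": NEVER}     # Alice's explicit "I do not trust"

if __name__ == "__main__":
    for policy in ("tsig_wins", "ownertrust_wins", "most_conservative"):
        print(policy, "David" in valid_keys("Alice", SIGS, OWNERTRUST, policy))
```

Options (a) and (b) agree on this scenario; they differ only when the explicit ownertrust is higher than what the tsig chain conveys.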
