the "pgp" trust model: the relationship between classic ownertrust designation and trust signatures

Daniel Kahn Gillmor dkg at
Wed Apr 29 23:29:18 CEST 2009

On 04/29/2009 05:21 PM, David Shaw wrote:
> An (implied) infinite trust
> signature from Alice on Baker would be a fairly dangerous thing.  It
> gives Baker vastly more power than he would have in the classic trust
> model.  In classic, he could just sign one level down from himself.  In
> pgp, he could make introducers of introducers of introducers, down to
> whatever level he wanted.  For safety, it's best to require Alice to
> explicitly grant that kind of power.

This reasoning makes a lot of sense, and i'm glad that gnupg implements
it this way now that it's been explained to me. :P

>> Does --max-cert-depth have any meaning outside of the "pgp" trust model
>> for gpg?  If not, why do we need it as an explicitly separate value,
>> since each trust signature made by the ultimately-trusted key would
>> imply a more-specific cert-depth limit anyway?
> --max-cert-depth is used in both the classic and pgp trust models. 

How does max-cert-depth work in the classic trust model?  I'm afraid i
don't understand how a chain of length > 1 can exist in that model.
What am i missing?

> You are right that a "pure" trust
> model does imply a --max-cert-depth of infinity.  It's just that we
> don't live in a pure world.

Should there be warnings, then, when issuing a trust-sig with a level
greater than max-cert-depth?  Or should you need to have --expert
enabled to do so?  There's no current indication that creating such a
signature won't have the intended effect.
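
Added example, not part of the original message and not GnuPG's code: a simplified Python model of how a trust-signature level shrinks along a chain of introducers, and of the warning asked about above when a level exceeds the depth cap. The key names, the sample signatures and the way the cap is counted (introducer hops from the ultimately trusted key) are assumptions of this sketch; GnuPG's own counting may differ.

```python
import math
from collections import deque
from dataclasses import dataclass

DEFAULT_MAX_CERT_DEPTH = 5  # GnuPG's documented default for --max-cert-depth

@dataclass(frozen=True)
class TrustSig:
    issuer: str
    subject: str
    level: int  # 1 = trusted introducer, 2 = meta-introducer, and so on

def propagate(root, sigs, max_cert_depth=DEFAULT_MAX_CERT_DEPTH):
    """Return ({key: (depth, effective_level)}, warnings) for introducers under root.

    Simplified model: the first (shortest) path to a key wins.
    """
    state = {root: (0, math.inf)}  # ultimately trusted key: unlimited level
    warnings = []
    queue = deque([root])
    while queue:
        issuer = queue.popleft()
        depth, budget = state[issuer]
        for sig in (s for s in sigs if s.issuer == issuer):
            if sig.subject in state:
                continue
            # An issuer can pass on at most one level less than it holds.
            inherited = min(sig.level, budget - 1)
            if inherited < 1:
                continue  # issuer was never granted the power to make introducers
            # Assumed cap: no introducer more than max_cert_depth hops from root.
            effective = min(inherited, max_cert_depth - depth)
            if effective < 1:
                continue
            if inherited > effective:
                warnings.append(
                    f"{sig.issuer}->{sig.subject}: level {sig.level} exceeds "
                    f"max-cert-depth {max_cert_depth}; only {effective} honoured")
            state[sig.subject] = (depth + 1, effective)
            queue.append(sig.subject)
    return state, warnings

# Constructed sample: Alice is the ultimately trusted key.
SAMPLE_SIGS = [
    TrustSig("Alice", "Baker", 7),  # deeper than the default cap of 5
    TrustSig("Baker", "Carol", 3),
    TrustSig("Carol", "Dave", 1),
]

if __name__ == "__main__":
    print(propagate("Alice", SAMPLE_SIGS))
```

With a level-1 signature on Baker, any trust signature Baker issues is ignored in this model, which is the explicit-grant property described in the quoted text.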

