the "pgp" trust model: the relationship between classic ownertrust designation and trust signatures

David Shaw dshaw at
Sat May 2 16:41:46 CEST 2009

On Apr 29, 2009, at 5:29 PM, Daniel Kahn Gillmor wrote:

> On 04/29/2009 05:21 PM, David Shaw wrote:
>> An (implied) infinite trust
>> signature from Alice on Baker would be a fairly dangerous thing.  It
>> gives Baker vastly more power than he would have in the classic trust
>> model.  In classic, he could just sign one level down from himself.  In
>> pgp, he could make introducers of introducers of introducers, down to
>> whatever level he wanted.  For safety, it's best to require Alice to
>> explicitly grant that kind of power.
> This reasoning makes a lot of sense, and i'm glad that gnupg implements
> it this way now that it's been explained to me. :P
>>> Does --max-cert-depth have any meaning outside of the "pgp" trust model
>>> for gpg?  If not, why do we need it as an explicitly separate value,
>>> since each trust signature made by the ultimately-trusted key would
>>> imply a more-specific cert-depth limit anyway?
>> --max-cert-depth is used in both the classic and pgp trust models.
> How does max-cert-depth work in the classic trust model?  I'm afraid i
> don't understand how a chain of length > 1 can exist in that model.
> What am i missing?

It's not really a chain in the pgp trust model sense.  Take the
example of a simple row of keys that sign the next key: Alice signs
Baker who signs Charlie who signs David who signs Edgar who signs
Gloria.  Alice then gives full ownertrust to Baker, Charlie, David,
and Edgar.  End result is that Gloria is fully valid, *if* the
max-cert-depth is deep enough to cover her; if not, then Edgar's
signature has no effect.

>> You are right that a "pure" trust
>> model does imply a --max-cert-depth of infinity.  It's just that we
>> don't live in a pure world.
> Should there be warnings, then, when issuing a trust-sig with a level
> greater than max-cert-depth?  Or should you need to have --expert
> enabled to do so?  There's no current indication that creating such a
> signature won't have the intended effect.

It's hard to do that since the two concepts live on the opposite sides
of the key signing "transaction".  The signer picks the trust-sig
levels, but the recipient has their own personal choice for
max-cert-depth, and each recipient can pick a different one.

GPG handles this by letting the signer issue signatures as if
max-cert-depth was always infinite ("this is the validity I choose to
grant"), but allows the recipient to trim that down to whatever they
like ("this is what I will accept").  The default max-cert-depth is 5.
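
Added example, not part of David Shaw's message and not GnuPG's own code: a simplified Python model of the recipient-side depth cutoff described above, run on the Alice-to-Gloria chain. The function name, the depth numbering (Alice's key is depth 0) and the simplified counting rule are assumptions of this sketch; the thresholds mirror gpg's --completes-needed and --marginals-needed defaults.

```python
from collections import defaultdict

FULL, MARGINAL = "full", "marginal"

def valid_keys(ultimate, signatures, ownertrust, max_cert_depth=5,
               completes_needed=1, marginals_needed=3):
    """Map each key that becomes fully valid to the depth where it did.

    Simplified model (an assumption, not GnuPG's implementation):
    depth 0 is the owner's ultimately trusted key, and only fully valid
    keys that the owner assigned ownertrust to act as introducers.
    """
    signers_of = defaultdict(set)
    for signer, signee in signatures:
        signers_of[signee].add(signer)

    valid = {key: 0 for key in ultimate}
    # Trust level of every key whose signatures currently count.
    introducers = {key: FULL for key in ultimate}
    for depth in range(1, max_cert_depth + 1):
        found = []
        for key, signers in signers_of.items():
            if key in valid:
                continue
            levels = [introducers[s] for s in signers if s in introducers]
            if (levels.count(FULL) >= completes_needed
                    or levels.count(MARGINAL) >= marginals_needed):
                found.append(key)
        if not found:
            break
        for key in found:
            valid[key] = depth
            if key in ownertrust:
                introducers[key] = ownertrust[key]
    return valid

# Constructed sample: the chain from the message, each key signing the next.
NAMES = ["Alice", "Baker", "Charlie", "David", "Edgar", "Gloria"]
CHAIN = list(zip(NAMES, NAMES[1:]))
# Alice gives full ownertrust to Baker, Charlie, David and Edgar.
TRUST = {name: FULL for name in NAMES[1:5]}

if __name__ == "__main__":
    for limit in (5, 4):
        result = valid_keys({"Alice"}, CHAIN, TRUST, max_cert_depth=limit)
        print(limit, "Gloria valid:", "Gloria" in result)
```

In this model a limit of 5 is just deep enough to reach Gloria, while a limit of 4 stops at Edgar, so his signature on Gloria has no effect.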

