the "pgp" trust model: the relationship between classic ownertrust designation and trust signatures

David Shaw dshaw at jabberwocky.com
Sun May 3 04:23:02 CEST 2009


On May 2, 2009, at 11:02 AM, Daniel Kahn Gillmor wrote:

> On 05/02/2009 10:41 AM, David Shaw wrote:
>> On Apr 29, 2009, at 5:29 PM, Daniel Kahn Gillmor wrote:
>>> How does max-cert-depth work in the classic trust model?  I'm afraid i
>>> don't understand how a chain of length > 1 can exist in that model.
>>> What am i missing?
>>
>> It's not really a chain in the pgp trust model sense.  Take the example
>> of a simple row of keys that sign the next key: Alice signs Baker who
>> signs Charlie who signs David who signs Edgar who signs Gloria.  Alice
>> then gives full ownertrust to Baker, Charlie, David, and Edgar.  End
>> result is that Gloria is fully valid, *if* the max-cert-depth is deep
>> enough to cover her, if not, then Edgar's signature has no effect.
>
> Ah, i see.  So it's measured from the nearest key/uid directly signed by
> an ultimately-trusted key, right?  In the above scenario, if Gloria was
> one hop too many (i.e. if max-cert-depth was 3), were Alice to sign
> Charlie's key/uid in addition to having marked the key with full
> ownertrust, then Gloria's key/uid would have full calculated validity.
> Do i have that right?

If max-cert-depth was 3, then the trusted keys would be Alice (of
course), Baker, Charlie, and David (i.e. 3 hops from Alice), so Gloria
would be 2 hops too many.  If Alice were to sign Charlie, Gloria
wouldn't be trusted as that is 4 hops (Alice -> Charlie -> David ->
Edgar -> Gloria).  Take your example, and make it max-cert-depth 4,
instead of 3, and you've got it.

>> It's hard to do that since the two concepts live on the opposite sides
>> of the key signing "transaction".  The signer picks the trust-sig
>> levels, but the recipient has their own personal choice for
>> max-cert-depth, and each recipient can pick a different one.
>>
>> GPG handles this by letting the signer issue signatures as if
>> max-cert-depth was always infinite ("this is the validity I choose to
>> grant"), but allows the recipient to trim that down to whatever they
>> like ("this is what I will accept").  The default max-cert-depth is 5.
>
> OK, i understand the reasoning here.  It still seems to me like it would
> usually be unreasonable for a person whose own max-cert-depth was 5 to
> issue a tsig with depth > 5 (which is why i suggested a warning rather
> than disabling the feature), but i see how it might come in handy in
> some circumstances.
>
> Thanks for the explanations of these concepts, David.  It's very
> helpful.

Glad to help!

David
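A small model of the hop counting discussed in the message above, added here as an illustration and not code from GnuPG or from either poster. It assumes a simplified classic model in which a key is fully valid when the shortest chain of fully trusted signers back to the ultimately trusted key is at most max-cert-depth hops; marginal trust, per-user-ID validity and trust signatures are left out, and the Alice-to-Gloria keyring is constructed from the thread's example.

```python
# Constructed toy keyring for the thread's example: signer -> keys it has signed.
SIGNATURES = {
    "Alice": {"Baker"},
    "Baker": {"Charlie"},
    "Charlie": {"David"},
    "David": {"Edgar"},
    "Edgar": {"Gloria"},
}
# Ownertrust as set by the local user (Alice); "ultimate" marks her own key.
OWNERTRUST = {"Alice": "ultimate", "Baker": "full", "Charlie": "full",
              "David": "full", "Edgar": "full"}


def compute_validity(signatures, ownertrust, max_cert_depth):
    """Simplified classic-model validity (assumption, not GnuPG's algorithm).

    Returns {key: hops} for each fully valid key; hops is the shortest chain
    of fully trusted signers back to an ultimately trusted key.  A key is
    valid only if hops <= max_cert_depth, and only valid keys with full or
    ultimate ownertrust may certify keys for the next hop.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    frontier = list(valid)  # keys whose signatures count in the current round
    for depth in range(max_cert_depth):
        newly_valid = []
        for signer in frontier:
            for signed in signatures.get(signer, ()):
                if signed not in valid:
                    valid[signed] = depth + 1
                    newly_valid.append(signed)
        # Only keys the local user fully trusts extend the chain by one more hop.
        frontier = [k for k in newly_valid
                    if ownertrust.get(k) in ("full", "ultimate")]
        if not frontier:
            break
    return valid


def gloria_hops(max_cert_depth, alice_signs_charlie=False):
    """Hop count at which Gloria becomes valid, or None if she is not valid."""
    sigs = {k: set(v) for k, v in SIGNATURES.items()}
    if alice_signs_charlie:  # the shortcut asked about in the thread
        sigs["Alice"].add("Charlie")
    return compute_validity(sigs, OWNERTRUST, max_cert_depth).get("Gloria")


if __name__ == "__main__":
    for depth, shortcut in [(5, False), (3, False), (3, True), (4, True)]:
        print(f"max-cert-depth={depth}, Alice signs Charlie={shortcut}: "
              f"Gloria valid at hop {gloria_hops(depth, shortcut)}")
```

With the default max-cert-depth of 5 Gloria is valid at hop 5; at 3 she is not, even with Alice signing Charlie directly (she is then hop 4), and raising the depth to 4 with that direct signature makes her valid, matching the reply above.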



More information about the Gnupg-devel mailing list