the "pgp" trust model: the relationship between classic ownertrust designation and trust signatures

David Shaw dshaw at
Sun May 3 04:23:02 CEST 2009

On May 2, 2009, at 11:02 AM, Daniel Kahn Gillmor wrote:

> On 05/02/2009 10:41 AM, David Shaw wrote:
>> On Apr 29, 2009, at 5:29 PM, Daniel Kahn Gillmor wrote:
>>> How does max-cert-depth work in the classic trust model?  I'm  
>>> afraid i
>>> don't understand how a chain of length > 1 can exist in that model.
>>> What am i missing?
>> It's not really a chain in the pgp trust model sense.  Take the  
>> example
>> of a simple row of keys that sign the next key: Alice signs Baker who
>> signs Charlie who signs David who signs Edgar who signs Gloria.   
>> Alice
>> then gives full ownertrust to Baker, Charlie, David, and Edgar.  End
>> result is that Gloria is fully valid, *if* the max-cert-depth is deep
>> enough to cover her, if not, then Edgar's signature has no effect.
> Ah, i see.  So it's measured from the nearest key/uid directly  
> signed by
> an ultimately-trusted key, right?  In the above scenario, if Gloria  
> was
> one hop too many (i.e. if max-cert-depth was 3), were Alice to sign
> Charlie's key/uid in addition to having marked the key with full
> ownertrust, then Gloria's key/uid would have full calculated validity.
> Do i have that right?

If max-cert-depth was 3, then the trusted keys would be Alice (of  
course), Baker, Charlie, and David (i.e. 3 hops from Alice), so Gloria  
would be 2 hops too many.  If Alice were to sign Charlie, Gloria  
wouldn't be trusted as that is 4 hops (Alice -> Charlie -> David ->  
Edgar -> Gloria).  Take your example, and make it max-cert-depth 4,  
instead of 3, and you've got it.

>> It's hard to do that since the two concepts live on the opposite  
>> sides
>> of the key signing "transaction".  The signer picks the trust-sig
>> levels, but the recipient has their own personal choice for
>> max-cert-depth, and each recipient can pick a different one.
>> GPG handles this by letting the signer issue signatures as if
>> max-cert-depth was always infinite ("this is the validity I choose to
>> grant"), but allows the recipient to trim that down to whatever they
>> like ("this is what I will accept").  The default max-cert-depth is  
>> 5.
> OK, i understand the reasoning here.  It still seems to me like it  
> would
> usually be unreasonable for a person whose own max-cert-depth was 5 to
> issue a tsig with depth > 5 (which is why i suggested a warning rather
> than disabling the feature), but i see how it might come in handy in
> some circumstances.
> Thanks for the explanations of these concepts, David.  It's very  
> helpful.

Glad to help!


More information about the Gnupg-devel mailing list