Trust Signature and Trust Level Bug

Nicholas Cole nicholas.cole at gmail.com
Fri Aug 12 12:05:28 CEST 2011


Dear List,

I think I have found two bugs in the way that gpg handles the
interaction between trust signatures and locally assigned owner trust.

I'm using version 1.4.11.  I have not verified on version 2.

To verify:

Create Three Keys

Root Key
(set as ultimate trust)

Middle Key
(Sign the User ID with a Trust Signature - full trust)

[ middle key would then sign other keys, but this is not needed to
explain these bugs]


The bugs all concern the user attempting to set an explicit Trust to
"Middle Key"


Bug 1 (minor):
==========

Just after "Middle Key" has been signed, gpg may allow the user to
change the trust setting of the key to an arbitrary value.

I *think* at some point after this the trust database gets updated,
and attempting to set trust displays the message:

The minimum trust level for this key is: full

The sure way to prompt this is in fact to set the trust level of the
key to a lower level than the trust signature.  gpg seems to accept
the first attempt, but subsequent attempts will fail.

Bug 2 (more serious):
================

GPG will not allow the user to set the trust of the key independently
of the trust signature, even when the Trust Signature is domain-limited.

So, suppose that "Root Key" signs "Middle Key" with a trust
signature limited to the ".gnupg.invalid" domain.

The user might independently decide to assign "Middle Key" a marginal
trust setting for all keys.

The *expected outcome* here is that within the domain .gnupg.invalid
the key is allowed to sign with "Full Trust" but that in all other
domains it just has marginal trust.

However, the *actual outcome* is that gpg will not let the user assign
anything less than "Full Trust" to this key.  Having set Full Trust
the user is not able to change his mind and set the trust level to
anything less than Full Trust, without first setting the trust level
of "Root Key" to something lower.


Suggestion
========

That GPG should stop trying to second-guess the user and allow the
user to set any trust level on a key.  Instead, it could display a
warning that this may be overridden by trust signatures on a key when
calculating the validity of keys within the domain of the trust
signature.


Best wishes,

Nicholas
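
The expected and actual outcomes of Bug 2 above, as a small model. This is an added example, not part of the original message and not GnuPG's code; the class and function names, the plain suffix match used for the domain limit, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Trust(IntEnum):
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


@dataclass
class TrustSig:
    level: Trust                  # trust level carried by the trust signature
    domain: Optional[str] = None  # None means the signature is not domain-limited

    def covers(self, email: str) -> bool:
        # Assumption: scope is modelled as a suffix match on the mail domain.
        if self.domain is None:
            return True
        host = email.rsplit("@", 1)[-1].lower()
        d = self.domain.lstrip(".").lower()
        return host == d or host.endswith("." + d)


def reported_accepts(requested: Trust, tsig: TrustSig) -> bool:
    """Behaviour as reported: the trust signature's level is a floor on the
    owner trust the user may set, whether or not it is domain-limited."""
    return requested >= tsig.level


def expected_signing_trust(owner: Trust, tsig: TrustSig, signed_email: str) -> Trust:
    """Outcome the report expects: the trust signature raises the key's trust
    only for user IDs inside its domain; elsewhere owner trust applies."""
    return max(owner, tsig.level) if tsig.covers(signed_email) else owner


if __name__ == "__main__":
    tsig = TrustSig(Trust.FULL, ".gnupg.invalid")  # Root Key -> Middle Key
    print("marginal accepted (reported):", reported_accepts(Trust.MARGINAL, tsig))
    # Constructed sample addresses of keys signed by Middle Key.
    for email in ("alice@gnupg.invalid", "bob@example.org"):
        print(email, expected_signing_trust(Trust.MARGINAL, tsig, email).name)
```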


