Trust Signature and Trust Level Bug

Daniel Kahn Gillmor dkg at
Sat Aug 13 04:03:38 CEST 2011

Hi Nicholas--

I'm not on the gnupg team myself, but i've looked at this kind of
situation too.  thanks for your writeup!  notes below...

On 08/12/2011 06:05 AM, Nicholas Cole wrote:
> Bug 1 (minor):
> ==========
> Just after "Middle Key" has been signed, gpg may allow the user to
> change the trust setting of the key to an arbitrary value.
> I *think* at some point after this the trust database gets updated,
> and attempting to set trust displays the message:
> The minimum trust level for this key is: full
> The sure way to prompt this is in fact to set the trust level of the
> key to a lower level than the trust signature.  gpg seems to accept
> the first attempt, but subsequent attempts will fail.

This inconsistency does seem like a bug; i agree with you that it seems

A bigger problem seems to me that there ought to be a way for the user
to explicitly override a trust signature's delegation.  For example, if
the root key says "trust the middle key", and you as a user happen to
know that the middle key has been compromised, you shouldn't have to
wait for the root key to get around to revoking their trust signature.

> Bug 2 (more serious):
> ================
> GPG will not allow the user to set the trust of the key independently
> of the trust signature, even when Trust Signature is domain-limited.

I think this definitely a concern.  Could you open a ticket at to record your observation and any proposed
changes in behavior?

Note that very few people actually use trust signatures to my knowledge;
so these edge cases you're exploring are not likely to bite a large
number of users.

However, i think these edge cases are some of the reasons that trust
signatures are confusing and difficult to work with, which is one of the
reasons no one has bothered to try to use them in any significant public
way yet.  So talking through the potential problems could be quite useful.

> That GPG should stop trying to second-guess the user and allow the
> user to set any trust level on a key.  Instead, it could display a
> warning that this may be overridden by trust signatures on a key when
> calculating the validity of keys within the domain of the trust
> signature.

I think a "this may be overridden" warning is much less useful than an
explicit warning that "your setting has been overridden"; but, more
importantly, i don't think that gpg should be overriding user
preferences that have been explicitly and directly stated.

I'm curious to hear what Werner and David think about these issues.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110812/813262a8/attachment-0001.pgp>

More information about the Gnupg-devel mailing list