How does trust work?

Matthias Bruestle
Fri, 25 Aug 2000 21:56:50 +0200 (MET DST)


I experimented once a bit with PGP2. I assume that the trust management
is the same in GnuPG.

In PGP2 you have following parameters:

Cert_Depth = 2
Completes_Needed = 1
Marginals_Needed = 4

In GnuPG they are called:

completes-needed 1
marginals-needed 3
max-cert-depth 5

The two trust management variables a key has are:

- validity, i.e. if the key is believed to belong to the user in the
  user ID. This variable can have the values "valid" and "not valid".
- trust, i.e. if you trust the owner of the key to certify other keys
  for you. Trust can have the values "not trusted/unknown trust",
  "marginal trust", "complete trust".

PGP2 starts from an ultimately trusted key, i.e. one for which you have
the secret key. Keys (1st level) which you have signed directly are valid.
It then looks at these keys' trust and at which keys (2nd level) are certified
by them. Each signature from a 1st-level key with marginal trust increases
a marginals counter on a 2nd-level key, and each signature from a 1st-level
key with complete trust increases a completes counter on a 2nd-level key.
If either the completes counter reaches the Completes_Needed value or
the marginals counter reaches the Marginals_Needed value, this key is
trusted. This is done recursively until Cert_Depth is exceeded. (And
btw. the trust is only set by the user, and trust settings from
non-valid keys are ignored.)

So for the above PGP2 settings, a key is valid either when its
completes counter is 1 or above or when its marginals counter is 4 or above.
A Cert_Depth of 2 means that certificates from keys up to level 2
are honoured.


endergone Zwiebeltuete

PGP: SIG:C379A331 ENC:F47FA83D      I LOVE MY PDP-11/34A, M70 and MicroVAXII!
Take my mind
All the way
The darkside calls
I shan't resist

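The counter scheme described in the post above, as an added Python example that is not part of the original mail or of PGP2/GnuPG itself. The key names, signatures and owner-trust settings are constructed; signatures from the ultimately trusted key count as "complete", and, following the post's reading of Cert_Depth, certificates from signers at any level up to cert_depth are honoured.

```python
from collections import defaultdict

ULTIMATE, COMPLETE, MARGINAL, UNKNOWN = "ultimate", "complete", "marginal", "unknown"


def compute_validity(owner_trust, signatures, completes_needed, marginals_needed, cert_depth):
    """Web-of-trust validity as described in the post.

    owner_trust: {key: trust set by the user}; ULTIMATE = a key whose secret key you hold.
    signatures:  list of (signer, signed_key) pairs.
    Returns {key: level} for every key that becomes valid (ultimate keys are level 0).
    """
    level = {k: 0 for k, t in owner_trust.items() if t == ULTIMATE}
    # Signers at level <= cert_depth are honoured, so keys can reach level cert_depth + 1.
    for depth in range(1, cert_depth + 2):
        completes, marginals = defaultdict(int), defaultdict(int)
        for signer, signed in signatures:
            if signed in level or signer not in level:
                continue  # already valid, or signer is not valid: its trust setting is ignored
            trust = owner_trust.get(signer, UNKNOWN)
            if trust in (ULTIMATE, COMPLETE):
                completes[signed] += 1
            elif trust == MARGINAL:
                marginals[signed] += 1
        newly_valid = {k for k in set(completes) | set(marginals)
                       if completes[k] >= completes_needed or marginals[k] >= marginals_needed}
        if not newly_valid:
            break
        for k in newly_valid:
            level[k] = depth
    return level


def example_keyring():
    """Constructed sample: alice is our own key; mallory's trust is set but mallory is never valid."""
    owner_trust = {"alice": ULTIMATE, "bob": COMPLETE, "carol": MARGINAL, "dan": MARGINAL,
                   "eve": MARGINAL, "grace": COMPLETE, "henry": COMPLETE, "mallory": COMPLETE}
    signatures = [("alice", "bob"), ("alice", "carol"), ("alice", "dan"), ("alice", "eve"),
                  ("carol", "frank"), ("dan", "frank"), ("eve", "frank"),   # 3 marginal signatures
                  ("bob", "grace"), ("grace", "henry"), ("henry", "jill"),   # chain of complete trust
                  ("mallory", "ivan")]                                      # signer not valid
    return owner_trust, signatures


if __name__ == "__main__":
    trust, sigs = example_keyring()
    print("PGP2  (1, 4, 2):", compute_validity(trust, sigs, 1, 4, 2))
    print("GnuPG (1, 3, 5):", compute_validity(trust, sigs, 1, 3, 5))
```

With the PGP2 settings frank stays invalid (three marginals, four needed) and jill is out of depth; with the GnuPG settings both become valid, while ivan never does because mallory's own key is not valid.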