Why is ~/.gnupg/trustdb.gpg readable by all?

George Sinclair gsinclair@nodc.noaa.gov
Fri Feb 9 00:05:55 2001


Bud,

A web of trust really involved two issues. The first is signing keys
and the second is how much trust you place in the owner (original) of
the signed key to sign other keys (for you) - we're *NOT* talking
about calling them up and asking them to sign a key for you; instead,
GnuPG will automatically do it for you if you've place a certain level 
of trust in that user.

Let's discuss the first issue of signing keys. If you want to build a
web of trust, you have to start at the grass roots level and this
involves adding and signing keys. In other words, start by signing
keys on your keyring that belong to people you know and whose
fingerprints (for the respective key) can be substantiated in the
following manner: 

   If you directly know the person, confirm the fingerprint (another
   cryptographic checksum, e.g tiger, md5, etc., would also work) 
   either by phone, FAX, or possibly some type of encrypted channel
   between you and this person.

If, however, you don't directly know the person, and this is GENERALLY 
the case, (sure, you could e-mail or call them, and introduce
yourself, but how do you know the person you're speaking with isn't
some imposter whose dreamed up some crazy pyramid financial scheme?)
then validating the fingerprint is a bit more involved:

    Confirm the fingerprint as shown above if possible. It's better
    than nothing.

    Next, corroborate the fingerprint. By this, I mean that you should
    contact anyone you directly trust to determine if they know and
    trust this individual. If you trust someone who trusts someone
    else, then it's kind of the "a=b=c" scenario. Get as many
    corroborating witnesses as possible. Maybe if three other people
    you know or trust all swear up and down that the fingerprint for
    this dude is what you show, and he or she isn't currently wanted
    for any crimes against humanity, then I'd say you can now place 
    considerably more credence in this person's key.

    Often a WEB site or other authoritative location (e.g. FTP server) 
    might contain a copy of the fingerprint, or the public key
    itself. The reputation of the site is a *reasonable* indication
    that the information located there is valid. In other words, some
    unknown site that gets few visitors and is being run out of some
    back alley pool hall versus a well known and frequently visited
    site like GNU might be suspect. Of course, bigger does *not*
    always mean better, but use common sense. 

The second aspect of the web of trust involves "trust" itself. Okay,
so you've signed this key BUT how much do you trust this person to
sign other users' keys for you. In order to answer this question, you
must first ask yourself this: Is this individual as mindful and sagacious as
yourself when it comes to adding and signing keys. Do they likewise
carry out the above steps in good faith?!!! Sure, you've established their
authenticity but do you really trust their judgment? Are they
responsible and thoughtful about the procedure. We all have friends
who we don't mind buying something for with our credit card, but do we
trust them to be left alone for the day with our card ---- hmmmm?

Consider the following example in which I indulge myself in an act of
humility: Let's suppose you know me, and you decide to add my public
key (maybe I e-mailed it to you) to your keyring. Next, you
substantiate that this is indeed my key by calling me to confirm the
fingerprint (maybe you check with one of your friends who also has my
key, whatever). You don't do this because you think I'm
malicious. Instead, you do this to ensure that some hacker didn't
intercept the e-mail and change it. Okay, everything makes sense up to 
this point. The next thing is "trust". Perhaps you don't think I
exercise good judgment when it comes to doing things with
GnuPG. Maybe I add every joker to my keyring, choose weak pass-phrases
and I trust every huckster that comes within a mile of me. In this
case, you certainly would *NOT* want to modify the default trust for
my key. Leave it as is. Signing my key just means that you can now
verify things I send you or things I've encrypted. You haven't let the 
fox into the hen house just yet. But let's suppose you're not thinking
and you decide to "trust" me, then you create a problem!!! If I send
you a key, signed by me, that someone sent me, and you then decide to
add it to your key ring then the fact that you have "trusted" me means that the
key that you add will now auto-magically be signed. GnuPG will *NOT*
ask you to sign the key. This is because you have "trusted" me to sign 
other user's keys that I have signed. This makes sense if you trust
the person to do this because then you don't have to confirm "b=c",
just "a=b", so you get "a=c" as the result. In the above example,
however, this would be BAD.

The final thing on trust is this: Add as needed and *only* if needed.

All in all, build you web of trust slowly and never give anyone a
level of trust higher than necessary to do your job. Substantiate
everything within reason.

Hope this helps.

George Sinclair | gsinclair@nodc.noaa.gov

"All roads lead to Rome, but those to Byzantium are the loveliest."