trust problem

David Shaw dshaw at jabberwocky.com
Tue Dec 30 19:41:07 CET 2003


On Tue, Dec 30, 2003 at 04:54:08PM -0700, Paul E Condon wrote:

> My words that you quote were in response to a post in which the
> writer (Adrian von Bidder) objected to something which I suggested
> as being too complicated for most users. I took his words to mean
> that this objection was his only significant objection to my earlier
> post. He pointed me to some papers by Prof. Ueli Maurer, who had
> worked out a more complex model in a paper entitled "Modeling a
> Public Key Infrastructure". I've learned from that paper that there
> are, indeed, some more complex models. In fact, there seem to be a
> variety of them.
> 
> Is this Prof. Maurer the same person to whom you refer? I get the
> impression from the paper that he thinks there is more missing from
> PGP than cycles.  He calls them, in good academic fashion, something
> like 'directions for future research'.

If I recall, the Modeling a Public Key Infrastructure paper is from
the PGP 2.x era.  When PGP 5 was being developed, the paper was used
to make a new trust model.

> My original remarks should be understood as the comments of a
> student who is learning. "Wouldn't it be better if ...? " I would
> like to read a discussion of the design tradeoffs that went into the
> GPG model, some discussion of why some things are left out
> (e.g. cycles) and why such omissions are acceptable.

There are two main trust models in GnuPG.  First, the "classic", has
user IDs being the item being signed.  A key signs a user ID, thus
expressing the key owner's belief that the user ID is valid.  The user
ID belongs to a key of its own, of course, and that key becomes the
beneficiary of this validity.

The "PGP" model is the one based on Maurer.  The idea is that each
signature has a numeric value embedded in it, and validity is a
function of that value.  So if A signs a user ID on B with 100 points,
and A is fully valid, then B has 100 points.  B can then sign a user
ID on C, but can only use 100 points to do it (if B signs with 200
points, C only gets 100 of them).  By convention, 60 points is
equivalent to the classic trust model's "partial trust", and 120
points is equivalent to "full trust".  The signature can also have the
number of levels the points may travel, and a regular expression to
match user IDs on which the points may travel.  Thus you can make
signatures that say such things as "I sign B's user ID, but I only
trust B enough to make people partially trusted and only for people at
aol.com.  All trust must stop after 2 hops.".  A given key may only be
a member of one chain at a given time.  By convention, the most recent
chain is chosen.

It's sort of loosely based on Maurer's paper, with the changes you see
to accomodate using it alongside the classic trust model.

David



More information about the Gnupg-users mailing list