trust problem

David Shaw dshaw at jabberwocky.com
Thu Jan 1 12:14:41 CET 2004


On Thu, Jan 01, 2004 at 01:51:08PM +0100, Ingo Klöcker wrote:
> On Wednesday 31 December 2003 01:41, David Shaw wrote:
> > The "PGP" model is the one based on Maurer.  The idea is that each
> > signature has a numeric value embedded in it, and validity is a
> > function of that value.  So if A signs a user ID on B with 100
> > points, and A is fully valid, then B has 100 points.  B can then sign
> > a user ID on C, but can only use 100 points to do it (if B signs with
> > 200 points, C only gets 100 of them).  By convention, 60 points is
> > equivalent to the classic trust model's "partial trust", and 120
> > points is equivalent to "full trust".  The signature can also have
> > the number of levels the points may travel, and a regular expression
> > to match user IDs on which the points may travel.  Thus you can make
> > signatures that say such things as "I sign B's user ID, but I only
> > trust B enough to make people partially trusted and only for people
> > at aol.com.  All trust must stop after 2 hops.".
> 
> I guess everything after the "[...], but" is not incorporated into the 
> signature but is part of the local trust database. Correct?

No, this is one of the crucial details of trust signatures.  ALL of
the information is incorporated into the signature.  This is both good
and bad - it's nice that the signer can require the recipient to
interpret the information the way the signer wants.  It's perhaps less
than nice to say publicly how much you trust people to sign keys
correctly!

> Now I wonder how I can specify "I only trust B enough to make people
> partially trusted and only for people at aol.com". Is it correct
> that the first part "partially trusted" can be achieved by assigning
> "marginal trust" to a key owner (gpg --edit-key trust)? How can I
> assign a regexp?

You do all of it in one step with "tsign".  tsign prompts you for all
the other information, including trust level, maximum number of hops,
and domain for the regexp.  tsign is only available in the 1.3.x
branch.

David
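The point, hop and regexp rules described in the message, worked through as an added toy model (this is not GnuPG's code; the key names, the rule that points from several signers are summed and capped at 120, and the first-path-wins handling of a key reached twice are assumptions made here):

```python
import re
from dataclasses import dataclass, field

# Constructed model of the point-based ("PGP"/Maurer) trust-signature
# scheme from the message. Assumptions: points from different signers
# are summed and capped at FULL; a key reached by two paths keeps the
# state of the first path that reached it.
FULL, MARGINAL = 120, 60


@dataclass
class TrustSig:
    signer: str      # key that made the trust signature
    target: str      # key whose user ID is signed
    uid: str         # the user ID that was signed
    points: int      # trust amount embedded in the signature
    depth: int       # further levels the points may travel past target
    regex: str = ""  # pattern that user IDs signed by target must match


@dataclass
class State:
    points: int                 # points this key may hand on
    depth: int                  # hops this key may still delegate
    regexes: list = field(default_factory=list)  # inherited constraints


def validity(points: int) -> str:
    return "full" if points >= FULL else "marginal" if points >= MARGINAL else "none"


def propagate(root: str, sigs: list[TrustSig]) -> dict[str, int]:
    """Points each key ends up with, starting from a fully valid root key."""
    states = {root: State(FULL, 10**9)}      # root may delegate without limit
    totals: dict[str, int] = {root: FULL}
    frontier = [root]
    while frontier:
        signer = frontier.pop(0)
        st = states[signer]
        if st.depth < 1:
            continue                          # hop limit reached: stops here
        for s in (x for x in sigs if x.signer == signer):
            # points travel only over user IDs matching every regexp on the path
            if not all(re.search(rx, s.uid) for rx in st.regexes):
                continue
            got = min(s.points, st.points)    # cannot give more than you have
            totals[s.target] = min(FULL, totals.get(s.target, 0) + got)
            if s.target not in states:
                states[s.target] = State(got, min(s.depth, st.depth - 1),
                                         st.regexes + ([s.regex] if s.regex else []))
                frontier.append(s.target)
    return totals


def demo() -> dict[str, int]:
    """Constructed chain: A signs B with 100 points, 1 hop, aol.com only."""
    sigs = [
        TrustSig("A", "B", "bob@example.org", 100, 1, r"@aol\.com$"),
        TrustSig("B", "C", "carol@aol.com", 200, 5),   # B over-claims: capped at 100
        TrustSig("B", "E", "eve@example.net", 100, 1),  # wrong domain: no points
        TrustSig("C", "D", "dave@aol.com", 100, 1),     # beyond hop limit: no points
    ]
    return propagate("A", sigs)
```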