How to change trust model

[David Shaw]

On Wed, May 11, 2005 at 10:05:52PM +0200, Per Tunedal Casual wrote:

> now I tried:
> 1. Creating one Root-CA, signing a CA-key by:
> gpg --edit-key keyid
> tsign
> with 2 = I trust fully
> and
>   depth = 2
> 
> 2. Letting a "user key" sign the Root-CA-key with
> ltsign
> with 2 = I trust fully
> and
>   depth = 2
> 
> Result:
> Keys signed by the CA-key are valid for the user.
> 
> Questions:
> Please explain the depth i detail.
> 
> A. Would it be sufficient to choose depth = 1 for both trust
> signatures above?

Yes.  You only have one link betweeen you and the user: you -> CA -> user

Using a depth of 2 here will work, of course, but is overkill.

> B. What happens if a key signed by the CA signs an other key with an
> ordinary exportable signature?

The usual thing happens, because that signature isn't part of the
trust signature chain.  We've already established that the key signed
by the CA is valid, so if you have sufficient ownertrust set, then
this other key would be valid as well.

> C Why choose depth = 2? A scenario?

You -> Big CA -> Little CA -> User

Useful in a company with many subdivisions.  You just sign the master
CA with a depth of 2, the master CA signs the various subdivision keys
with a level of 1, and the subdivision keys sign all the users in
their subdivision.

End result is that all users become valid to you.

Signing someone with a level of 2 or greater gives them *a lot* of
power.  It basically means that not only are they trusted introducers
for you, but they can grant the ability to be trusted introducers for
you to someone else.

David