certificate chain depth

Raimar Sandner lists at 404not-found.de
Sat Apr 25 18:27:44 CEST 2009


when gnupg trusts a key as a result of trustdb calculations, I would
like to know what the chain depth for the given key is.

I know that I can control the maximal acceptable depth with the
max-cert-depth configuration parameter. I would like to keep the
default of 5, but it is still a difference regarding the
trustworthiness of a key if it is frully trusted in, say, third or 
fifth level.

Manually following the trust chains can be annoying, and could also
lead to false conclusions as in the following small example:

Say we have marginals-needed=2, completes-needed=1 and the web of 
trust is

#   me -> A ---------> E
#   |     \---> D ----/
#   \-> B -> C /

with the ownertrust values
A: marginal
D: marginal
C: marginal
B: full

On a first glance one might think as we have the chains me->A->E and
me->A->D->E, that E is fully trusted in third level. But because D
only is trusted in third level (me->B->C->D), E is actually trusted
in fourth level. This rapidly gets more complex with a growing web
of trust.

As of now I can only think of gradually reducing max-cert-depth,
recalculating trustdb and see, if a given key stays fully trusted.
Is there a better way to determin the cert depth? If not, I think
this would be a nice feature to implement.


More information about the Gnupg-users mailing list