certificate chain depth

Raimar Sandner lists at 404not-found.de
Sat Apr 25 21:46:32 CEST 2009

On Saturday 25 April 2009 20:58:44 david wrote:
> Raimar Sandner wrote:
> > Hello,
> >
> > when gnupg trusts a key as a result of trustdb calculations, I would
> > like to know what the chain depth for the given key is.
> Hi, I don't wish to be over-simplistic, but I had thought that the web
> of trust was a people thing rather than a mathematical model.

> I can appreciate it's difficult to form a web of trust between people
> that you never meet - like me posting here - the idea I thought was to
> develop such networks through people that one knows - or gets to know
> via  shared contacts - shared experiences - common interests and concerns.

Not over-simplistic, you're definitely right about this. The best thing to do 
still is to go out, sign keys and thus establish trust. But as you say that is 
not always possible in a large community.

In the end it is of course a people thing whether you trust a key or not, no 
mathematical model ever can replace your final decision. So there is a big 
difference in gpg saying "fully trusted" and you thinking "fully trusted".

I think _because_ it's a people thing, feedback from gpg about the depth would 
be nice. Say over time I have added a lot of keys to my keyring, assigned 
ownertrust values, and now encounter a signature, gpg saying "Good signature, 
key fully trusted". I would appreciate an option to see at first glance whether 
gpg takes the key as fully trusted because I signed it or because a friend's 
friend signed it, to help me make a final decission.

The web of trust is a great way to establish some amount of trust into new 
keys when you cannot meet the owner. But I think that maybe gpg could help 
differentiate a bit more between keys introduced through the web of trust and 
keys that I have signed personally, for example by showing the depth level.

> What is trust anyway? Common shared values? How does one measure that
> with the depth of signed keys?

I'd rather say "give a hint about trust" than "measure trust" :)


More information about the Gnupg-users mailing list