certificate chain depth
lists at 404not-found.de
Sat Apr 25 21:46:32 CEST 2009
On Saturday 25 April 2009 20:58:44 david wrote:
> Raimar Sandner wrote:
> > Hello,
> > when gnupg trusts a key as a result of trustdb calculations, I would
> > like to know what the chain depth for the given key is.
> Hi, I don't wish to be over-simplistic, but I had thought that the web
> of trust was a people thing rather than a mathematical model.
> I can appreciate it's difficult to form a web of trust between people
> that you never meet - like me posting here - the idea I thought was to
> develop such networks through people that one knows - or gets to know
> via shared contacts - shared experiences - common interests and concerns.
Not over-simplistic, you're definitely right about this. The best thing to do
still is to go out, sign keys and thus establish trust. But as you say that is
not always possible in a large community.
In the end it is of course a people thing whether you trust a key or not, no
mathematical model ever can replace your final decision. So there is a big
difference in gpg saying "fully trusted" and you thinking "fully trusted".
I think _because_ it's a people thing, feedback from gpg about the depth would
be nice. Say over time I have added a lot of keys to my keyring, assigned
ownertrust values, and now encounter a signature, gpg saying "Good signature,
key fully trusted". I would appreciate an option to see at first glance whether
gpg takes the key as fully trusted because I signed it or because a friend's
friend signed it, to help me make a final decission.
The web of trust is a great way to establish some amount of trust into new
keys when you cannot meet the owner. But I think that maybe gpg could help
differentiate a bit more between keys introduced through the web of trust and
keys that I have signed personally, for example by showing the depth level.
> What is trust anyway? Common shared values? How does one measure that
> with the depth of signed keys?
I'd rather say "give a hint about trust" than "measure trust" :)
More information about the Gnupg-users