certificate chain depth

David Shaw dshaw at jabberwocky.com
Sun Apr 26 01:10:24 CEST 2009


On Apr 25, 2009, at 6:18 PM, Raimar Sandner wrote:

> On Saturday 25 April 2009 22:00:05 John W. Moore III wrote:
>> Raimar Sandner wrote:
>>> In the end it is of course a people thing whether you trust a key or not,
>>> no mathematical model ever can replace your final decision. So there is a
>>> big difference in gpg saying "fully trusted" and you thinking "fully
>>> trusted".
>>
>> This is why both Owner Trust & Calculated Trust exist.  One is a
>> mathematical result and the other is a Personal evaluation.
>>
>
> Well, as I understand those two are quite different. The owner trust refers to
> my personal trust in the _owner_ of a key to correctly sign other keys.

Yes.

> The
> calculated trust refers to the validity of a _key_ (and is of course
> calculated based on the ownertrust values belonging to the signatures
> attached to this key).

Almost.  The calculated trust actually refers to the validity of a  
given user ID on a given key.  It is possible to have a key with  
multiple user IDs, some of which are calculated to be valid, and some  
of which are not.

> So one is trust in a key (here gpg can give a hint) and
> one is trust in people (here gpg cannot say anything). But they are not trust
> values referring to the same thing, one being my opinion and one gpg's.

Yes.  The terminology can get difficult if the term "trust" is used  
for both.  Many people use the words "trust" (aka owner trust or  
personal trust) and "validity" for these two concepts.

David
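
The distinction drawn in the message above, as an added example that is not part of the original post and is not GnuPG's code: a simplified model of the classic trust calculation in which owner trust is the input and validity is the output, computed per user ID. The keyring, key names and addresses are constructed; the thresholds follow gpg's `--completes-needed` (1) and `--marginals-needed` (3) defaults, and `max_depth` stands in for `--max-cert-depth`.

```python
# Simplified model of the classic web-of-trust calculation (added example,
# not GnuPG source). Thresholds mirror gpg's documented defaults.
COMPLETES_NEEDED = 1   # --completes-needed
MARGINALS_NEEDED = 3   # --marginals-needed

# Constructed keyring. "ownertrust" is your judgement of the owner as a
# certifier; "uids" maps each user ID to the key IDs that signed it.
KEYRING = {
    "ME":    {"ownertrust": "ultimate", "uids": {"me@example.org": []}},
    "ALICE": {"ownertrust": "full", "uids": {"alice@example.org": ["ME"]}},
    "BOB":   {"ownertrust": "unknown", "uids": {
        "bob@example.org": ["ALICE"],  # certified by a fully trusted signer
        "bob@example.net": [],         # nobody certified this user ID
    }},
    "CAROL": {"ownertrust": "full", "uids": {"carol@example.org": ["BOB"]}},
}

def uid_validity(keyring, max_depth=5):  # max_depth models --max-cert-depth
    """Return {(key_id, uid): 'full' | 'marginal' | 'unknown'}."""
    validity = {(k, u): "unknown" for k, v in keyring.items() for u in v["uids"]}
    for k, v in keyring.items():
        if v["ownertrust"] == "ultimate":  # your own keys are valid by definition
            for u in v["uids"]:
                validity[(k, u)] = "full"
    for _ in range(max_depth):
        # A signature counts only if the signing key already has a valid user ID.
        valid_keys = {k for (k, _u), val in validity.items() if val == "full"}
        changed = False
        for (k, u), current in list(validity.items()):
            if current == "full":
                continue
            trust = [keyring[s]["ownertrust"]
                     for s in keyring[k]["uids"][u] if s in valid_keys]
            full = sum(t in ("full", "ultimate") for t in trust)
            marginal = trust.count("marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = "full"
            else:
                new = "marginal" if marginal else "unknown"
            if new != current:
                validity[(k, u)] = new
                changed = True
        if not changed:
            break
    return validity

if __name__ == "__main__":
    for (key, uid), val in uid_validity(KEYRING).items():
        print(f"{key:6} ownertrust={KEYRING[key]['ownertrust']:9} {uid:18} validity={val}")
```

In the constructed keyring, Bob's key carries one valid and one unverified user ID, and Carol's full owner trust gives her own user ID no validity because her only certifier, Bob, has unknown owner trust.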



