certificate chain depth (technical)
Raimar Sandner
lists at 404not-found.de
Sun Apr 26 09:54:07 CEST 2009
On Sunday 26 April 2009 07:00:52 you wrote:
> On Apr 25, 2009, at 6:27 PM, Raimar Sandner wrote:
> > On Saturday 25 April 2009 18:27:44 Raimar Sandner wrote:
> >> Hello,
> >>
> >> when gnupg trusts a key as a result of trustdb calculations, I
> >> would like to know what the chain depth for the given key is.
> The trustdb actually doesn't store per-user ID depth values.
> Rather, one of the many possible depths is stored for the key as a
> whole, which is fine for our purposes, but may not give you what
> you want here. Take the case of A signs B(uid1), A signs C(uid1),
> and C signs B(uid2). B is thus fully valid as per B(uid1) being
> signed. But B(uid2) is also valid, and at one level of depth
> larger than B(uid1). B as a whole thus lives at both depth 0 and
> depth 1. We store this as 1, but I think you'd want it at 0.
With "we store this as 1", you mean that when B signs D(uid1), uid1
being the only uid on D, D(uid1) and thus D as a whole is regarded
to be valid at level 2 (given sufficient ownertrust of B)?
I ask that because signatures are made by keys, not by uids. Gpg
regards a signature to be valid, if and only if there is at least
one fully valid uid on the signing key, right? Wouldn't it then be
consistent to regard a key as a whole valid at level n, if it has a
uid signed by a key which has at least one uid being valid at level
n-1?
> You can see this in action, and perhaps give you the information
> you want, by doing:
>
> gpg -v -v --check-trustdb.
Thank you, that actually helps me a lot. I didn't know the -v -v
switch of --check-trustdb up to now.
Raimar
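The depth question discussed in this thread, worked through as an added example (this is not gpg's trustdb code, and it simplifies by assuming every signing key has sufficient ownertrust). It follows the thread's description: signatures are made by keys on (key, uid) pairs, a key can act as a signer once one of its uids is valid, and a uid's depth is the number of intermediate keys between the ultimately trusted root and that uid, so a uid signed directly by the root is at depth 0 as in the quoted B(uid1) case. The signature graph is the one from the thread (A signs B(uid1), A signs C(uid1), C signs B(uid2)); `key_depth` and `depth_of_new_signee` are names chosen here and show how B's stored depth, and therefore D's, differs between "store the larger depth" and "store the shallowest uid's depth".

```python
"""Toy model of certificate-chain depth in a web of trust (added example,
not gpg's trustdb implementation)."""
from collections import deque

# Constructed signature graph from the thread: A signs B(uid1), A signs
# C(uid1), C signs B(uid2).  A is the ultimately trusted root.
SIGNATURES = [
    ("A", ("B", "uid1")),
    ("A", ("C", "uid1")),
    ("C", ("B", "uid2")),
]


def uid_depths(root, signatures):
    """Return {(key, uid): depth} for every uid reachable from root.

    Breadth-first search, so each uid gets the depth of the shortest
    certification chain; a key joins the pool of usable signers as soon
    as its first (shallowest) uid becomes valid.
    """
    targets_of = {}
    for signer, target in signatures:
        targets_of.setdefault(signer, []).append(target)
    depths = {}
    # Depth at which a key first became usable as a signer; -1 for the
    # root so that uids it signs directly land at depth 0.
    signer_depth = {root: -1}
    queue = deque([root])
    while queue:
        signer = queue.popleft()
        for target in targets_of.get(signer, []):
            if target in depths:
                continue  # reached earlier by a chain at least as short
            depths[target] = signer_depth[signer] + 1
            key = target[0]
            if key not in signer_depth:
                signer_depth[key] = depths[target]
                queue.append(key)
    return depths


def key_depth(key, depths, aggregate):
    """Collapse a key's per-uid depths into one stored value.

    aggregate=max models the thread's "we store this as 1" (the larger
    depth wins); aggregate=min models the rule Raimar proposes (the key
    is valid at the level of its shallowest valid uid).
    """
    per_uid = [d for (k, _uid), d in depths.items() if k == key]
    return aggregate(per_uid)


def depth_of_new_signee(signer, depths, aggregate):
    """Depth a uid signed only by `signer` gets, given how the signer's
    own depth is stored.  This is Raimar's follow-up: if B signs D(uid1),
    is D at level 2 (larger-depth rule) or level 1 (shallowest-uid rule)?
    """
    return key_depth(signer, depths, aggregate) + 1


if __name__ == "__main__":
    depths = uid_depths("A", SIGNATURES)
    for (key, uid), d in sorted(depths.items()):
        print(f"{key}({uid}) valid at depth {d}")
    print("B stored, larger-depth rule:  ", key_depth("B", depths, max))
    print("B stored, shallowest-uid rule:", key_depth("B", depths, min))
    print("D(uid1) if B signs it, larger-depth rule:  ",
          depth_of_new_signee("B", depths, max))
    print("D(uid1) if B signs it, shallowest-uid rule:",
          depth_of_new_signee("B", depths, min))
```

Running it lists B(uid1) and C(uid1) at depth 0 and B(uid2) at depth 1, which is exactly the ambiguity the quoted reply describes: B has no single depth, and whichever aggregation rule is chosen propagates to everything B signs afterwards. The `gpg -v -v --check-trustdb` output mentioned above is the place to compare real per-key depths against this model.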