certificate chain depth (technical)

Raimar Sandner lists at 404not-found.de
Sun Apr 26 09:54:07 CEST 2009

On Sunday 26 April 2009 07:00:52 you wrote:
> On Apr 25, 2009, at 6:27 PM, Raimar Sandner wrote:
> > On Saturday 25 April 2009 18:27:44 Raimar Sandner wrote:
> >> Hello,
> >>
> >> when gnupg trusts a key as a result of trustdb calculations, I
> >> would like to know what the chain depth for the given key is.

> The trustdb actually doesn't store per-user ID depth values.
> Rather, one of the many possible depths is stored for the key as a
> whole, which is fine for our purposes, but may not give you what
> you want here.  Take the case of A signs B(uid1), A signs C(uid1),
> and C signs B(uid2).  B is thus fully valid as per B(uid1) being
> signed.  But B(uid2) is also valid, and at one level of depth
> larger than B(uid1).  B as a whole thus lives at both depth 0 and
> depth 1.  We store this as 1, but I think you'd want it at 0.

With "we store this as 1", you mean that when B signs D(uid1), uid1
being the only uid on D, D(uid1) and thus D as a whole is regarded
to be valid at level 2 (given sufficiant ownertrust of B)?

I ask that because signatures are made by keys, not by uids. Gpg
regards a signature to be valid, if and only if there is at least
one fully valid uid on the signing key, right? Wouldn't it then be
consistent to regard a key as a whole valid at level n, if it has a
uid signed by a key which has at least one uid being valid at level

> You can see this in action, and perhaps give you the information
> you want, by doing:
>        gpg -v -v --check-trustdb.

Thank you, that actually helps me a lot. I didn't know the -v -v
switch of --check-trustdb up to now.


More information about the Gnupg-users mailing list