certificate chain depth (technical)

David Shaw dshaw at jabberwocky.com
Sun Apr 26 16:52:25 CEST 2009

On Apr 26, 2009, at 3:54 AM, Raimar Sandner wrote:

> On Sunday 26 April 2009 07:00:52 you wrote:
>> On Apr 25, 2009, at 6:27 PM, Raimar Sandner wrote:
>>> On Saturday 25 April 2009 18:27:44 Raimar Sandner wrote:
>>>> Hello,
>>>> when gnupg trusts a key as a result of trustdb calculations, I
>>>> would like to know what the chain depth for the given key is.
>> The trustdb actually doesn't store per-user ID depth values.
>> Rather, one of the many possible depths is stored for the key as a
>> whole, which is fine for our purposes, but may not give you what
>> you want here.  Take the case of A signs B(uid1), A signs C(uid1),
>> and C signs B(uid2).  B is thus fully valid as per B(uid1) being
>> signed.  But B(uid2) is also valid, and at one level of depth
>> larger than B(uid1).  B as a whole thus lives at both depth 0 and
>> depth 1.  We store this as 1, but I think you'd want it at 0.
> With "we store this as 1", you mean that when B signs D(uid1), uid1
> being the only uid on D, D(uid1) and thus D as a whole is regarded
> to be valid at level 2 (given sufficiant ownertrust of B)?

Not exactly.  The level for a single-uid key is what you'd expect it  
to be naturally.  The question arises when there are two or more uids  
on a key, each becoming valid at a different level.  For a given key,  
we store the highest level that covers all of the valid uids, or put  
another way, the key has the level for the most-distant valid uid.  I  
believe you are looking for the key to have the level of the least- 
distant valid uid.

> I ask that because signatures are made by keys, not by uids. Gpg
> regards a signature to be valid, if and only if there is at least
> one fully valid uid on the signing key, right? Wouldn't it then be
> consistent to regard a key as a whole valid at level n, if it has a
> uid signed by a key which has at least one uid being valid at level
> n-1?

It would be equally as correct as what we do now.  The algorithm  
doesn't need those levels once the trustdb is built.


More information about the Gnupg-users mailing list