certificate chain depth (technical)
dshaw at jabberwocky.com
Sun Apr 26 16:52:25 CEST 2009
On Apr 26, 2009, at 3:54 AM, Raimar Sandner wrote:
> On Sunday 26 April 2009 07:00:52 you wrote:
>> On Apr 25, 2009, at 6:27 PM, Raimar Sandner wrote:
>>> On Saturday 25 April 2009 18:27:44 Raimar Sandner wrote:
>>>> when gnupg trusts a key as a result of trustdb calculations, I
>>>> would like to know what the chain depth for the given key is.
>> The trustdb actually doesn't store per-user ID depth values.
>> Rather, one of the many possible depths is stored for the key as a
>> whole, which is fine for our purposes, but may not give you what
>> you want here. Take the case of A signs B(uid1), A signs C(uid1),
>> and C signs B(uid2). B is thus fully valid as per B(uid1) being
>> signed. But B(uid2) is also valid, and at one level of depth
>> larger than B(uid1). B as a whole thus lives at both depth 0 and
>> depth 1. We store this as 1, but I think you'd want it at 0.
> With "we store this as 1", you mean that when B signs D(uid1), uid1
> being the only uid on D, D(uid1) and thus D as a whole is regarded
> to be valid at level 2 (given sufficient ownertrust of B)?
Not exactly. The level for a single-uid key is what you'd expect it
to be naturally. The question arises when there are two or more uids
on a key, each becoming valid at a different level. For a given key,
we store the highest level that covers all of the valid uids, or put
another way, the key has the level for the most-distant valid uid. I
believe you are looking for the key to have the level of the least-
distant valid uid.
> I ask that because signatures are made by keys, not by uids. Gpg
> regards a signature to be valid, if and only if there is at least
> one fully valid uid on the signing key, right? Wouldn't it then be
> consistent to regard a key as a whole valid at level n, if it has a
> uid signed by a key which has at least one uid being valid at level
It would be equally as correct as what we do now. The algorithm
doesn't need those levels once the trustdb is built.
More information about the Gnupg-users
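To make the two conventions in the exchange above concrete (GnuPG storing the depth of the most-distant valid uid versus the least-distant one, and how that choice propagates to keys signed by B), here is an added worked example. It is not GnuPG code and does not reproduce the trustdb algorithm; it is a deliberately simplified web-of-trust model written for this page. Assumptions: one signature from a fully ownertrusted (or ultimate) key is enough to validate a uid (no marginal counting), a key can only certify others once it has at least one valid uid, the ultimately trusted root A sits at depth 0 so uids A signs are at depth 1 (the thread's numbering puts those at 0; the absolute numbers are off by one, the max-versus-min contrast is the same), and the depth limit of 5 mirrors GnuPG's default --max-cert-depth. The signature set is constructed from the thread: A signs B(uid1), A signs C(uid1), C signs B(uid2), B signs D(uid1), with B and C given full ownertrust.

```python
# Added example: per-uid certification depth and two policies for collapsing
# it to a per-key depth ("max" = most-distant valid uid, as the thread says
# GnuPG stores; "min" = least-distant valid uid, as the asker wants).
# Not GnuPG code; a simplified model with the assumptions given in the lead-in.

# Constructed input from the thread: (signer key, signed key, signed uid).
SIGNATURES = [
    ("A", "B", "uid1"),
    ("A", "C", "uid1"),
    ("C", "B", "uid2"),
    ("B", "D", "uid1"),
]
ULTIMATE = {"A"}          # ultimately trusted root(s), depth 0 by definition
FULL_OWNERTRUST = {"B", "C"}  # keys allowed to certify others once valid


def compute_depths(signatures, ultimate, full_ownertrust, policy, max_depth=5):
    """Return (uid_depth, key_depth).

    uid_depth maps (key, uid) -> smallest number of certification hops from an
    ultimate key.  key_depth maps key -> one depth per key, chosen by `policy`
    ("max" or "min") over that key's valid uids.  A key appears in key_depth
    only if it is valid, i.e. has at least one valid uid (or is ultimate).
    Iterates to a fixpoint because a key's depth feeds into the depth of the
    uids it certifies.
    """
    if policy not in ("max", "min"):
        raise ValueError("policy must be 'max' or 'min'")
    key_depth = {k: 0 for k in ultimate}
    # Bounded loop: uid depths never exceed max_depth, so the state space is
    # finite; the bound only guards against a pathological cycle.
    for _ in range(1000):
        uid_depth = {}
        for signer, key, uid in signatures:
            if signer not in key_depth:
                continue  # signer has no valid uid yet, its signatures count for nothing
            if signer not in ultimate and signer not in full_ownertrust:
                continue  # valid but not trusted to certify others
            d = key_depth[signer] + 1
            if d > max_depth:
                continue  # beyond the certification depth limit
            prev = uid_depth.get((key, uid))
            if prev is None or d < prev:
                uid_depth[(key, uid)] = d  # keep the shortest path to this uid
        # Collapse per-uid depths to a per-key depth under the chosen policy.
        new_key_depth = {k: 0 for k in ultimate}
        per_key = {}
        for (key, uid), d in uid_depth.items():
            if key in ultimate:
                continue
            per_key.setdefault(key, []).append(d)
        for key, ds in per_key.items():
            new_key_depth[key] = max(ds) if policy == "max" else min(ds)
        if new_key_depth == key_depth:
            return uid_depth, key_depth
        key_depth = new_key_depth
    raise RuntimeError("depth computation did not converge")


def key_depth_under(policy):
    """Convenience wrapper over the constructed web of trust above."""
    _, key_depth = compute_depths(SIGNATURES, ULTIMATE, FULL_OWNERTRUST, policy)
    return key_depth


if __name__ == "__main__":
    for policy in ("max", "min"):
        uid_depth, key_depth = compute_depths(
            SIGNATURES, ULTIMATE, FULL_OWNERTRUST, policy)
        print(policy, "uid depths:", sorted(uid_depth.items()))
        print(policy, "key depths:", sorted(key_depth.items()))
```

With this input B(uid1) is at depth 1 and B(uid2) at depth 2 under either policy; the policies differ only in the per-key value (B at 2 under "max", 1 under "min") and, through B's certification of D, in D's depth (3 versus 2). That is the point David makes in the reply: once uids have been validated the per-key number is a reporting choice, and both choices are internally consistent.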