Changing & verifying the --max-cert-depth in Windows

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 4 18:45:44 CET 2010


On 03/04/2010 08:18 AM, erythrocyte wrote:
> And here's the output of the last command:
> 
>       gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
>       gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
>       gpg: next trustdb check due at 2011-03-03
> 
> It mentions that the --marginals-needed option is set to 3. And
> --completes-needed option is set to 1. Which I think I'm okay with.
> But the depth mentioned is 0!
> 
> Why hasn't it changed? And how do I verify my current --max-cert-depth value?

I think you're not reading that data the way that it was intended to be
read.  (this is not your fault, the docs are pretty thin).

That line says "of the certificates that are depth 0 from you (meaning
they effectively *are* you), there is exactly one valid OpenPGP cert,
and it has been granted ultimate ownertrust" -- this is a description of
*your own key*, actually.  the "signed: 0" bit suggests that your key
has made no certifications over the userIDs of any other OpenPGP key.

When i run gpg --check-trustdb, i get an additional line of output:

0 dkg at pip:~$ gpg --check-trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:  83  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  83  signed: 128  trust: 70-, 1q, 1n, 10m, 1f, 0u
gpg: next trustdb check due at 2010-03-07
0 dkg at pip:~$

So my first line (depth: 0) looks similar to yours, but points out that
my key has made certifications over the userIDs of 83 other keys.

that second line (depth: 1) says:

of the certificates that are 1 hop away from you, 83 of them are known
to be valid (these are the same 83 that i've personally certified).
none of them have ultimate ownertrust (otherwise that key would be
listed in the depth: 0 line), one of them has full ownertrust ("1f"), 10
have marginal ownertrust ("10m"), 1 has explicitly *no* ownertrust
("1n"), 70 i've never bothered to state ownertrust ("70-"), and 1 has
explicitly-stated "undefined" ownertrust ("1q" -- i'm not really sure
how this is different).

I'm also not sure what the "signed: 128" suggests in the "depth: 1"
line.  Surely of all 83 keys i've certified, they have collectively
issued more than 128 certifications themselves.  maybe someone else can
explain that bit?


so, your max-depth is being respected -- you're nowhere near 3 hops away
from your key.  in fact, it looks like you've issued no ownertrust to
any key other than yourself, so changing the max depth won't have any
current effect.


------------------------

Here's my understanding:

 * when you certify the userID of a key, you're saying you believe that
the real-world entity referred to by the User ID does in fact control
the secret part of the key.

 * in particular, you say *nothing* about whether you feel you can rely
on certifications made by that key.

 * internally to GPG, you can also assign a level of "ownertrust" to any
given key -- this tells your OpenPGP toolset how much you are
willing to believe certifications made by that key.

 * Your own key is marked by default as having "ultimate" ownertrust,
which means that any userID/key combo certified by your key will be
considered to be valid.

 * Note that GPG will not apply ownertrust to a key (even if you've
specified it) unless it already believes that at least one User ID on
that key is valid.



So to reach a depth of 2, you'd have to have assigned ownertrust to at
least one key that you had not personally certified (but was certified
by other keys in which you've placed ownertrust).  To reach a depth of
3, you'd have to have assigned ownertrust to one of the keys that are
depth 2 from you, etc.

hope this helps,

	--dkg
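A small model of the depth computation described above, added here as an example; it is not GnuPG's code and not part of the original message. It applies the rules the message lists (only ultimate/full/marginal ownertrust counts, a key's ownertrust is not applied until that key is itself valid, depth n keys are those first validated by keys at depth below n, and nothing beyond --max-cert-depth is validated) to a constructed set of keys and certifications, and prints per-depth lines shaped like the "depth: N  valid: ..." output of gpg --check-trustdb. The key names, the certification list and the exact cut-off behaviour of max_cert_depth are assumptions for illustration; the "signed:" column is left out since its meaning is not settled above. Real GnuPG also tracks per-user-ID validity, expiry, revocation and trust signatures, none of which are modelled here.

```python
from collections import defaultdict

# Ownertrust letters as they appear in the gpg --check-trustdb summary.
ULTIMATE, FULL, MARGINAL = "u", "f", "m"   # '-', 'q' and 'n' never count
TRUST_LETTERS = "-qnmfu"

# Constructed sample web of trust (hypothetical names, not real keys).
KEYS = {
    "alice": ULTIMATE,   # your own key: depth 0
    "bob": FULL,
    "carol": MARGINAL,
    "dave": MARGINAL,
    "erin": MARGINAL,    # ownertrust assigned, but alice never certified erin
    "frank": "-",
    "grace": "-",
}
CERTS = [  # (signer, key whose user ID was certified)
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "frank"), ("bob", "erin"),
    ("carol", "grace"), ("dave", "grace"), ("erin", "grace"),
]


def compute_validity(keys, certs, marginals_needed=3, completes_needed=1,
                     max_cert_depth=5):
    """Return {key: depth} for every key that ends up valid.

    Assumed cut-off semantics: iteration d validates depth-d keys, so
    max_cert_depth=N allows keys up to depth N and nothing further.
    """
    certified_by = defaultdict(set)
    for signer, target in certs:
        certified_by[target].add(signer)

    # Depth 0: keys with ultimate ownertrust are valid by definition.
    valid = {k: 0 for k, ot in keys.items() if ot == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        new_valid = {}
        for key in keys:
            if key in valid:
                continue
            # Only signers that are already valid lend their ownertrust;
            # a certification from a not-yet-valid key is ignored.
            signers = certified_by[key] & set(valid)
            fulls = sum(1 for s in signers if keys[s] in (ULTIMATE, FULL))
            margs = sum(1 for s in signers if keys[s] == MARGINAL)
            if fulls >= completes_needed or margs >= marginals_needed:
                new_valid[key] = depth
        if not new_valid:
            break          # nothing new at this depth: the web is exhausted
        valid.update(new_valid)
    return valid


def trustdb_summary(keys, valid):
    """One line per depth, in the style of gpg --check-trustdb."""
    lines = []
    for depth in sorted(set(valid.values())):
        at_depth = [k for k, d in valid.items() if d == depth]
        counts = {ot: sum(1 for k in at_depth if keys[k] == ot)
                  for ot in TRUST_LETTERS}
        trust = ", ".join(f"{counts[ot]}{ot}" for ot in TRUST_LETTERS)
        lines.append(f"depth: {depth}  valid: {len(at_depth):3d}  trust: {trust}")
    return lines


if __name__ == "__main__":
    for max_depth in (5, 2):
        print(f"--max-cert-depth {max_depth}:")
        for line in trustdb_summary(KEYS, compute_validity(KEYS, CERTS,
                                                          max_cert_depth=max_depth)):
            print("  " + line)
```

In the sample, grace is certified by three marginally trusted keys, but erin's marginal ownertrust only starts to count once erin is valid (depth 2, via bob), so grace is first reached at depth 3; with --max-cert-depth 2 she never becomes valid, which is exactly the kind of change the option controls.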
