Changing & verifying the --max-cert-depth in Windows

erythrocyte firasmr786 at gmail.com
Thu Mar 4 19:14:36 CET 2010


On 3/4/2010 11:15 PM, Daniel Kahn Gillmor wrote:
> On 03/04/2010 08:18 AM, erythrocyte wrote:
>> And here's the output of the last command:
>>
>>       gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
>>       gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
>>       gpg: next trustdb check due at 2011-03-03
>>
>> It mentions that the --marginals-needed option is set to 3. And
>> --completes-needed option is set to 1. Which I think I'm okay with.
>> But the depth mentioned is 0!
>>
>> Why hasn't it changed? And how do I verify my current --max-cert-depth value?
> 
> I think you're not reading that data the way that it was intended to be
> read.  (this is not your fault, the docs are pretty thin).
> 
> That line says "of the certificates that are depth 0 from you (meaning
> they effectively *are* you), there is exactly one valid OpenPGP cert,
> and it has been granted ultimate ownertrust" -- this is a description of
> *your own key*, actually.  the "signed: 0" bit suggests that your key
> has made no certifications over the userIDs of any other OpenPGP key.
> 
> When i run gpg --check-trustdb, i get an additional line of output:
> 
> 0 dkg at pip:~$ gpg --check-trustdb
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0  valid:   1  signed:  83  trust: 0-, 0q, 0n, 0m, 0f, 1u
> gpg: depth: 1  valid:  83  signed: 128  trust: 70-, 1q, 1n, 10m, 1f, 0u
> gpg: next trustdb check due at 2010-03-07
> 0 dkg at pip:~$
> 
> So my first line (depth: 0) looks similar to yours, but points out that
> my key has made certifications over the userIDs of 83 other keys.
> 
> that second line (depth: 1) says:
> 
>   of the certificates that are 1 hop away from you, 83 of them are known
> to be valid (these are the same 83 that i've personally certified).
> none of them have ultimate ownertrust (otherwise that key would be
> listed in the depth: 0 line), one of them has full ownertrust ("1f"), 10
> have marginal ownertrust ("10m"), 1 has explicitly *no* ownertrust
> ("1n"), 70 i've never bothered to state ownertrust ("70-"), and 1 has
> explicitly-stated "undefined" ownertrust ("1q" -- i'm not really sure
> how this is different).
> 
> I'm also not sure what the "signed: 128" suggests in the "depth: 1"
> line.  Surely of all 83 keys i've certified, they have collectively
> issued more than 128 certifications themselves.  maybe someone else can
> explain that bit?
> 
> 
> so, your max-depth is being respected -- you're nowhere near 3 hops away
> from your key.  in fact, it looks like you've issued no ownertrust to
> any key other than yourself, so changing the max depth won't have any
> current effect.
> 

Thanks! That makes perfect sense :) .

> ------------------------
> 
> Here's my understanding:
> 
>  * when you certify the userID of a key, you're saying you believe that
> the real-world entity referred to by the User ID does in fact control
> the secret part of the key.
> 
>  * in particular, you say *nothing* about whether you feel you can rely
> on certifications made by that key.
> 
>  * internally to GPG, you can also assign a level of "ownertrust" to any
> given key -- this tells your OpenPGP toolset how much you are
> willing to believe certifications made by that key.
> 
>  * Your own key is marked by default as having "ultimate" ownertrust,
> which means that any userID/key combo certified by your key will be
> considered to be valid.
> 
>  * Note that GPG will not apply ownertrust to a key (even if you've
> specified it) unless it already believes that at least one User ID on
> that key is valid.
> 
> 
> 
> So to reach a depth of 2, you'd have to have assigned ownertrust to at
> least one key that you had not personally certified (but was certified
> by other keys in which you've placed ownertrust).  To reach a depth of
> 3, you'd have to have assigned ownertrust to one of the keys that are
> depth 2 from you, etc.
> 
> hope this helps,
> 
> 	--dkg
> 


Thanks for the explanation. I think some bits of this can be added to
the GnuPG Handbook. The section on the web of trust lacks some much needed
clarity.


Going over what you said, I think I'll be happy with a --max-cert-depth
of 2 :) .

-- 
erythrocyte
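To make the depth, ownertrust and marginals/completes thresholds described above concrete, here is an added Python simulation of the classic trust-model walk over a constructed key set. It is not GnuPG's own code, and the key names and ownertrust assignments are invented for the example.

```python
# Toy re-implementation of the classic GnuPG ("PGP") trust-model validity
# walk, constructed for this thread; not GnuPG's own code. Keys are strings.
ULTIMATE, FULL, MARGINAL, NEVER, UNKNOWN = "u", "f", "m", "n", "-"

def compute_validity(certs, ownertrust, me, marginals_needed=3,
                     completes_needed=1, max_cert_depth=5):
    """certs: {signer: set of keys it certified}; ownertrust: {key: letter}.
    Returns {key: depth} for every valid key (you are depth 0)."""
    depth_of = {me: 0}
    trust = {me: ULTIMATE, **ownertrust}   # your own key defaults to 'u'
    candidates = set().union(*certs.values())
    for depth in range(1, max_cert_depth + 1):
        newly_valid = {}
        for target in candidates - set(depth_of):
            full, marginal, via_ultimate = 0, 0, False
            for signer, signed in certs.items():
                # ownertrust only counts once the signer itself is valid
                if target not in signed or signer not in depth_of:
                    continue
                t = trust.get(signer, UNKNOWN)
                if t == ULTIMATE:
                    via_ultimate = True
                elif t == FULL:
                    full += 1
                elif t == MARGINAL:
                    marginal += 1   # 'n', 'q' and '-' contribute nothing
            if (via_ultimate or full >= completes_needed
                    or marginal >= marginals_needed):
                newly_valid[target] = depth
        if not newly_valid:
            break   # nothing new is reachable; deeper hops would be empty
        depth_of.update(newly_valid)
    return depth_of

def summarize(depth_of, ownertrust, me):
    """Per-depth counts shaped like gpg's 'depth: N valid: X trust: ...' line."""
    trust = {me: ULTIMATE, **ownertrust}
    rows = {}
    for key, d in depth_of.items():
        row = rows.setdefault(d, {"valid": 0, **{t: 0 for t in "-qnmfu"}})
        row["valid"] += 1
        row[trust.get(key, UNKNOWN)] += 1
    return rows
# Constructed sample: ME certified A, B, C, D, N. Z has full ownertrust but only
# two marginal signers, so it never becomes valid and its own certs never count.
SAMPLE_CERTS = {"ME": {"A", "B", "C", "D", "N"}, "A": {"X"}, "B": {"Y", "Z"},
                "C": {"Y", "Z"}, "D": {"Y"}, "X": {"W"}, "Z": {"V"}, "N": {"Q"}}
SAMPLE_TRUST = {"A": FULL, "B": MARGINAL, "C": MARGINAL, "D": MARGINAL,
                "X": FULL, "Z": FULL, "N": NEVER}
```

Running `compute_validity(SAMPLE_CERTS, SAMPLE_TRUST, "ME", max_cert_depth=2)` validates X and Y at depth 2 but not W, which only appears once the depth cap is raised to 3.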