multiple keys vs multiple identities

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Sep 24 22:21:10 CEST 2010


On 09/24/2010 02:32 PM, MFPA wrote:
> On Friday 24 September 2010 at 3:00:40 PM, in
> <mid:4C9CAF08.1030306 at fifthhorseman.net>, Daniel Kahn Gillmor wrote:
> Vjaceslavs Klimovs wrote:
>>> It'd be nice if there was a signature notation that
>>> specifies which UID(s) this signature would be valid
>>> for.
> 
>> Unless i'm misunderstanding your suggestion, there is
>> no need for such a notation -- OpenPGP certifications
>> are made over a single User ID and its associated
>> primary key.  If you certify someone's key and they
>> have three User IDs, and you only can vouch for two of
>> them, you should only certify those two.
> 
> I thought that gnupg and other openpgp implementations calculated
> trust without regard to which user IDs had been certified.

"trust" is a different issue than the validity of User IDs, and both are
unrelated to data signatures.

When GnuPG talks about "trust", it's usually referring to the concept of
"ownertrust", which is a value associated with a primary key.
"ownertrust" addresses the question "how much am i willing to rely on
identity certifications made by this key?"

"Validity" is a concept associated with the binding between a User ID
and its public key.  "validity" addresses the question "how much do i
believe that the entity named by the User ID is in fact the entity who
actually controls the secret part of this key?"

Put another way, "validity" addresses the question "does this key really
belong to X?" (where X is the entity referred to by the User ID)

If none of the User IDs on a given key are considered to be valid, then
i believe that GnuPG will refuse to honor any ownertrust set on that key
(unless the key itself is marked with "ultimate" ownertrust).

Note that "ownertrust" says *nothing* about whether a data signature
made by a given key is trustworthy.  By "data signature", i mean a
signature over regular data, either text or binary -- as opposed to an
identity certification made over another User ID and key.  That is, I can:

 * believe that you are who you claim to be, and
 * that the key in use is actually your key, and
 * decline to rely on any other identity certifications you make, and
 * still find it useful to know whether your key signed a given document

These are nuanced concepts, but they're worth understanding.  I hope
someone will correct me if i've made any mistakes in the above.

	--dkg
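The following is an added illustration, not part of dkg's message and not GnuPG's own code: a small Python model of the three separate concepts in the post (ownertrust on a primary key, validity of each User ID binding, and the verdict on a data signature). It assumes GnuPG's default classic-trust-model thresholds (completes-needed 1, marginals-needed 3, max-cert-depth 5) and the simplification that a certifier's ownertrust is honoured only once at least one of its own User IDs is fully valid (or the key is ultimately trusted). The keys, User IDs and certifications are constructed, and the cryptographic check of the data signature is passed in as a boolean because it is outside this model.

```python
from dataclasses import dataclass

# Ownertrust / validity levels, in increasing order.
UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"

# GnuPG's default thresholds for the classic trust model (assumption:
# --completes-needed 1, --marginals-needed 3, --max-cert-depth 5).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


@dataclass(frozen=True)
class Key:
    keyid: str
    uids: tuple                 # User IDs bound to this primary key
    ownertrust: str = UNKNOWN   # "how much do I rely on certifications this key makes?"


@dataclass(frozen=True)
class Certification:
    signer: str   # key id of the certifying key
    target: str   # key id of the primary key being certified
    uid: str      # a certification covers exactly ONE User ID plus primary key


def trust_is_usable(key, validity):
    """Ownertrust on a key only counts once the key itself is valid, i.e. at
    least one of its User IDs is fully valid; ultimate keys always count."""
    if key.ownertrust == ULTIMATE:
        return True
    return any(validity[(key.keyid, u)] == FULL for u in key.uids)


def compute_validity(keys, certs):
    """Return {(keyid, uid): validity} for every User ID in `keys`."""
    by_id = {k.keyid: k for k in keys}
    validity = {(k.keyid, u): UNKNOWN for k in keys for u in k.uids}
    # Every User ID on an ultimately trusted key is valid by definition.
    for k in keys:
        if k.ownertrust == ULTIMATE:
            for u in k.uids:
                validity[(k.keyid, u)] = FULL
    # Propagate outward, at most one certification hop per round.
    for _ in range(MAX_CERT_DEPTH):
        changed = False
        for kid, uid in list(validity):
            if validity[(kid, uid)] == FULL:
                continue
            full = marginal = 0
            for c in certs:
                if (c.target, c.uid) != (kid, uid):
                    continue          # certifications are per User ID
                signer = by_id.get(c.signer)
                if signer is None or not trust_is_usable(signer, validity):
                    continue          # ownertrust on an invalid key is ignored
                if signer.ownertrust in (FULL, ULTIMATE):
                    full += 1
                elif signer.ownertrust == MARGINAL:
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = FULL
            elif full or marginal:
                new = MARGINAL
            else:
                new = UNKNOWN
            if new != validity[(kid, uid)]:
                validity[(kid, uid)] = new
                changed = True
        if not changed:
            break
    return validity


def signature_report(keys, validity, signer_keyid, signature_good):
    """Shape of a verify result: whether the data signature checked out
    cryptographically (`signature_good`, computed elsewhere) is reported
    independently of whether any User ID on the signing key is valid."""
    key = next(k for k in keys if k.keyid == signer_keyid)
    valid_uids = [u for u in key.uids if validity[(key.keyid, u)] == FULL]
    return {
        "good_signature": signature_good,
        "valid_uids": valid_uids,
        "warning": None if valid_uids else "signing key has no valid User ID",
        "ownertrust": key.ownertrust,   # plays no part in the verdict
    }


# Constructed keyring (not real keys): ALICE is "me" (ultimate).
ME = Key("ALICE", ("Alice <alice@example.org>",), ownertrust=ULTIMATE)
BOB = Key("BOB", ("Bob <bob@example.org>", "Bob <bob@work.example>",
                  "Bob <bob@bogus.example>"), ownertrust=FULL)
CAROL = Key("CAROL", ("Carol <carol@example.net>",))
DAVE = Key("DAVE", ("Dave <dave@example.com>",), ownertrust=FULL)  # trusted, never certified
ERIN = Key("ERIN", ("Erin <erin@example.com>",))
KEYRING = [ME, BOB, CAROL, DAVE, ERIN]

CERTS = [
    # Alice can vouch for only two of Bob's three User IDs, so she certifies just those.
    Certification("ALICE", "BOB", BOB.uids[0]),
    Certification("ALICE", "BOB", BOB.uids[1]),
    Certification("BOB", "CAROL", CAROL.uids[0]),
    Certification("DAVE", "ERIN", ERIN.uids[0]),
]


def example():
    validity = compute_validity(KEYRING, CERTS)
    report = signature_report(KEYRING, validity, "ERIN", signature_good=True)
    return validity, report


if __name__ == "__main__":
    v, r = example()
    for (kid, uid), val in v.items():
        print(f"{val:8} {kid:6} {uid}")
    print(r)
```

Running it shows Bob's third User ID staying unknown while the other two are full, Carol becoming valid through Bob's honoured ownertrust, and Erin staying unknown because Dave's ownertrust is never honoured (none of Dave's User IDs is valid); Erin's data signature is still reported as good, with the missing validity surfacing only as a separate warning.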
