Revoke signature from key

David Shaw dshaw at
Mon Mar 21 23:33:00 CET 2011

On Mar 21, 2011, at 5:17 PM, Daniel Kahn Gillmor wrote:

> For example, consider Bob an admin of the tech support dept. at Example
> Corp.  Bob has his own personal key B, and manages a department key with
> alternate certification semantics, D.
> If Alice works for Example Corp, she might decide to set marginal
> ownertrust on D to increase her WoT into the tech support department.
> But if she knows Bob personally as well, she may want to grant marginal
> ownertrust to B.
> If Alice's trust model says "3 certifications by marginally ownertrusted
> keys -> full key+userid validity" (the gpg default), then Bob's keys now
> have the ability to provide 2/3 of a full certification instead of
> Alice's expected 1/3.  If Bob also happens to manage the department key
> for the Billing department of Example Corp, and Alice applies marginal
> ownertrust to that, then Bob can forge key+userID combinations that will
> be fully accepted by Alice, despite her having never granted him more
> than marginal ownertrust.

I think in this situation, you wouldn't want the classic trust model with Alice setting marginal ownertrust on D.   Rather (and I believe this is the more common use of a CSK), you'd use the CSK as a fully trusted introducer (via trust signatures, and the domain restriction).

So a single trust signature from the Example Corp CSK would cause any key matching xxxx at to become fully valid, but Bob or whoever is the administrator of the key (CSKs are commonly shared keys, requiring a few people to agree on their use) could only forge userIDs within

There is no real web of trust inside using a CSK in this way - the CSK dictates (in a very top-down way), which keys are valid and which, by omission, are not.  This makes sense in the corporate world, as it's not up to Alice to decide which corporate keys are valid.  It *is* up to Alice to decide which keys are valid, of course.


More information about the Gnupg-users mailing list