Trust signature domain
gnupg at jelmail.com
Wed Jan 18 15:51:02 CET 2017
On 18/01/17 03:03, David Shaw wrote:
> Can you post the actual user IDs of the keys you are testing with (or a similar example.com set) so I can try them as well?
I have written a test shell script to experiment with trust signatures.
The script is at https://git.io/vMXMQ
There are six participants: 'myself', who knows 'introducer' who knows
'alice' and 'blake'. 'blake' knows 'chloe' and 'david'
'introducer' signs 'alice' and trust-signs 'blake', who signs 'chloe'
'myself' trust-signs 'introducer'
I'm working on the belief that:
(a) by trust-signing introducer at level 1, any keys certified by
introducer (i.e. alice and blake) become valid for me.
(b) by trust signing introducer at level 2 I extend (a) so that any keys
certified by a key trust-certified by introducer (blake) also become
valid for me (chloe and david).
(c) by trust signing with a domain restriction I limit the scope of (a)
and (b) but it is not clear to me how this applies.
I think things look ok up to step 9 and point (a) and (b) appear to work
as I expect but (c) doesn't. I'd really appreciate some feedback about
what is happening in:
step 10 (trust level 1 restricted to example.org)
step 14 (trust level 2 restricted to example.org)
step 16 (trust level 2 restricted to example.es)
It would appear that any domain restriction disables trust completely!
My test output is at https://git.io/vMXDa
More information about the Gnupg-users