Documentation of trust model

Damien Goutte-Gattat dgouttegattat at incenp.org
Tue Sep 5 10:58:45 CEST 2017


Hello,

On 09/05/2017 12:58 AM, Mario Castelán Castro wrote:
> Are the trust models “classical” and “pgp” as implemented in GNU PG 
> documented anywhere?

As far as I know, not really. Certainly not in the OpenPGP RFCs. RFC4880 
and its predecessors never defined any trust model, they only defined 
some “tools” that can be used by a trust model (such as the different 
certification types or the trust signature packet). But the trust models 
themselves are left to the implementors.

I seem to remember that someone on the IETF OpenPGP mailing-list evoked 
the idea of writing a complementary, informational RFC to describe 
routinely used trust models, but I don’t think it has ever been done.

As for the “classic” and “pgp” trust models as used by GnuPG, very briefly:

In the “classic” trust model, GnuPG determines whether a given 
non-expired, non-revoked OpenPGP public key is valid by looking at the 
signatures (“certifications”) carried by that key. The key is fully 
valid, marginally valid, or of unknown validity depending on the number 
of certifications emitted by trusted keys in the user’s keyring.

The key aspect of the “classic” trust model is that it only determines 
the *validity* of a key. *Ownertrust* (the value associated with a key 
and which indicates if certifications emitted by that key are taken into 
account) is always manually set by the user. (This is something that is 
frequently misunderstood.) A “classic” signature only means something 
like “I certify that this key belongs to its stated owner”.

By contrast, in the “pgp” trust model, users can emit “trust 
signatures”, which carry both validity and ownertrust information. A 
trust signature means “I certify that this key belongs to its stated 
owner *and* I regard its owner as trustworthy.”

To illustrate the difference, let’s consider the following (from the 
point of view of Alice):

a) Alice signs Bob’s key and fully trusts Bob;
b) Bob signs Carol’s key and fully trusts Carol;
c) Carol signs David’s key.

In the “classic” trust model, only Bob’s and Carol’s keys are valid 
(Bob’s key because it is signed by Alice’s own key, and Carol’s key 
because it is signed by Bob’s key, which Alice fully trusts). But 
David’s key is of unknown validity because Alice never assigned an 
ownertrust value to Carol’s key. The fact that Bob fully trusts Carol is 
irrelevant; actually, Alice does not even know that Bob fully trusts Carol.

In the “pgp” trust model, and assuming that Alice and Bob emitted trust 
signatures instead of simple signatures (I ignore, for simplicity’s 
sake, the notion of trust depth and the possibility to assign marginal 
ownertrust), Carol’s key has full ownertrust in the eyes of Alice even 
though Alice never explicitly assigned an ownertrust value to it. 
Consequently, David’s key is valid.

Obviously there would be much more to describe, but I hope the above 
helps a little bit.

For what it’s worth, I wrote a document attempting to describe more 
thoroughly the various trust models used by GnuPG (including the new 
TOFU models) [1]. Unfortunately, it’s in French. :( I wanted to write an 
English version but never found the time nor the motivation…

Damien

[1] https://incenp.org/dvlpt/docs/confiance-openpgp.html
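As an added illustration (not part of the original message, and not GnuPG's own code), the following Python simulation applies the simplified rules described in the mail to the Alice/Bob/Carol/David scenario and shows why David's key is of unknown validity under the “classic” model but valid under the “pgp” model. The names, the `Certification` record and the `evaluate` function are constructed for this example; like the mail, it ignores trust depth, marginal trust, expiry and revocation.

```python
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

# Constructed example: a minimal model of "classic" vs "pgp" trust evaluation.
# This is NOT GnuPG's implementation; it only encodes the rules stated in the mail.


@dataclass(frozen=True)
class Certification:
    signer: str       # key that emits the certification
    target: str       # key being certified
    trust_sig: bool   # True for a "trust signature" (carries ownertrust as well)


def evaluate(model: str, own_key: str, certs: Iterable[Certification],
             manual_ownertrust: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (valid_keys, fully_trusted_keys) from own_key's point of view.

    Rules (simplified, as in the mail):
      - own_key is always valid and fully trusted.
      - a key is valid if it carries a certification from a key that is
        both valid and fully trusted.
      - "classic": ownertrust comes only from manual_ownertrust (set by hand).
      - "pgp": in addition, a trust signature emitted by a valid, fully
        trusted key grants full ownertrust to its target.
    Validity and ownertrust depend on each other, so iterate to a fixpoint.
    """
    if model not in ("classic", "pgp"):
        raise ValueError("model must be 'classic' or 'pgp'")
    certs = list(certs)
    valid = {own_key}
    trusted = {own_key} | set(manual_ownertrust)
    changed = True
    while changed:
        changed = False
        for c in certs:
            # Only certifications from valid AND fully trusted keys count.
            if c.signer not in valid or c.signer not in trusted:
                continue
            if c.target not in valid:
                valid.add(c.target)
                changed = True
            # Trust signatures propagate ownertrust only in the "pgp" model.
            if model == "pgp" and c.trust_sig and c.target not in trusted:
                trusted.add(c.target)
                changed = True
    return valid, trusted


def scenario(model: str) -> Tuple[Set[str], Set[str]]:
    """The mail's scenario, seen from Alice's keyring.

    a) Alice certifies Bob's key and has manually set full ownertrust on it;
    b) Bob certifies Carol's key and regards Carol as trustworthy;
    c) Carol certifies David's key.
    Under "pgp", Alice's and Bob's certifications are trust signatures, so
    Bob's opinion of Carol is visible to Alice; under "classic" that bit is
    ignored and Alice only knows what she set by hand.
    """
    certs = [
        Certification("Alice", "Bob", trust_sig=True),
        Certification("Bob", "Carol", trust_sig=True),
        Certification("Carol", "David", trust_sig=False),
    ]
    # Alice explicitly trusts Bob only; she never set ownertrust on Carol.
    return evaluate(model, "Alice", certs, manual_ownertrust={"Bob"})


if __name__ == "__main__":
    for model in ("classic", "pgp"):
        valid, trusted = scenario(model)
        unknown = {"David"} - valid
        print(f"{model:8s} valid={sorted(valid)} trusted={sorted(trusted)} "
              f"unknown={sorted(unknown)}")
```

Running the script prints that under “classic” only Alice, Bob and Carol are valid and only Bob carries ownertrust, while under “pgp” Carol inherits ownertrust from Bob's trust signature and David's key becomes valid.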
