
(and really sorry for my English)

I have a question about Web-of-Trust of GPG.

Let's say A and B signed each other's public keys and B and C signed each other's public keys. In this case A can trust C. But if C and D signed each other's public keys, then can A trust D (even if A didn't meet C)? What is the level limit of the web of trust?

yozel

2 Answers


The default GnuPG trust model allows a maximum length of trust paths of five, which can be configured. From the official documentation:

A key K is considered valid if it meets two conditions:

  1. it is signed by enough valid keys, meaning
    • you have signed it personally,
    • it has been signed by one fully trusted key, or
    • it has been signed by three marginally trusted keys; and
  2. the path of signed keys leading from K back to your own key is five steps or shorter.

I gave further explanation on how validity calculation works in another answer to What is the exact meaning of this gpg output regarding trust?.

Jens Erat
  • Can you provide details and an explanation rather than just a link. Otherwise this post will likely be deleted. – RoraΖ Nov 20 '14 at 12:19

You set the level and limit of trust you have.

PGP has two types of Trust:

Implicit trust is when you sign someone's keys, period. It is usually published on various servers.

Explicit trust means you trust keys the individual signed, to include people you've never met, and it is PRIVATE.

If A met B and wanted to utilize a PGP suite, they'd have to sign each other's keys (Implicit Trust).

If B met C and signed each other's keys, they have implicit trust. However, A does not implicitly trust C. A would have to trust B to verify C's identity (Explicit Trust).

It matters which implementation you use. Let's say GNUPG:

Found in the GNUPG manual under 'Managing Your Web of Trust' https://www.gnupg.org/gph/en/manual.html#AEN385

If A is using GNUPG, they would use the --completes-needed and --marginals-needed options, e.g.

 gpg --completes-needed 1 --marginals-needed 3

So A doesn't implicitly trust B, C, D in this situation.

What if

  • A set completes needed to 1 and marginals needed to 3 and then Explicitly trusts B
  • Then, B signs (Implicitly trusts) C, D and E
  • Last, F and G come along
  • C, D and E implicitly trust F but not G.

At this point, A implicitly trusts F because C, D and E are marginals in this case.

Last, when you explicitly trust someone, you can choose the level in which you do so by editing the user's key

 gpg --edit-key B

Then issuing the trust command

 trust

You'll get a prompt on the level of trust you have for that person.

Levels of trust, etc. are all explained in the manual

https://www.gnupg.org/gph/en/manual.html

grepNstepN
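A worked model of the validity rule both answers above describe (Jens Erat's two conditions, and the completes-needed / marginals-needed options in this answer), added here as an illustration; it is not code from the thread or from GnuPG itself. The key names, signature graphs and trust assignments are constructed, and the round-by-round iteration is a simplified model of how GnuPG derives key validity from your ownertrust settings.

```python
# Added example: simplified model of GnuPG's validity calculation (not GnuPG's
# own code). Keys are plain strings; graphs and trust values are constructed.

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

def compute_validity(signatures, ownertrust, own_key,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key judged valid.
    signatures: key -> set of keys that signed it; ownertrust: key -> the
    trust YOU assigned to that owner. A key is valid once enough valid,
    trusted keys signed it and its path back to own_key is short enough."""
    depth = {own_key: 0}                   # your own key is always valid
    for d in range(1, max_cert_depth + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in depth:
                continue                   # already valid
            # Only signatures by already-valid keys count, weighted by the
            # ownertrust you gave the signer (not by whom the signer trusts).
            full = sum(1 for s in signers if s in depth
                       and ownertrust.get(s, UNKNOWN) in (ULTIMATE, FULL))
            marginal = sum(1 for s in signers if s in depth
                           and ownertrust.get(s, UNKNOWN) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = d
        if not newly:
            break                          # nothing more can become valid
        depth.update(newly)
    return depth

def question_scenario(trust_in_c):
    """A<->B, B<->C, C<->D cross-signed; A trusts B fully, C as given."""
    sigs = {"B": {"A", "C"}, "C": {"B", "D"}, "D": {"C"}}
    trust = {"A": ULTIMATE, "B": FULL, "C": trust_in_c}
    return compute_validity(sigs, trust, own_key="A")

def marginals_scenario():
    """A trusts B fully; B signs C, D, E (marginal); they sign F, only C signs G."""
    sigs = {"B": {"A"}, "C": {"B"}, "D": {"B"}, "E": {"B"},
            "F": {"C", "D", "E"}, "G": {"C"}}
    trust = {"A": ULTIMATE, "B": FULL, "C": MARGINAL, "D": MARGINAL, "E": MARGINAL}
    return compute_validity(sigs, trust, own_key="A")

def long_chain(n):
    """A -> K1 -> ... -> Kn, every owner fully trusted: the depth limit decides."""
    keys = ["A"] + [f"K{i}" for i in range(1, n + 1)]
    sigs = {keys[i]: {keys[i - 1]} for i in range(1, len(keys))}
    trust = {k: (ULTIMATE if k == "A" else FULL) for k in keys}
    return compute_validity(sigs, trust, own_key="A")
```

The first scenario answers the question directly: D becomes valid for A only when A has assigned ownertrust to C, and a chain of fully trusted owners still stops being valid beyond five steps.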