I am learning about the Web of Trust and how to use it. However, I have some issues to fully grasp the concept of Signatory Trust.
What is an easily understandable definition of signatory trust? An example would be very helpful.
Asked
Active
Viewed 344 times
1 Answers
2
Signatory Trust
Signatory trust is used to describe the situation of transitive certifications. Consider Alice signed Bob Alice -> Bob, and also puts owner trust on Bob (owner trust means, Alice puts faith in certification Bob issues). Now, if Bob signs Carol Bob -> Carol (but Alice doesn't), Alice cannot directly verify Carol's key (she didn't certify it herself), but she can build a trust path:
Alice -> Bob -> Carol
Remember that these transient trust steps always require three components, a certification from a trusted and already valid key. PGP/GnuPG use a more advanced trust model with marginal and full trust, but the basic principle is the same.
Trust Categories in the Example
In this situation, we have different kinds of trust:
- trust in identity (Alice is sure about Bob's key ownership, and Bob is sure about Carol's key ownership)
- owner trust: do I trust the key's owner to certify other keys? (Alice trusts Bob's certifications)
- key validity (the German Wikipedia uses "legitimacy" here): Is there a trust path to the other key, based on the first two kinds of trust?
- trust path from Alice to herself is trivial (same for Bob to Bob and Carol to Carol)
- direct trust from Alice to Bob, and Bob to Carol
- signatory trust: transient trust path from Alice to Carol, over Bob's trusted and valid key
- Bob cannot put trust on Alice' key, Carol can neither trust Alice nor Bob (no trust paths)
