
I'm reading Cryptography and Network Security Principles and Practices (5th ed, p584) and reading about PGP keyrings, I'm a little confused about the differences between the owner trust field and the signature trust field. I quote:

In turn, each signature has associated with it a signature trust field that indicates the degree to which this PGP user trusts the signer to certify public keys.

and ...

An owner trust field is included that indicates the degree to which this public key is trusted to sign other public-key certificates.

The powerpoint slides I'm reading don't seem to make a clear distinction between the two either:

  • Signature trust field: Measures how far the PGP user trusts the signer to certify public keys. (The key legitimacy field for an entry derives from the signature trust fields.)
  • Owner trust field: Indicates the degree to which this PGP user trusts the key's owner to sign other public-key certificates. PGP doesn't compute this level of trust; the PGP user assigns it. You can think of a signature trust field as a cached copy of the owner trust field from another entry.

Am I correct in saying that the owner trust field is the extent to which I (the keyring owner) trust the public key entry in the table?

Does the signature trust field get set manually by the user?

If I have a public key entry from Bob, and Charlie and David have signed it, would I have two signature trust entries for that key? - And do I have to set these manually? - What if I don't know David, what would the value be?

Crizly

1 Answer


Owner and Signature Trust

Signature trust means a user puts trust into the identity of another user. If Alice signs (or certifies, which is the term I will use from now on for signing others' keys) Bob's key, she declares (following whatever rules) she puts trust in his identity. These certifications are usually publicly available on the key servers. You can fetch those certifications (by fetching somebody else's key, you automatically also receive all certifications on that key), but for now they're still useless (unless issued by yourself).

Owner trust is only issued by you, and not shared with others. It defines whether you put trust in somebody else's capabilities of doing proper certifications (i.e., Alice checking Bob's ID carefully).

If you take both kinds of trust together, you can validate others' keys, although you never met them. Given you know Alice and certified her key (signature trust), her key is valid (you're sure about who she is). Without issuing owner trust to her, her certification on Bob is not considered for validating Bob's key yet. If you also issue owner trust on Alice's key (thus, trusting her decisions on certifying others), her outgoing certifications are also considered; Bob's key is now also valid.

For more details, have a look at What is the exact meaning of this gpg output regarding trust?.

Your Questions

Am I correct in saying that the owner trust field is the extent to which I (the keyring owner) trust the public key entry in the table?

Yes -- and no. It is a part of trust as described above; trust into the key owner's ability to correctly issue certifications.

Does the signature trust field get set manually by the user?

The other way round: signature trust is issued by anybody and shared on the key servers. Each OpenPGP user has to manually (and on his own) set owner trust.

If I have a public key entry from Bob, and Charlie and David have signed it, would I have two signature trust entries for that key? - And do I have to set these manually? - What if I don't know David, what would the value be?

If the certifications (signatures) have been uploaded to the key servers, you could fetch them by loading Bob's key from the key servers. So no, you don't need to set them manually, nor should you (if you didn't verify Bob's key). You could issue owner trust, though.

If you don't know David (i.e., not certified his key), the value wouldn't change, or in better words: David's certification would not change anything, as you probably did not put owner trust on David's key.

Jens Erat
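The interplay the answer describes (certifications fetched from a key server, owner trust assigned locally, and key validity computed from the two) can be made concrete with a small simulation. The following is an added example, not code from the question or the answer and not GnuPG's implementation: it is a simplified model of GnuPG's classic trust computation using the defaults GnuPG documents for `--marginals-needed` (3), `--completes-needed` (1) and `--max-cert-depth` (5). The keyring (who certified whom: me, alice, bob, charlie, david, erin) is a constructed sample built from the scenario in the question, with an extra key "erin" added so the three-marginals rule can be shown.

```python
"""Simplified OpenPGP web-of-trust validity computation (added example, not GnuPG's code)."""
from enum import Enum


class OwnerTrust(Enum):
    """Owner trust is assigned locally by the keyring owner and never shared."""
    UNKNOWN = "unknown"
    NEVER = "never"
    MARGINAL = "marginal"
    FULL = "full"
    ULTIMATE = "ultimate"


def compute_validity(certs, owner_trust, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return {key: validity}, validity being "full", "marginal" or "unknown".

    certs:       {key: set of keys whose certifications sit on that key}; these are
                 the signature entries that arrive with a key fetched from a key server.
    owner_trust: {key: OwnerTrust}; keys missing from the dict count as UNKNOWN.
    Simplified model of GnuPG's classic trust model with its documented defaults
    (marginals-needed 3, completes-needed 1, max-cert-depth 5).
    """
    all_keys = set(certs) | set(owner_trust) | {s for signers in certs.values() for s in signers}
    validity = {k: "unknown" for k in all_keys}

    # Ultimately trusted keys (normally your own) are valid without any certification.
    for key, trust in owner_trust.items():
        if trust is OwnerTrust.ULTIMATE:
            validity[key] = "full"

    for _depth in range(max_cert_depth):
        previous = dict(validity)          # evaluate each round against the last round's result
        changed = False
        for key, signers in certs.items():
            if previous[key] == "full":
                continue
            completes = marginals = 0
            for signer in signers:
                # A certification only carries weight if the signer's own key is fully
                # valid AND the keyring owner assigned that signer owner trust. The weight
                # is looked up from the signer's entry: that lookup is what the slides call
                # a "cached copy of the owner trust field from another entry".
                if previous.get(signer) != "full":
                    continue
                trust = owner_trust.get(signer, OwnerTrust.UNKNOWN)
                if trust in (OwnerTrust.FULL, OwnerTrust.ULTIMATE):
                    completes += 1
                elif trust is OwnerTrust.MARGINAL:
                    marginals += 1
                # UNKNOWN or NEVER: the certification is present but contributes nothing.
            if completes >= completes_needed or marginals >= marginals_needed:
                new = "full"
            elif marginals > 0:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[key]:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


# Constructed sample keyring (not real keys): who has certified whom, as it would look
# after fetching everybody's key, certifications included, from a key server.
CERTS = {
    "me": set(),
    "alice": {"me"},                                   # I certified Alice after checking her ID
    "charlie": {"me"},                                 # I also certified Charlie
    "erin": {"me"},                                    # and Erin (added to show the marginal rule)
    "bob": {"alice", "charlie", "david", "erin"},      # Bob's key carries four certifications
    "david": set(),                                    # nobody I know certified David
}


def bob_validity(extra_owner_trust):
    """Bob's validity given my own key as ultimate plus whatever owner trust I assign."""
    owner_trust = {"me": OwnerTrust.ULTIMATE, **extra_owner_trust}
    return compute_validity(CERTS, owner_trust)["bob"]


if __name__ == "__main__":
    print("no owner trust assigned      ->", bob_validity({}))
    print("alice full                   ->", bob_validity({"alice": OwnerTrust.FULL}))
    print("alice marginal               ->", bob_validity({"alice": OwnerTrust.MARGINAL}))
    print("alice, charlie, erin marginal->", bob_validity({k: OwnerTrust.MARGINAL for k in ("alice", "charlie", "erin")}))
    print("david full (key not valid)   ->", bob_validity({"david": OwnerTrust.FULL}))
```

The runs answer the three questions in order: with no owner trust assigned, Bob stays unknown even though Alice, Charlie and David all certified him; full owner trust on Alice alone makes Bob fully valid; marginal owner trust on Alice gives Bob marginal validity, and three marginally trusted certifiers reach full validity. The last run shows the David case from the other direction: owner trust on a key that is not itself valid (nobody you trust certified David) changes nothing.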