Mailing List Archive

How does trust work?
I don't know if this is the right forum for this but I would like to
start off by thanking the contributors to GNUPG. This program has
been much easier to understand and use than PGP for me.

I have read the documentation for GNUPG and experimented with it a
bit, and I have a good system established for using it as long as I
make sure that no more than one key exists for a given user and I
fully trust those keys.

I am trying to make the next step in the learning process, using the
trust database to simplify the acceptance of new keys. My first
experiment went as follows:

I received a public key from Jim, which he told me was his "auth
key". I verified the fingerprint over the phone, added it to my
keyring, signed it, marked it as fully trusted, and updated the trust
database. The auth key does not expire.

Jim periodically sends me a new "communications key", with the same
UID, and, of course, a different key id. These communications keys
regularly expire, before which time I will receive a new
communications key from Jim. I am to encrypt all messages to Jim with
the current communications key he has sent me. Supposedly, I need
only add his communications key to my keyring and it will be trusted.

As I understand the trust database, a trust path should exist between
my secret key and all of Jim's communications keys, since I have
signed a fully trusted key of his UID. However, when I attempt to
encrypt a message to Jim's communications key, I am always told by GPG
that, in fact, a valid trust path to this key does not exist. This
causes me to take the extra (disconcerting) step of telling GPG that I
know what I'm doing before it will encrypt the key.

Well, I don't know what I'm doing because I obviously don't understand
how to complete a trust path. I know I could sign his communications
keys and manually mark them trusted, but that would be cheating. Can
someone straighten me out here? Is this even a valid application of
the trust database?

TIA - Rich

--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
Re: How does trust work?
Mahlzeit


I experimented once a bit with PGP2. I assume that the trust management
is the same in GnuPG.

In PGP2 you have following parameters:

Cert_Depth = 2
Completes_Needed = 1
Marginals_Needed = 4

In GnuPG they are called:

completes-needed 1
marginals-needed 3
max-cert-depth 5

The two trust management variables a key has are:

- validity, i.e. if the key is believed to belong to the user in the
user ID. This variable can have the values "valid" and "not valid".
- trust, i.e. if you trust the owner of the key to certify other keys
for you. Trust can have the values "Not trusted/unknown trust",
"marginal trust", "complete trust".

PGP2 starts from an ultimately trusted key, i.e. one for which you have
the secret key. Keys (1. level) which you have signed directly are valid.
It looks then at these keys' trust and which keys (2. level) are certified
by them. Each signature from a 1. level key with marginal trust increases
a marginals counter on a 2. level key and each signature from a 1. level
key with complete trust increases a completes counter on a 2. level key.
If either the completes counter reaches the Completes_Needed value or
the marginals counter reaches the Marginals_Needed value this key is
trusted. This is done recursively until Cert_Depth is exceeded. (And
btw. the trust is only set by the user and trust settings from no
valid keys are ignored.)

So for the above PGP2 settings, a key is either valid, when its
completes counter is 1 or above and its marginals counter is 4 or above.
A Cert_Depth of 2 means, that certificates from keys up to level 2
are honoured.


Mahlzeit

endergone Zwiebeltuete

--
PGP: SIG:C379A331 ENC:F47FA83D I LOVE MY PDP-11/34A, M70 and MicroVAXII!
--
Take my mind
All the way
The darkside calls
I shan't resist

Re: How does trust work?
> ID4 - My key
> ID3 - Subkey of Jim's comm-key
> ID2 - Jim's comm-key
> ID1 - Jim's auth-key
> ID0 - Old key of Jim's
> ID-1 - Old key of Jim's
> ID-2 - Subkey of Jim's key with ID0
>
> Note from the last message that I specify the key ID when I
> encrypt, rather than an e-mail address. Since those two keys (ID1
> and ID-1) are different, can you recommend a solution, or a reason
> this is not working?

Sorry, in my last post I confused ID0 with ID2.
ID2 is signed with ID1, which is signed with ID4, so IMO ID2
should be considered valid (-/f).
I really don't see what's wrong in your case. If I import a
friend's key that is signed with my home key which is set to
f/f here at work, the trust of the friend's key gets set to
-/f automagically.

Sorry, I can't help you. Try the whole procedure from scratch, maybe?

Bye,
Ralf

--
Ralf Hüls
KSV Kreditschutz-Vereinigung GmbH
Score-Consult
http://www.schufa.de/

Bismarckplatz
44866 Bochum
Tel. 02327/9114-28
Fax. 02327/8 40 27




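The validity calculation the second reply describes (completes/marginals counters, certification depth) and the ID4 -> ID1 -> ID2 chain from the last post, as an added worked example that is not code from the thread or from GnuPG. It models the rule that validity propagates only along signatures from already-valid keys: ID2 becomes valid through the fully trusted auth key ID1, while a hypothetical key ID5 that merely carries Jim's user ID and is only self-signed stays invalid. Key names, `ID5`, and the `M0..Mn` marginal signers are constructed for the example.

```python
# Added example, not code from the thread: a small model of the validity
# calculation the reply describes, using the GnuPG defaults it quotes.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_validity(sigs, trust, own_keys, completes_needed=COMPLETES_NEEDED,
                     marginals_needed=MARGINALS_NEEDED,
                     max_cert_depth=MAX_CERT_DEPTH):
    """sigs: {signed_key: set_of_signer_keys}; trust: {key: "full"|"marginal"}.
    Own keys are ultimately trusted and valid by definition; each round adds
    one certification level. A signature counts only if its signer is already
    valid, so trust set on never-valid keys is ignored, as the reply notes."""
    valid = set(own_keys)
    for _level in range(max_cert_depth):
        completes, marginals = {}, {}
        for key, signers in sigs.items():
            if key in valid:
                continue
            for signer in signers & valid:
                t = "full" if signer in own_keys else trust.get(signer)
                if t == "full":
                    completes[key] = completes.get(key, 0) + 1
                elif t == "marginal":
                    marginals[key] = marginals.get(key, 0) + 1
        newly = {k for k in sigs if k not in valid and
                 (completes.get(k, 0) >= completes_needed
                  or marginals.get(k, 0) >= marginals_needed)}
        if not newly:
            break  # no new keys at this level, deeper levels add nothing
        valid |= newly
    return valid


def thread_scenario():
    """Constructed graph from the last post: ID4 (own key) signs ID1 (Jim's
    auth key, set to full trust) and ID1 signs ID2 (Jim's comm key). ID5 is a
    hypothetical key carrying Jim's user ID that is only self-signed."""
    sigs = {"ID1": {"ID4"}, "ID2": {"ID1"}, "ID5": {"ID5"}}
    return compute_validity(sigs, {"ID1": "full"}, own_keys={"ID4"})


def marginal_scenario(signer_count):
    """Hypothetical: KEY is signed by signer_count marginally trusted keys that
    ID4 signed directly; KEY is valid only once marginals-needed is met."""
    signers = {f"M{i}" for i in range(signer_count)}
    sigs = {m: {"ID4"} for m in signers}
    sigs["KEY"] = signers
    return "KEY" in compute_validity(sigs, {m: "marginal" for m in signers},
                                     own_keys={"ID4"})
```

`thread_scenario()` returns `{"ID4", "ID1", "ID2"}` without ID5, and `marginal_scenario(2)` is False while `marginal_scenario(3)` is True with the quoted `marginals-needed 3`.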