
Two questions on signatures.

  1. I am trying to understand the various types of "trust signature". The man page says, "For more information please read the sections “Trust Signature” and “Regular Expression” in RFC-4880." Rather than go to the RFC, maybe someone could help with these basics.

    We have these choices when running --edit-key ... tsign:

    1. Trust Marginally
    2. Trust Fully         << Selecting 2. leads to two more choices:
    
    Please enter the depth of this trust signature
    A depth greater than 1 allows the key you are signing to make trust signatures on your behalf.
    
    Please enter a domain to restrict this signature, or enter for none.
    

    a. The choice of Full or Marginal Trust is described in this post on the OpenPGP trust model. I have also read the distinction between Owner Trust and Signature Trust. I am still unclear about the significance of "depth" beyond 2, or how high this might go.

    b. I am also unclear about the notion of a "domain" to restrict signatures. The man page says regarding tsign, "It is generally only useful in distinct communities or groups." Could someone give an example? Outside of this, should trust signatures be ignored?

    c. In answer to a previous question, @jens-erat is saying, "Although trust is a kind of signature on other keys, it does not get distributed when uploading keys to key servers." What then is the distinction between trust signatures and local trust signatures? Are all trust signatures part of building my personal Web of Trust, or are some shared and exported to keyservers, like the distinctions between the various --default-cert-level values?

  2. When might we use a non-revokable signature? (nrsign, tnrsign, lnrsign, etc.)

When cross-signing two keys as I've described here and here, one a master certifying key to be kept offline and the other a master certifying key to be kept on the laptop, I believe I would certify ("sign") each other using --default-cert-level 3 and as fully trusted. I am not clear what depth I should use, though it should be 2 or higher. I am also wondering if one or both of these certifications should be non-revocable to show permanent ownership.

Diagon

1 Answer


There are multiple notions of "trust" in PGP, which I've had to disentangle. Here is what I found ...

The issue we must deal with when considering using a key for communication is whether that key is "valid", meaning: does the person controlling the secret part of a key legitimately own the identities listed on the key, i.e. name, email address, jabber address, etc.? The keys of people who we know, who we communicate with already and give us their keys directly, are automatically valid. But what of people we don't have this kind of direct contact with, but with whom we want to communicate? We find a key purporting to be from them, perhaps on a keyserver or communicated to us by someone who claims to be or know them. Is it really owned by them ("valid")?

To try to get some handle on this, PGP institutes a system of attestation, called "certification" (colloquially, "signatures"). When I certify a key, using my own, I attest, "Yes, I know this to be a valid key; i.e. owned by the person whose name is listed and who controls the listed email address." When I find a key that purports to be from someone with whom I want to communicate, I can look at the certifications. Maybe among those signatures is a key owned by someone I know. Or maybe among them there is a key owned by some public personage, who has his own key on his website and is in a position to know the person with whom I want to communicate. By this means, I can try to work out how likely it is that I have a valid key.

PGP attempts to help with this validation procedure in various ways. The first is encoded in the certifications themselves, which are carried along with the key I'm trying to validate. When certifying a key, the "--default-certification-level" can be set to 0 or 1-3. These indicate various levels of certainty by the signing party, in the validity of the key. Level 0 means that no claim is made about how certain we are, while 1, 2, 3 are progressively higher levels of certainty: from basic belief, to extensive verification.

PGP's second means of supporting our attempts at validation is to operationalize a notion of "owner trust." That is, I have the keys of various friends. I sign those keys as valid, but when it comes to the signatures my friends place on the keys of people that they know (but I do not), I may put in each friend a different belief in their care regarding validation of those keys. Perhaps one friend only signs keys of people they know very well. Perhaps another may meet people at "signing parties," do a perfunctory check of an ID (perhaps checking for that person's control of the key's email address or not), and then agree to sign the key. Among these various friends I have a private notion of how much I trust their diligence. I encode this trust level in a private database that is kept with my PGP certificate ("key") using the --edit-key <fpr> trust command to gpg. I can associate that friend's key with a trust level of "full", "marginal", "untrusted", or "unknown". My own key is given "ultimate" trust. This is called "owner trust", a codification of how much I trust the diligence of the owner of the key. Using these values, PGP can then calculate a level of validity (called a "calculated validity" or also, confusingly, a "trust value") for keys that I have not signed, but which may have been signed by others that I know to be valid: e.g. my friends or those public personages mentioned before. The parameters used for this calculation are subject to user control (see --trust-model), but typically, any key signed by a fully trusted key is valid and any key signed by three marginally trusted keys is also valid. A key with signatures by fewer than three marginally trusted keys is "marginally valid", and a key with no signatures has "unknown validity." This is known as the "classical trust model."

Note that this mode of calculating a level of validity / "trust value" interfaces to the first described validation procedure through the option --min-cert-level, defaulting to 2, which discards signatures with certification level below that value (i.e. 1 is discarded, but NB: 0 is kept).

The third means of supporting attempts at validation is the system of trust signatures, via --edit-key <fpr> tsign. As opposed to "owner trust", "Trust Signatures" are public certifications that attest to a certain "depth" of trust by the signing party. A trust signature of depth 1 is similar to a standard certification in which I am attesting to the validity of the key. A trust signature of depth 2, on the other hand, announces not only my attestation of validity, but also makes a proclamation that is equivalent to "full trust" in the "owner trust" model. That is, I am publicly stating that I give validity to any key signed by this key. In the trust signature model, a key with a signature of depth 2 is called a "Trusted Introducer." I am accepting the validity of keys at one remove. Offering a trust signature of depth 3 goes beyond the "owner trust" model, publicly declaring that not only do I give full validity to any key signed by this key, but I also fully trust them, giving validity to any key signed by those. I.e. I am accepting the validity of keys at two removes. This is called in this system a "Meta-Introducer." Depth can go to any level.

This notion of trust is typically used in organizations for delegation of authority. As such, it is usually associated with a "domain", within which authority is being extended. That domain may typically be a website of a company, and validity would only be conferred by trusted meta/introducers to UIDs within that domain. Such signatures can be revocable or non-revocable. They can also be "local." That is, very much like the classical trust model, kept private even when keys are shared. I suppose this is a kind of secret delegation of certifying authority.
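The two mechanisms described above (owner trust with the one-full/three-marginal rule and --min-cert-level, and trust signatures restricted by depth and domain), as an added example that is not code from the original answer or from GnuPG: a simplified Python model of the validity calculation. Depth here follows RFC 4880 and gpg's tsign numbering, where depth 1 already makes the signed key a trusted introducer and depth 2 a meta-introducer; the trust amount carried by a tsig, --max-cert-depth and gpg's regex form of the domain restriction are left out, and every key ID and UID is constructed.

```python
# Added example (not GnuPG code): a simplified model of the classic/"pgp" trust calculation.
from collections import namedtuple
# level = the --default-cert-level value 0..3; depth 0 = ordinary certification, >=1 = tsig
Cert = namedtuple("Cert", "signer target level depth domain", defaults=(0, 0, ""))
MARGINALS_NEEDED, COMPLETES_NEEDED, MIN_CERT_LEVEL = 3, 1, 2  # gpg defaults

def in_domain(uid, domain):
    """A tsig domain restriction matches the UID's mail host or any subdomain of it."""
    host = uid.rsplit("@", 1)[-1].lower()
    return not domain or host == domain or host.endswith("." + domain)

def compute_validity(uids, ownertrust, certs):
    """Return {key: 'full' | 'marginal' | 'unknown'}, iterating to a fixpoint."""
    validity = {k: "full" if ownertrust.get(k) == "ultimate" else "unknown" for k in uids}
    introducer = {}  # key -> (remaining depth, domain) granted by an accepted tsig
    def trust_of(signer, target):  # owner trust first, then trust delegated by a tsig
        ot = ownertrust.get(signer, "unknown")
        if ot in ("ultimate", "full", "marginal"):
            return "marginal" if ot == "marginal" else "full"
        depth, dom = introducer.get(signer, (0, ""))
        return "full" if depth >= 1 and in_domain(uids[target], dom) else "unknown"
    changed = True
    while changed:
        changed = False
        for k in uids:
            # only certs from valid signers count; --min-cert-level drops level 1 but keeps 0
            usable = [c for c in certs if c.target == k and validity.get(c.signer) == "full"
                      and (c.level == 0 or c.level >= MIN_CERT_LEVEL)]
            full = [c for c in usable if trust_of(c.signer, k) == "full"]
            marginal = [c for c in usable if trust_of(c.signer, k) == "marginal"]
            new = validity[k]
            if len(full) >= COMPLETES_NEEDED or len(marginal) >= MARGINALS_NEEDED:
                new = "full"
            elif marginal and new == "unknown":
                new = "marginal"
            for c in full:  # an accepted tsig delegates introducer status, one level less per hop
                if c.depth and k not in introducer:
                    own = ownertrust.get(c.signer) in ("ultimate", "full")
                    pdepth, pdom = (c.depth + 1, "") if own else introducer[c.signer]
                    introducer[k] = (min(c.depth, pdepth - 1), c.domain or pdom)
                    changed = True
            if new != validity[k]:
                validity[k], changed = new, True
    return validity

def demo():  # constructed keyring: our key delegates certification for acme.test to a company CA
    uids = {"alice": "alice@example.org", "ca": "ca@acme.test", "bob": "bob@acme.test",
            "eve": "eve@other.test", "dan": "dan@acme.test"}
    certs = [Cert("alice", "ca", 3, depth=1, domain="acme.test"),  # tsign the CA, depth 1
             Cert("ca", "bob", 3), Cert("ca", "eve", 3), Cert("ca", "dan", 1)]
    return compute_validity(uids, {"alice": "ultimate"}, certs)
```

In the demo keyring, bob becomes valid through the CA, eve stays unknown because her UID is outside the tsig domain, and dan stays unknown because his level-1 certification falls below --min-cert-level.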


Monkeysphere has an excellent reference on OpenPGP Trust Models (on both classic & trust signatures).
But note the error: Trust level 1 actually just means validity. Trust level 2 is "full trust" (in an owner trust system where the signature by one fully trusted key confers validity) aka "Introducer". Trust level 3 means I fully trust anyone that this person fully trusts, aka "Meta-Introducer".

A PGP whitepaper on trust signatures as a more flexible form of certificate authority.

Some discussion about trust signatures from the gnupg e-list:

Questions about trust signatures

The "pgp" trust model: the relationship between classic ownertrust designation and trust signatures

Multiple trust signatures


Regarding my issue of cross-certification of keys mentioned at the end of my question, I see that within a certificate keys are cross-signed using --default-cert-level 3. That would probably be sufficient, but to get my trust model to work properly, I would either have to make sure to set each key to "ultimate" trust in the owner-trust model, or use the (offline) master certifying key to give a trust signature of depth 2 to the sub-master certifying key. The latter could give a non-revocable trust signature of the same depth in return. This would be like setting up the master certifying key as a certificate authority (see that PGP whitepaper).

Diagon