1

I am learning about the Web of Trust and how to use it. However, I have some issues to fully grasp the concept of Signatory Trust.

What is an easily understandable definition of signatory trust? An example would be very helpful.

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
Jon
  • 513
  • 1
  • 4
  • 11

1 Answers1

2

Signatory Trust

Signatory trust is used to describe the situation of transitive certifications. Consider Alice signed Bob Alice -> Bob, and also puts owner trust on Bob (owner trust means, Alice puts faith in certification Bob issues). Now, if Bob signs Carol Bob -> Carol (but Alice doesn't), Alice cannot directly verify Carol's key (she didn't certify it herself), but she can build a trust path:

Alice -> Bob -> Carol

Remember that these transient trust steps always require three components, a certification from a trusted and already valid key. PGP/GnuPG use a more advanced trust model with marginal and full trust, but the basic principle is the same.

Trust Categories in the Example

In this situation, we have different kinds of trust:

  • trust in identity (Alice is sure about Bob's key ownership, and Bob is sure about Carol's key ownership)
  • owner trust: do I trust the key's owner to certify other keys? (Alice trusts Bob's certifications)
  • key validity (the German Wikipedia uses "legitimacy" here): Is there a trust path to the other key, based on the first two kinds of trust?
    • trust path from Alice to herself is trivial (same for Bob to Bob and Carol to Carol)
    • direct trust from Alice to Bob, and Bob to Carol
    • signatory trust: transient trust path from Alice to Carol, over Bob's trusted and valid key
    • Bob cannot put trust on Alice' key, Carol can neither trust Alice nor Bob (no trust paths)
Jens Erat
  • 23,816
  • 12
  • 75
  • 96