Author npcole
Recipients npcole
Date 2011-08-13.10:03:06
[ Summary ]

GPG will not allow the user to set the trust of the key independently
of the trust signature, even when Trust Signature is domain-limited.

[ Full Description ]

In the following description:

"Root Key" is a key set as ultimate trust.

"Middle Key" is a key whose UID is signed by "Root Key" with a trust signature 
delegating full trust.

[ Middle Key would then sign other keys, but they are not necessary to 
demonstrate the bug in question. ] 

So - Supposing that "Root Key" signs "Middle Key" with a trust
signature limited to the ".gnupg.invalid" domain.

The user might independently decide to assign "Middle Key" a marginal
trust setting for all keys.

The *expected outcome* here is that within the domain .gnupg.invalid
the key is allowed to sign with "Full Trust" but that in all other
domains it just has marginal trust.

However, the *actual outcome* is that gpg will not let the user assign
anything less than "Full Trust" to this key.  Having set Full Trust,
the user is not able to change his mind and set the trust level to
anything less than Full Trust without first setting the trust level
of "Root Key" to something lower.
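As an added illustration, not part of the original report and not gpg's own code, the following Python model computes the *expected outcome* described above: a domain-limited trust signature from an ultimately trusted Root Key delegates full trust for user IDs inside the domain, while the locally assigned owner trust governs everything else. It assumes a simplified web of trust (only level-1 trust signatures from an ultimately trusted key count, default thresholds of one full or three marginal certifications), and it assumes that a domain restriction corresponds to the user-ID regular expression `<[^>]+[@.]domain>$`; the keys, user IDs and key IDs are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Owner-trust levels in increasing order (constructed constants for this model).
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3, 4
TRUST_NAMES = {UNKNOWN: "unknown", NEVER: "never", MARGINAL: "marginal",
               FULL: "full", ULTIMATE: "ultimate"}


@dataclass
class TrustSignature:
    """A trust signature (RFC 4880 5.2.3.13) with an optional regex scope (5.2.3.14)."""
    issuer: str                  # key id of the signing key
    level: int                   # trust depth; >= 1 makes the signed key a trusted introducer
    amount: int                  # 120 = full trust, 60 = marginal trust
    regex: Optional[str] = None  # only user IDs matching this pattern are covered


@dataclass
class Key:
    keyid: str
    uids: List[str]
    tsigs: List[TrustSignature] = field(default_factory=list)
    ownertrust: int = UNKNOWN    # the local setting the user makes with "trust" in --edit-key


def domain_regex(domain: str) -> str:
    """Assumption: the user-ID pattern a domain-limited trust signature carries."""
    return r"<[^>]+[@.]" + re.escape(domain) + r">$"


def uid_in_domain(uid: str, domain: str) -> bool:
    return re.search(domain_regex(domain), uid) is not None


def tsig_trust(key: Key, uid: str, keyring: Dict[str, Key]) -> int:
    """Trust in `key` as a certifier of `uid`, derived only from trust signatures."""
    best = UNKNOWN
    for ts in key.tsigs:
        signer = keyring.get(ts.issuer)
        # Simplification: only trust signatures from an ultimately trusted key count.
        if signer is None or signer.ownertrust != ULTIMATE or ts.level < 1:
            continue
        if ts.regex is not None and not re.search(ts.regex, uid):
            continue  # uid lies outside the delegated domain
        if ts.amount >= 120:
            best = max(best, FULL)
        elif ts.amount >= 60:
            best = max(best, MARGINAL)
    return best


def effective_trust(key: Key, uid: str, keyring: Dict[str, Key]) -> int:
    """Expected outcome from the report: the trust signature governs inside its
    domain and cannot be overridden locally; the local owner trust applies elsewhere."""
    delegated = tsig_trust(key, uid, keyring)
    return delegated if delegated != UNKNOWN else key.ownertrust


def uid_validity(certifiers: List[Key], uid: str, keyring: Dict[str, Key],
                 marginals_needed: int = 3, completes_needed: int = 1) -> str:
    """Validity of `uid` given the keys that certified it (default-style thresholds)."""
    levels = [effective_trust(k, uid, keyring) for k in certifiers]
    fulls = sum(1 for t in levels if t in (FULL, ULTIMATE))
    marginals = sum(1 for t in levels if t == MARGINAL)
    if fulls >= completes_needed or marginals >= marginals_needed:
        return "full"
    if fulls or marginals:
        return "marginal"
    return "unknown"  # NEVER and UNKNOWN certifiers contribute nothing


def scenario(middle_ownertrust: int) -> Dict[str, str]:
    """Constructed keyring: Root Key (ultimate) tsigns Middle Key, limited to gnupg.invalid."""
    root = Key("ROOT", ["Root Key <root@gnupg.invalid>"], ownertrust=ULTIMATE)
    middle = Key("MIDDLE", ["Middle Key <middle@gnupg.invalid>"],
                 tsigs=[TrustSignature("ROOT", level=1, amount=120,
                                       regex=domain_regex("gnupg.invalid"))],
                 ownertrust=middle_ownertrust)
    keyring = {"ROOT": root, "MIDDLE": middle}
    inside = "Alice <alice@gnupg.invalid>"     # certified by Middle Key, inside the domain
    outside = "Alice <alice@example.invalid>"  # certified by Middle Key, outside the domain
    return {
        "inside_trust": TRUST_NAMES[effective_trust(middle, inside, keyring)],
        "outside_trust": TRUST_NAMES[effective_trust(middle, outside, keyring)],
        "inside_validity": uid_validity([middle], inside, keyring),
        "outside_validity": uid_validity([middle], outside, keyring),
    }


if __name__ == "__main__":
    for level in (MARGINAL, NEVER):
        print("Middle Key ownertrust =", TRUST_NAMES[level], scenario(level))
```

With Middle Key set to marginal, a certification inside .gnupg.invalid yields full validity while one outside yields only marginal validity; setting Middle Key to "never" still leaves the in-domain certification fully valid, which is the behaviour the Discussion below argues for (the delegation from Root Key is honoured, the local setting only reaches beyond the domain).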

[ Discussion ]

RFC 4880 does not specify how implementations should handle the interaction 
between trust signatures and explicitly specified owner trust levels. However, 
since trust signatures are intended for use in corporate and other settings, the 
implicit sense of the current gpg implementation that a user should not be able 
to override a trust signature is a reasonable one.  Moreover, it is inconsistent 
for a user to trust Root Key and then not trust the signatures made by that key.  
If there is a problem with signatures that "Root Key" is issuing, that 
ought to cause the user to reconsider the trust of that key, not override 
individual key trust.  

However, gpg should *NOT* prevent the user from specifying the trust of "Middle 
Key" for signatures that are not within the domain specified by trust 

There is a probable security problem with the current user interface.  A valid 
trust signature will prevent a user from withdrawing trust from a key, even for 
signatures that are not within the domain of the trust signature.

[ Suggestion ]

That GPG should stop trying to second-guess the user and allow the
user to set any trust level on a key.  Instead, it could display a
warning that trust signatures present on a key will override a locally assigned 
setting.  However, it should still allow the user to issue any local setting 
he/she wishes, and should honour that setting for key certifications that are 
not within the domain of any trust signatures.
Date                 User    Action         Args
2011-08-13 10:03:06  npcole  setrecipients  + npcole
2011-08-13 10:03:06  npcole  setmessageid   <>
2011-08-13 10:03:06  npcole  link           issue1361 messages
2011-08-13 10:03:06  npcole  create