--min-cert-level and --auto-check-trustdb

Nicholas Cole nicholas.cole at gmail.com
Tue Aug 30 10:59:31 CEST 2011


Dear list,

Why is changing the --min-cert-level not enough to trigger an update
of the trust-db?  Should it be?

Supposing a scenario in which a user is prepared to accept lower-level
certifications for low value communications, but requires higher level
certifications for others.

At present the user can specify --min-cert-level on the command line,
but the trust database itself will not be updated for the purposes of
listing/editing keys, verifying signatures or encryption.

The user interface can become easily out of sync with the user's
explicit trust model settings.

The only solution is to explicitly order --check-trustdb.

However, this creates further problems and possible security risks,
because there is no guarantee that a temporary change will be reverted
when the user stops specifying the --cert-level on the command line.

I suspect this is a little-used feature of gpg.  On the other hand, it
does look like an excellent way for the user to shoot himself in the
foot without even realising it.  (Scenario to verify the problem at the
end of this email)

Best wishes,

Nicholas

=================================================================
To verify problem:

1. Sign a key with a level 1 certification
2. Do gpg --min-cert-level=1 --check-db
3. Edit the key you have just signed, or try to encrypt to it, and the
listing will show the uid as trusted EVEN if you do not specify the
low cert level on the command line, and are therefore using the gpg
default --min-cert-level=2.

This looks like a security risk to me.
(problem identified with gpg 1.4.11)
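The workaround the post points at (explicitly re-running --check-trustdb) as an added shell example, not code from the original post or from GnuPG: it wraps a single gpg invocation so the trust database is rebuilt at the lowered --min-cert-level before the command and rebuilt again at the default level afterwards, so the cached validity never stays lowered. The function name and the GPG variable (used so the binary can be substituted) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post.
# GPG is an assumption of this script so the binary can be overridden.
GPG="${GPG:-gpg}"
DEFAULT_MIN_CERT_LEVEL=2   # gpg's documented default for --min-cert-level

# with_min_cert_level LEVEL gpg-args...
# Runs "gpg --min-cert-level=LEVEL gpg-args..." between two trustdb
# rebuilds. Returns the exit status of the wrapped command; the final
# rebuild at the default level always runs, even if the command failed.
with_min_cert_level() {
    level="$1"; shift
    case "$level" in
        1|2|3) ;;
        *) echo "with_min_cert_level: bad level '$level'" >&2; return 2 ;;
    esac
    # 1. Rebuild the trustdb so cached validity reflects the lowered level;
    #    --min-cert-level alone does not do this (the point of the post).
    "$GPG" --min-cert-level="$level" --check-trustdb || return $?
    # 2. Run the actual command under the same level.
    "$GPG" --min-cert-level="$level" "$@" && rc=0 || rc=$?
    # 3. Rebuild again at the default level so the temporary change is
    #    reverted in the trustdb, not just on the command line.
    "$GPG" --min-cert-level="$DEFAULT_MIN_CERT_LEVEL" --check-trustdb
    return $rc
}
```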