Documentation of trust model

Peter Lebbing peter at digitalbrains.com
Tue Sep 5 11:00:21 CEST 2017


On 05/09/17 00:58, Mario Castelán Castro wrote:
> Are the trust models “classical” and “pgp” as implemented in GNU PG
> documented anywhere?

The GNU Privacy Handbook has a good explanation of it:
<https://www.gnupg.org/gph/en/manual.html>

That is to say, it explains the Web of Trust. It doesn't seem to even
mention trust signatures.

The difference between "classical" and "pgp" is, as the man page does
say, that "pgp" includes trust signatures.[1] But in practice trust
signatures are only used in such limited settings that these situations
probably have their own prescriptive practices and documentation. At
least, that's what I personally expect. So it's not that useful to
document trust signatures in detail. It could perhaps be wise to mention
this rationale for not explaining them.

> In the manual I can only find this for “pgp”: “This
> is the Web of Trust combined with trust signatures as used in PGP 5.x
> and later. This is the default trust model when creating a new trust
> database.”, which is a very unsatisfactory description.

The man and info pages are more reference manuals than user manuals;
they list all options, but don't explain what is all involved in using
GnuPG in a sane manner in practice.

While there are certainly ways to improve the man and info pages to be
more useful, I think a whole description of how to properly use the Web
of Trust would be out of scope.

HTH,

Peter.

[1] Although it is actually phrased ambiguously: it is not clear whether
the relative clause "as used in PGP 5.x and later" is a restrictive or
non-restrictive relative clause. Is it:

1. The Web of Trust combined with trust signatures, in the manner they
are used in PGP 5.x? So this Web of Trust is a different Web of Trust
than the one of PGP 2.x.

2. The Web of Trust combined with trust signatures, which is a model
that was introduced in PGP 5.x?

It actually is 2: the Web of Trust is the same as in PGP 2.x, but
another trust mechanism was added: trust signatures.

So perhaps the sentence should be rephrased as:

This is the Web of Trust combined with trust signatures, which is the
model used in PGP 5.x and later.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
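As an added illustration, not code from this message or from GnuPG itself, a small Python model of the distinction drawn above: the same Web of Trust validity rules run once with trust signatures treated as ordinary certifications ("classical") and once with them honoured as delegations of introducer trust ("pgp"). The key names are constructed, and the delegation rules are a simplifying assumption; only the thresholds are GnuPG's documented defaults.

```python
# Constructed teaching model of GnuPG's "classical" and "pgp" trust models;
# not GnuPG's trustdb code. A key is valid once one valid fully trusted key
# or three valid marginally trusted keys certify it (GnuPG's defaults). In
# "pgp" a trust signature also delegates introducer trust; in "classical"
# it is only an ordinary certification, which is the whole difference.
MAX_CERT_DEPTH = 5                      # GnuPG default --max-cert-depth
RANK = {"none": 0, "marginal": 1, "full": 2, "ultimate": 3}

def compute_validity(ownertrust, certs, model):
    """Return (valid_keys, effective_trust). ownertrust: {key: level} set by
    the user; certs: (signer, signee, level, amount), level 0 an ordinary
    cert, level >= 1 a trust signature (amount 120 full, 60 marginal)."""
    keys = set(ownertrust) | {k for c in certs for k in c[:2]}
    trust = {k: ownertrust.get(k, "none") for k in keys}
    # tsig levels a key may still delegate (assumption: only ultimate or tsig-reached keys can)
    depth = {k: MAX_CERT_DEPTH if trust[k] == "ultimate" else 0 for k in keys}
    valid = {k for k in keys if trust[k] == "ultimate"}
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for key in keys - valid:
            signers = [s for s, e, _, _ in certs if e == key and s in valid]
            fulls = sum(RANK[trust[s]] >= RANK["full"] for s in signers)
            margs = sum(trust[s] == "marginal" for s in signers)
            if fulls >= 1 or margs >= 3:
                valid.add(key)
                changed = True
        if model == "classical":
            continue                    # tsigs count as plain certs only
        for s, e, level, amount in certs:
            if level < 1 or s not in valid or RANK[trust[s]] < RANK["full"]:
                continue
            eff = min(level, depth[s])  # cannot delegate deeper than allowed
            if eff < 1:
                continue
            new = "full" if amount >= 120 else "marginal"
            if RANK[new] > RANK[trust[e]]:
                trust[e], changed = new, True
            if eff - 1 > depth[e]:
                depth[e], changed = eff - 1, True
    return valid, trust

OWNERTRUST = {"alice": "ultimate"}      # constructed sample keyring
CERTS = [("alice", "bob", 2, 120),      # bob: full introducer, may delegate once
         ("bob", "carol", 1, 120),      # carol: full introducer, no delegation
         ("carol", "dave", 0, 0)]       # plain certification of dave by carol

if __name__ == "__main__":
    for m in ("classical", "pgp"):
        print(m, sorted(compute_validity(OWNERTRUST, CERTS, m)[0]))
```

Under "classical" only bob becomes valid, because bob has no ownertrust and his trust signature on carol is just a certification; under "pgp" the same keyring validates carol and dave as well.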
