On Wed, Dec 07, 2005 at 02:41:26PM +0100, Gregor Zattler wrote: > Hi David, > * David Shaw <[EMAIL PROTECTED]> [06. Dez. 2005]: > > On Fri, Dec 02, 2005 at 01:10:01PM +0100, Gregor Zattler wrote: > > > * David Shaw <[EMAIL PROTECTED]> [30. Nov. 2005]: > > > > On Wed, Nov 30, 2005 at 08:11:44PM +0100, Gregor Zattler wrote: > > > O.k. it's not very likely that an attacker is able to surround > > > all the people which keys I signed with people deliberately > > > signing wrong keys to trick me. OTOH I can not be certain that > > > Charlie, Nate and George know what they are doing when signing a > > > key. But... > > > > Yes, exactly. 1 hop away is easy, but as you get further and further > > away, you just don't know the people any longer. > > Yes, ... but ... > > > > > GPG will calculate trust for 5 hops along the path, by default. You > > > > can tune this with --max-cert-depth. > > > > > > How then is gpg able to calculate trust paths with more than one > > > hop? > > > > The same way it calculates for one hop: fully valid keys with full > > trust can make other keys fully valid. It doesn't matter if they are > > one hop or 15 hops away, so long as the hop count is less than > > --max-cert-depth. > > Isn't that the same issue as diskussed above? What's your > --max-cert-depth?
I leave it at the default unless I'm testing something (so it is 5). I agree it is the same issue as above, yes. 5 seems like a more or less sane default - big enough to be useful, small enough to not be (too) dangerous. Different people have a different comfort level, of course, which is why the value is changeable. In any event, the cert depth doesn't really change the actual calculations in most cases - most people don't have chains of people they know that are that long. David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
