[ Summary ]
GPG will not allow the user to set the trust of the key independently
of the trust signature, even when Trust Signature is domain-limited.
[ Full Description ]
In the following description:
"Root Key" is a key set as ultimate trust.
"Middle Key" is a key whose UID is signed by "Root Key" with a trust signature
delegating full trust.
[ Middle Key would then sign other keys, but they are not necessary to
demonstrate the bug in question. ]
So - Supposing that "Root Key" signs "Middle Key" with a trust
signature limited to the ".gnupg.invalid" domain.
The user might independently decide to assign "Middle Key" a marginal
trust setting for all keys.
The *expected outcome* here is that within the domain .gnupg.invalid
the key is allowed to sign with "Full Trust" but that in all other
domains it just has marginal trust.
However, the *actual outcome* is that gpg will not let the user assign
anything less than "Full Trust" to this key. Having set Full Trust
the user is not able to change his mind and set the trust level to
anything less than Full Trust, without first setting the trust level
of "Root Key" to something lower.
[ Discussion ]
RFC 4880 does not specify how implementations should handle the interaction
between trust signatures and explicitly specified owner trust levels. However,
since trust signatures are intended for use in corporate and other settings, the
implicit sense of the current gpg implementation that a user should not be able
to override a trust signature is a reasonable one. Moreover, it is inconsistent
for a user to trust Root Key and then not trust the signatures that that key
makes. If there is a problem with signatures that "Root Key" is issuing, that
ought to cause the user to reconsider the trust of that key, not override
individual key trust.
However, gpg should *NOT* prevent the user from specifying the trust of "Middle
Key" for signatures that are not within the domain specified by trust
There is a probable security problem with the current user interface. A valid
trust signature will prevent a user from withdrawing trust from a key, even for
signatures that are not within the domain of the trust signature.
[ Suggestion ]
That GPG should stop trying to second-guess the user and allow the
user to set any trust level on a key. Instead, it could display a
warning that trust signatures present on a key will override a locally assigned
setting. However, it should still allow the user to issue any local setting
he/she wishes, and should honour that setting in for key certifications that are
not within the domain of any trust signatures.