WebOfTrustInfo / rwot1-sf

RWOT1 in San Francisco, California (November 2015)
http://www.WebOfTrust.Info

PGP & Vectors of Trust? #17

Open ChristopherA opened 8 years ago

ChristopherA commented 8 years ago

/re PGP-Paradigm.pdf #569b5a4 /cc @joncallas

One thing that I've always wanted with PGP was that when I signed someone's key I could notate more of the quality and effort of my validity assertion. For instance, vector of trust-like assertions about:

etc. Why didn't some of these types of assertions evolve in the PGP ecosystem? Was it purely a matter of it being too UX complex for the expected average user? Or an issue of validity vs trust? Or am I missing something?

joncallas commented 8 years ago

They exist. Section 5.2.1 of RFC 4880. At one time during the discussions of transition from 2440 to 4880, we were looking at removing them, and they got put back in because people wanted them.

I don't think they're used not only because of UX — GnuPG implements just about everything so it would be trivial to do, it's more that no one knows what they mean. That's the reason we were looking at removing them in the first place.

Here's what 4880 says:

0x10: Generic certification of a User ID and Public-Key packet.
   The issuer of this certification does not make any particular
   assertion as to how well the certifier has checked that the owner
   of the key is in fact the person described by the User ID.

0x11: Persona certification of a User ID and Public-Key packet.
   The issuer of this certification has not done any verification of
   the claim that the owner of this key is the User ID specified.

0x12: Casual certification of a User ID and Public-Key packet.
   The issuer of this certification has done some casual
   verification of the claim of identity.

0x13: Positive certification of a User ID and Public-Key packet.
   The issuer of this certification has done substantial
   verification of the claim of identity.

   Most OpenPGP implementations make their "key signatures" as 0x10
   certifications.  Some implementations can issue 0x11-0x13
   certifications, but few differentiate between the types.

What is the difference between a persona certification and a casual certification? What would "substantial verification" be? Personally, one of the things that I dislike about the PGP culture is how surly it is to nyms and personae, to begin with, and is one of the reasons I don't like key signing parties.
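Since the 0x10-0x13 certification types discussed above are carried in the signature type octet of an OpenPGP signature packet, an auditor who wants to know whether the certifications on a key "differentiate between the types" can simply walk the packet stream and tally that octet. The following is an added example, not code from this thread or from any OpenPGP implementation: a small parser for RFC 4880 packet headers (old and new format, section 4.2) and for the version 3 / version 4 signature packet layouts (sections 5.2.2 and 5.2.3), which maps each certification signature to its RFC 4880 section 5.2.1 name. The sample packet stream at the bottom is constructed for the example; its MPI and hash bytes are placeholders, not real signatures, and only the header and type fields are meaningful.

```python
"""Classify OpenPGP certification signatures by RFC 4880 section 5.2.1 type.

Added example for the discussion above. The packets in SAMPLE_STREAM are
constructed by hand: they are structurally valid enough to parse, but the
hash and MPI bytes are placeholders, not cryptographically valid signatures.
"""
import struct

# RFC 4880 section 5.2.1: certification signature types
CERTIFICATION_TYPES = {
    0x10: "generic",
    0x11: "persona",
    0x12: "casual",
    0x13: "positive",
}

SIGNATURE_PACKET_TAG = 2   # RFC 4880 section 4.3
USER_ID_PACKET_TAG = 13


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP stream (RFC 4880 4.2)."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                      # new-format header (4.2.2)
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:                 # one-octet length
                length = first
            elif first < 224:               # two-octet length
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:              # five-octet length
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:                           # 224..254 = partial body lengths
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header (4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[i]
                i += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[i:i + 2])[0]
                i += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("indeterminate length not supported")
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        i += length
        yield tag, body


def signature_type(body: bytes) -> int:
    """Return the signature type octet of a v3 or v4 signature packet body."""
    version = body[0]
    if version == 3:                        # 5.2.2: version, hashed-length (=5), type, ...
        if body[1] != 5:
            raise ValueError("v3 hashed material length must be 5")
        return body[2]
    if version == 4:                        # 5.2.3: version, type, ...
        return body[1]
    raise ValueError("unsupported signature version %d" % version)


def classify_certifications(data: bytes) -> list:
    """Return the 5.2.1 level name for every certification signature in the stream.

    Non-signature packets and non-certification signature types (e.g. 0x18
    subkey binding) are skipped, so the result reflects only 0x10-0x13.
    """
    levels = []
    for tag, body in iter_packets(data):
        if tag != SIGNATURE_PACKET_TAG:
            continue
        sig_type = signature_type(body)
        if sig_type in CERTIFICATION_TYPES:
            levels.append(CERTIFICATION_TYPES[sig_type])
    return levels


# ---- constructed sample stream (placeholder signature material) --------------

def _new_header(tag: int, length: int) -> bytes:
    return bytes([0xC0 | tag, length])      # new format, one-octet length (<192)


def _old_header(tag: int, length: int) -> bytes:
    return bytes([0x80 | (tag << 2), length])   # old format, one-octet length


def make_v4_signature_body(sig_type: int) -> bytes:
    # version 4, type, pubkey alg 1 (RSA), hash alg 8 (SHA-256), empty hashed and
    # unhashed subpacket areas, placeholder left-16-bits, one 8-bit placeholder MPI
    return bytes([4, sig_type, 1, 8]) + b"\x00\x00" + b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\x01"


def make_v3_signature_body(sig_type: int) -> bytes:
    # version 3, hashed length 5, type, creation time, 8-byte key id, algs, placeholder hash/MPI
    return (bytes([3, 5, sig_type]) + b"\x00\x00\x00\x00" + b"\x00" * 8
            + bytes([1, 2]) + b"\xab\xcd" + b"\x00\x08\x01")


_uid = b"Alice <alice@example.test>"           # constructed User ID packet body
SAMPLE_STREAM = (
    _new_header(SIGNATURE_PACKET_TAG, 13) + make_v4_signature_body(0x13)
    + _old_header(SIGNATURE_PACKET_TAG, 13) + make_v4_signature_body(0x10)
    + _new_header(USER_ID_PACKET_TAG, len(_uid)) + _uid
    + _new_header(SIGNATURE_PACKET_TAG, 22) + make_v3_signature_body(0x12)
    + _new_header(SIGNATURE_PACKET_TAG, 13) + make_v4_signature_body(0x18)
)

if __name__ == "__main__":
    print(classify_certifications(SAMPLE_STREAM))   # ['positive', 'generic', 'casual']
```

Run against a real exported public key (binary, not ASCII-armored) the same walk shows whether the certifications on it are all 0x10, which is what the RFC text above says most implementations emit; the parser deliberately refuses partial-body and indeterminate lengths rather than guessing, so a stream using those forms raises instead of being silently misread.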

jimscarver commented 8 years ago

FreeTrust.org begins with dimensions of identity, presence, security and privacy, for which we would have assertions and proofs. Trust is subjective, and the personal trust of the signer weights trust in the assertion.

I love the Vectors of Trust standard! But we must support them all, since anyone might trust something different and nobody knows what the standard will be tomorrow.

It is wonderful to find a group so far along in this area. :-)