Support gpg's `--marginals-needed` option
`gpg` has several options that control the web of trust calculations:
'--completes-needed N'
Number of completely trusted users to introduce a new key signer
(defaults to 1).
'--marginals-needed N'
Number of marginally trusted users to introduce a new key signer
(defaults to 3)
'--max-cert-depth N'
Maximum depth of a certification chain (default is 5).
`--completes-needed` can be set using `sq-wot`'s `--trust-amount` option.
Unfortunately, neither `--marginals-needed` nor `--max-cert-depth` is implemented.
In practice, I don't think `--max-cert-depth` is really needed: `sequoia-wot` of trust is sufficiently fast that we don't need to prune the search space in this manner.
`--marginals-needed` controls how the amount parameter is interpreted. RFC 4880 says:
The trust amount is in a range from 0-255, interpreted such that values less than 120 indicate partial trust and values of 120 or greater indicate complete trust. Implementations SHOULD emit values of 60 for partial trust and 120 for complete trust.
When `gpg` issues a partially trusted tsig, it looks like this:
```
Signature Packet, old CTB, 439 bytes
    Version: 4
    Type: GenericCertification
    Pk algo: RSA
    Hash algo: SHA512
    Hashed area:
      Issuer Fingerprint: CE8A1850FB949EC25E17B1EC6D1F82CD714621A2
      Signature creation time: 2022-12-05 14:02:08 UTC
      Trust signature: level 3 trust 60
    Unhashed area:
      Issuer: 6D1F82CD714621A2
    Digest prefix: 3327
    Level: 0 (signature over data)
```
`gpg` interprets the trust amount value as follows:

- `amount >= 120`: fully trusted
- `60 <= amount < 120`: partially trusted
- `amount < 60`: no trust
`sequoia-wot` maps trust amount values to `min(amount, 120) / 120`. It should be possible to emulate this behavior by using a `CertificationFilter` to map the trust amounts appropriately.
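
The two readings of the trust amount described above, side by side, with one possible remapping for `--marginals-needed`. This is an added example, not sequoia-wot's code: it does not use the real `CertificationFilter` trait, and `emulated_amount` with its ceil(120 / N) share rule is a hypothetical mapping. It assumes partial amounts are summed against a target of 120 and that `--completes-needed` stays at 1.

```rust
// Added example; all names here are illustrative, not sequoia-wot's API.
const FULL: u32 = 120;

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum GpgTrust { Untrusted, Partial, Full }

/// gpg's reading of a trust amount, using the thresholds listed above.
pub fn gpg_bucket(amount: u8) -> GpgTrust {
    match amount {
        120..=255 => GpgTrust::Full,
        60..=119 => GpgTrust::Partial,
        _ => GpgTrust::Untrusted,
    }
}

/// sequoia-wot's reading: the numerator of min(amount, 120) / 120.
pub fn linear_amount(amount: u8) -> u32 {
    u32::from(amount).min(FULL)
}

/// Assumed remapping: the amount to substitute for `amount` so that summing
/// amounts against 120 behaves like gpg's buckets when `marginals_needed`
/// partial introducers are required. Returns None when no integer share
/// can make exactly that many introducers necessary and sufficient.
pub fn emulated_amount(amount: u8, marginals_needed: u32) -> Option<u32> {
    if marginals_needed == 0 || marginals_needed > FULL {
        return None;
    }
    // Smallest share such that `marginals_needed` of them reach 120.
    let share = (FULL + marginals_needed - 1) / marginals_needed;
    // One introducer fewer must stay below 120, or the emulation is too lax.
    if share * (marginals_needed - 1) >= FULL {
        return None;
    }
    Some(match gpg_bucket(amount) {
        GpgTrust::Full => FULL,
        GpgTrust::Partial => share,
        GpgTrust::Untrusted => 0,
    })
}

fn main() {
    // Constructed sample amounts around the bucket boundaries.
    for amount in [59u8, 60, 100, 120] {
        println!("{}: gpg={:?} linear={}/120 emulated(N=3)={:?}", amount,
            gpg_bucket(amount), linear_amount(amount), emulated_amount(amount, 3));
    }
}
```

With integer amounts and a fixed target of 120, this mapping has no exact solution from 13 marginal introducers upward, so the function reports `None` there instead of rounding.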