I know folks on this list are concerned about the future prospects of
the ill-named "Web of Trust" . I wanted to kick off discussion about
one particular corner of it: how to evaluate the "validity" of OpenPGP
certificates for particular names.
Thanks to Justus for coining the term ORCA: OpenPGP Relational
Certificate Authentication. (maybe "Relational" should be "Recursive"
or "Rational"?) I hope this message isn't "squatting" it too much. I'm
happy to use a different term if there is an objection, but i like
having a catchy shorthand, one that *isn't* "WoT".
This e-mail is an attempt to just frame ORCA as a specific problem. I'm
hoping that future messages on this list will try to tackle deeper
definitions, implementation details, and algorithms.
I'm proposing the following problem statement (which i drafted earlier
today on IRC, but has evolved a bit in my mind since then):
- ORCA is interested in authenticating aspects of an OpenPGP
certificate. Concretely, the goal is to determine whether it is
appropriate to associate a given User ID with a particular primary
- ORCA models this problem as a function, where the inputs are:
- set of OpenPGP public keys P,
- set of OpenPGP certifications C,
- a "root trust" mapping T from P → N where N ∈ [0.0,1.0]
- user ID (UTF-8 string) U, and
- primary key K
and the output is a numerical score from 0.0 (meaning "K" is
inappropriate for use in contexts where the User ID is expected to be
"U") to 1.0 (meaning "K" is entirely appropriate for use in contexts
where the user ID is expected to be "U")
I observe that T in the definition above is slightly more flexible than
the "set of root certificates" framing that Neal has been developing.
It's capable of representing that of course (when X is a "root cert",
T[X] = 1.0, else T[X] = 0.0), but could also represent something more
nuanced, like GnuPG's "marginal ownertrust" (whatever that means).
Maybe we want to go with just a "simple set of root certs" definition
for T, but given that GnuPG exists and I think we want to be able to
model its behavior, i lean toward starting with the more flexible
I also observe that N (a float from 0 to 1 that is output by T) has a
remarkably distinct semantics from the output of the function itself.
Maybe it'd be better to declare them with different ranges or different
datatypes somehow to make it clear that you can't just map one to the
Note also that this problem statement deliberately excludes several
things. This is not to say that these things are ruled out or bad, just
that they are *different problems* than the core of ORCA. Hopefully
a clearer understanding of ORCA makes thinking about these other
- From the ORCA primitive function, we can build higher-level functions
like "select the best match for user ID U from this set of OpenPGP
certificates". But this particular framing does not concern itself
with how to build this higher-level functionality.
- ORCA doesn't concern itself with how to *discover* the various
OpenPGP certifications that it uses. It accepts a set of
certifications as input, and works from them.
- This framing doesn't care at all about peripheral information like
encryption-, signing-, or authentication-capable subkeys, algorithm
preference advertising packets, keyserver preferences, etc.
- This framing doesn't even contemplate OpenPGP "Certificates" (or
"Keyblocks" or "TPKs" if you prefer). Rather, it assumes that some
other layer is capable -- given the relevant OpenPGP packets -- of
reassembling the appropriate packets into these higher-level objects.
- This framing treats the User ID as a raw UTF-8 string. This isn't
always how people will want to match or discover User IDs. For
example, many MUAs might deliberately ignore the non-e-mail address
part of a User ID, and just try to evaluate it in that way. This
framing assumes that some sort of translation can be done to map
these "filtered" user IDs onto real User IDs and vice versa, but that
concern is not part of the ORCA model.
- This framing ignores any attempt to evaluate User Attributes or other
OpenPGP-style identity data.
- This framing deliberately rules out the use of any additional
metadata, such as "TOFU" information, Autocrypt state, etc.
- The definition of T precludes applying "root trust" to anyything
other than a pubkey. In particular, you can't apply it to a
<pubkey,User ID> combination. It also precludes offering any more
detailed nuance beyond a single scalar per pubkey for this mapping.
Given the flexibility offered by the OpenPGP regex and "trust
signature" subpackets, and the ability to synthesize new,
privately-held pubkeys which can make new tsigs, i think we don't
need anything more, but please sing out if you think otherwise.
We have at least two known implementations of this function, which are
GnuPG's "pgp" and "classic" trust models. In GnuPG terminology, these
models calculate user ID "validity" based on its ownertrust DB and the
certifications stored in its pubring. GnuPG allows the user to tweak
its settings. These modules are additionally parameterized by GnuPG's
options --completes-needed, --max-cert-depth, and --marginals-needed.
Even given this fairly narrowly-constrained problem space, distinct
implementations, which could provide different results.
What do folks think about this problem statement?
 "Web of Trust" is a disturbing term because it masks and conflates
several of the underlying elements, for example willingness to rely
on a particular key's certifications vs. willingness to use a
particular key for a particular communications peer. It's also
troubling because most people think they know what it means already,
but haven't actually thought through the model in enough detail to
understand their own confusion (i fall into this trap frequently
myself). So using the term "ORCA" instead is a way to "reset"
thinking about this, to allow a distinct framing of the problem.