+ * `5`: `max_cert_depth` (i'm not sure exactly how this is used, though the name is certainly suggestive)
+
+
+## Classic trust model ##
+
+As far as i can tell, the basic trust model is just the `3` and `1`
+from the above description:
+
+ * how many certifications from keys with marginal ownertrust are
+ needed to grant full validity to a User ID on a key?
+
+ * how many certifications from keys with full ownertrust are needed
+ to grant full validity for a User ID on a key?
+
+If either of these are satisfied, the User ID is considered to be
+legitimately attached to its key (it is "fully" valid).
+
+If there are no certifications from anyone you trust, the User ID is
+considered to have unknown validity, which basically means "not
+valid".
+
+If there are *some* certifications from people who you trust, but not
+enough to satisfy either condition above, the User ID has "marginal
+validity".
+
+## PGP trust model (Classic trust model + trust signatures) ##
+
+Note that so far, your ability to express ownertrust is relatively
+clumsy. You can say "i trust the certifications made by this
+keyholder completely", or "a little bit", or "not at all". And these
+decisions about ownertrust are an entirely private matter. You have
+no formal way to declare it, or to automatically interpret and act on
+others' declarations. There is also no way to limit the scope of this
+ownertrust (e.g. "I trust my co-worker to properly identify anyone in
+our company, but would prefer not to trust him to identify my bank").
+
+[Trust
+signatures](http://tools.ietf.org/html/rfc4880#section-5.2.3.13) are a
+way to address these concerns. With a trust signature, I can announce
+to the world that i think my sister's certifications are legitimate.
+She is a "trusted introducer". If i use "trust level 1", this is
+equivalent to my ownertrust declaration, except that i can now make it
+formally public by publishing the trust signature to any keyserver.
+
+If you trust my judgement in this area ([the
+spec](http://tools.ietf.org/html/rfc4880#section-5.2.3.13) calls my
+role in this scenario a "meta introducer"), then you should be able to
+automatically accept certifications made by my sister by creating a
+level 2 trust signature on my key. You can choose whether to publish
+this trust signature or not, but as long as your `gpg` instance knows
+about it, my sister's certifications will be treated as legitimate.
+
+Combining trust signatures with [regular
+expressions](http://tools.ietf.org/html/rfc4880#section-5.2.3.14)
+allows you to scope your trust declarations. So, for example, if you
+work at ExampleCo, you might indicate in a standard level 1 trust
+signature on your co-worker's key that you trust them to identify any
+User ID within the `example.com` domain.
+
+### Problems and Questions with Chained Trust ###
+
+How do partial/marginal ownertrust and chained trust connections
+interact? That is, if:
+
+ * `A` privately grants "marginal" ownertrust for `B`, and
+ * `B` issues a "marginal" trust signature at level 1 for `C`, and
+ * `C` certifies `D`'s User ID and key,
+
+Then what should `A` see as the calculated validity for `D`'s User ID?
+Surely nothing more than "marginal", but if `A` marginally trusts two
+other certifications on `D`, should that add up to full validity?
+
+What if the chain goes out more levels than above? Does "marginal"
+get more attenuated somehow as a chain of marginals gets deeper? And
+how exactly does `max_cert_depth` play into all this?
+
+What about regex-scoped trust signatures of level > 1? Does the
+scoping apply to all dependent trust signatures? Has this sort of
+thing been tested?
+
+
+## "ultimate" ownertrust in GnuPG ##
+
+Note that for a key under your sole control, which you expect to use
+to certify other people's User IDs, you would typically give that key
+"ultimate" ownertrust, which for the purposes of the calculations
+described here is very similar to "full".
+
+The difference appears to be this: If a key with "full" ownertrust
+*but with no valid User IDs* makes a certification, that certification
+will not be considered. But if the certifying key has "ultimate"
+ownertrust, then its certifications *are* considered.
+
+So "full" ownertrust on a key is only meaningful as long as there is a
+trust path to some User ID on that key already. "ultimate" ownertrust
+is meaningful anyway, because presumably you control that key.
+
+## Other references ##
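Review bot: In "Classic trust model", the phrase "the `3` and `1` from the above description" identifies the two thresholds only by their current values, and the two bullets that follow are phrased as questions without saying which value answers which. State in each bullet which value it corresponds to, so the section still reads correctly for someone whose configuration differs. `max_cert_depth` is flagged as not understood twice, once at the `5` bullet and once under "Problems and Questions with Chained Trust"; keep the open question in one place and refer to it from the other. The "ultimate" section hedges with "appears to be", so it would help to say how the full versus ultimate difference was observed. Minor: "If either of these are satisfied" should read "is satisfied", and the three tools.ietf.org links can use https.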