On 8/7/07, Robert J. Hansen <[EMAIL PROTECTED]> wrote:
> Problem 1: key signatures. He says he couldn't figure out what he
> needed to do with the keys. Did he need to sign them? Trust them?
> What's validity and otrust again? Who should be set up as a trusted
> introducer? Why wasn't the cursed thing working?! As he said, "I know,
> I knew what needed to be done, but even knowing what needed to be done,
> I couldn't figure out what needed to be done." Even just talking about
> it, months after the fact, he sounded frustrated.
In my experience, this is one of the biggest hurdles. One of PGP's problems from the beginning is that words like "sign" and "valid" have always been used in several different contexts, and then introduced all of them to the user at once.

What the (beginner) needs to be told is that, if he wants to tell his software to use a particular key, he should sign (validate / mark as genuine) it. If he is at all unsure about the key, he needs to check the Fingerprint with his contact. And that's all. (As an aside: I note that all these social networking sites have a web of trust of sorts, so the concept is not impossible to present to the user in a very straightforward way.)

Other concepts should be introduced as features that help larger organisations, not as something that the user needs to understand before he even gets started.

The original PGP software also made the mistake of saying things like (I forget the exact wording now) "This is a GOOD signature from an Invalid key", which is just unhelpful to the new user. What it meant to say was "You have not validated the key that signed this message - it may or may not be genuine." Or better words to that effect.

Best wishes,
N.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
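The two notions the thread says beginners conflate, "I signed this key because I checked it is genuine" (validity) versus "I trust this person to vouch for other keys" (ownertrust), can be made concrete with a toy model of GnuPG's classic web-of-trust calculation. This is an added illustration, not code from the thread or from GnuPG; the key names, the scenario and the simplified rules (one fully trusted or three marginally trusted valid certifiers make a key fully valid, matching gpg's default marginals-needed/completes-needed) are assumptions for the example.

```python
"""Toy model of the classic GnuPG web-of-trust validity calculation (added example)."""
from dataclasses import dataclass, field

# ownertrust levels, named as gpg names them
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

@dataclass
class Key:
    uid: str
    certifiers: set = field(default_factory=set)  # uids of keys that signed this key

def compute_validity(keys, ownertrust, marginals_needed=3, completes_needed=1, max_depth=5):
    """Return {uid: validity}; validity is one of ultimate/full/marginal/unknown."""
    validity = {uid for uid, ot in ownertrust.items() if ot == ULTIMATE}
    validity = {uid: ULTIMATE for uid in validity}  # your own keys are valid by definition
    for _ in range(max_depth):  # each pass can extend the chain of introducers by one hop
        changed = False
        for uid, key in keys.items():
            if validity.get(uid) in (ULTIMATE, FULL):
                continue  # already as valid as it can get
            fulls = marginals = 0
            for c in key.certifiers:
                # a signature only counts if the signing key is itself fully valid ...
                if validity.get(c) not in (ULTIMATE, FULL):
                    continue
                # ... AND its owner has been given ownertrust (signing alone is not enough)
                ot = ownertrust.get(c, UNKNOWN)
                if ot in (ULTIMATE, FULL):
                    fulls += 1
                elif ot == MARGINAL:
                    marginals += 1
            if fulls >= completes_needed or marginals >= marginals_needed:
                new = FULL
            elif fulls or marginals:
                new = MARGINAL
            else:
                new = UNKNOWN
            if new != validity.get(uid, UNKNOWN):
                validity[uid], changed = new, True
        if not changed:
            break
    return {uid: validity.get(uid, UNKNOWN) for uid in keys}

def example_scenario():
    """Constructed keyring: alice is the user; she signed bob..erin after checking fingerprints."""
    keys = {u: Key(u) for u in ["alice", "bob", "carol", "dave", "erin",
                                "frank", "grace", "heidi", "ivan", "judy"]}
    for u in ("bob", "carol", "dave", "erin"):
        keys[u].certifiers.add("alice")          # alice signed (validated) these keys
    keys["frank"].certifiers.add("bob")          # bob signed frank
    keys["grace"].certifiers |= {"carol", "dave"}
    keys["heidi"].certifiers |= {"carol", "dave", "erin"}
    keys["ivan"].certifiers.add("grace")         # grace is only marginally valid
    keys["judy"].certifiers.add("frank")         # frank is valid but has no ownertrust
    ownertrust = {"alice": ULTIMATE, "bob": FULL, "carol": MARGINAL,
                  "dave": MARGINAL, "erin": MARGINAL}
    return compute_validity(keys, ownertrust)
```

Running `example_scenario()` shows why "GOOD signature from an invalid key" happens: judy's key is signed by a genuine key (frank), but since alice never marked frank as an introducer, judy stays unknown until alice checks her fingerprint and signs the key herself.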