Hello, I just tried to check what the "correct" (i.e. established) wording for the difference between successful signature validation and the (trust related) validity of the signing key is.
My guess was "correct signature" vs. "valid signature". I had a look at the /usr/share/doc/packages/gpg2/DETAILS file. And now I am confused. It says that both GOODSIG and VALIDSIG refer to the success of the purely technical signature validation with the public key. So "valid" in the context of signatures seems to mean something different from "valid" in the context of keys. Which is not good in general, but however. Then I read in that file:

#################################
TRUST_UNDEFINED <error token>
TRUST_NEVER <error token>
TRUST_MARGINAL [0 [<validation_model>]]
TRUST_FULLY [0 [<validation_model>]]
TRUST_ULTIMATE [0 [<validation_model>]]

For good signatures one of these status lines are emitted to indicate the validity of the key used to create the signature.
#################################

which is coherent to what I wrote above. But at the end of that block it says:

#################################
Note that we use the term "TRUST_" in the status names for historic reasons; we now speak of validity.
#################################

OMG. Now the term "valid" / "validity" refers to both verification success and the trust state of the signing key? I guess that is really bad in terms of understanding. And the whole OpenPGP subject is already hard enough to understand for new users. I am writing information documents for new users, thus I am very interested in getting this right.

The best explanation for all I know now (and have stated above) is that the term VALIDSIG simply was quite a bad choice (but impossible to change) and that "valid" – despite the exception VALIDSIG – is used for the trust state both with keys and with signatures. So we have (besides bad and expired signatures, of course) "good" signatures which can be "valid" signatures. Can you confirm this?

BTW: It is probably not a GnuPG specific term but I consider "ownertrust" to be a bad choice, too, because it simply isn't that. The value is key dependent and may vary between keys with the same owner (due to the key's security level or the respective key's certification policy).

Hauke

-- 
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04)
http://www.openpgp-schulungen.de/
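The distinction the post asks about, "good" (GOODSIG/VALIDSIG: the cryptographic check with the public key passed) versus "valid" (the TRUST_* line additionally says the signing key is valid), can be made mechanical by reading gpg's --status-fd output. The following is an added example, not code from the thread or from GnuPG; the status token names come from the DETAILS file quoted above, while the key id, fingerprint and user id in the sample reports are constructed placeholders.

```python
# Added example: classify a gpg --status-fd report into "good" vs. "valid".
from dataclasses import dataclass
from typing import Optional

# Token sets follow the status names used in gpg's DETAILS file.
GOOD_TOKENS = {"GOODSIG", "VALIDSIG"}          # cryptographic check passed
FAIL_TOKENS = {"BADSIG", "ERRSIG"}             # check failed or could not run
PROBLEM_TOKENS = {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}  # checked, but flagged
TRUST_TOKENS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                "TRUST_FULLY", "TRUST_ULTIMATE"}       # validity of the *key*


@dataclass
class Verdict:
    good: bool                  # GOODSIG/VALIDSIG seen and no BADSIG/ERRSIG
    key_validity: str           # the TRUST_* token, or "UNKNOWN" if none seen
    valid: bool                 # good, nothing flagged, key fully/ultimately valid
    fingerprint: Optional[str]  # taken from the VALIDSIG line, if present


def classify(status_output: str) -> Verdict:
    good = failed = problem = False
    validity, fpr = "UNKNOWN", None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # gpg's normal output may be interleaved; skip it
        fields = line.split()[1:]
        if not fields:
            continue
        token = fields[0]
        if token in GOOD_TOKENS:
            good = True
            if token == "VALIDSIG" and len(fields) > 1:
                fpr = fields[1]  # full fingerprint of the signing (sub)key
        elif token in FAIL_TOKENS:
            failed = True
        elif token in PROBLEM_TOKENS:
            problem = True
        elif token in TRUST_TOKENS:
            validity = token
    good = good and not failed
    valid = good and not problem and validity in {"TRUST_FULLY", "TRUST_ULTIMATE"}
    return Verdict(good, validity, valid, fpr)


# Constructed sample reports (placeholder fingerprint, key id and user id).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_VALID = (f"[GNUPG:] GOODSIG {FPR[-16:]} Alice Example <alice@example.invalid>\n"
              f"[GNUPG:] VALIDSIG {FPR} 2013-01-01 1357000000 0 4 0 1 10 00 {FPR}\n"
              "[GNUPG:] TRUST_FULLY 0 pgp\n")
GOOD_ONLY = GOOD_VALID.replace("TRUST_FULLY 0 pgp", "TRUST_UNDEFINED 0")
BAD = f"[GNUPG:] BADSIG {FPR[-16:]} Alice Example <alice@example.invalid>\n"
```

Running it on the three samples gives good+valid, good but not valid (key validity undefined), and neither, which is exactly the three-way split a user-facing document needs to explain.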
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users