Daniel Kahn Gillmor wrote:
> On 07/13/2013 05:39 AM, Ximin Luo wrote:
>> When we got to the part where we receive an email signed by a key which has
>> not yet been verified by a trusted key, GPG outputs the familiar phrase
>> "UNTRUSTED Good signature". Now previously, I didn't think too much of this,
>> since I understand the model of PGP. However, the other instructor in the
>> session told people that in order to make the "UNTRUSTED" go away, you
>> simply set the ownertrust to "full" via the Enigmail interface.

The instructor would have made the same wrong recommendation regardless of the
interface. That he seemingly did not understand the workings of gpg is
unfortunate. The problem I see here is not the tool, but its instruction.

>> This is, of course, the ENTIRELY wrong thing to do. What people should do,
>> and I corrected this later, is (either face-to-face or over a previously
>> verified channel) verify each other's fingerprints, and sign each other's
>> keys.

Local signatures are also a valid solution to a formal keysigning verification.
It depends on the relationship between the two parties.

>> But without a technical understanding of PGP, his suggestion was very
>> reasonable:
>>
>> - the interface has a warning about "UNTRUSTED"
>> - the interface provides a way to set "trust" (actually ownertrust but it
>>   doesn't mention the term I guess to "not confuse" the user)
>> - doing this makes the previous warning go away
>>
>> This stems from the concept of "trust" in PGP (= belief that someone else
>> signs certificates honestly and correctly), which is much more specific than
>> the broad concept in English. So one must be careful when using the word
>> "trust" in the UI, not to mix up the two use cases.
>>
>> Whilst technically correct, "UNTRUSTED" is not the main point when you are
>> verifying signatures. The main point is to ensure the key is verified to
>> actually belong to the correct person. So I would suggest rephrasing the
>> warning to something like
>>
>> - "UNVERIFIED Good signature", or
>> - "Good signature from an UNVERIFIED KEY"
>
> I think a change like this is a good idea. If the tool itself can't
> clearly separate the concept of "ownertrust" from "verified" or "valid"
> keys, then most users will have little chance of sorting out the
> distinction themselves.

The message is a one-line condensation of gpg's output:

    gpg: Good signature from $First_UID_on_Key
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX

"Not certified with a trusted signature" --> untrusted

I believe I can say the Enigmail folks do not find a problem with this language.
At least that's what we all agreed on some time ago. No amount of hair-splitting
over replacing an accurate word with something else deemed to be "more accurate"
is going to substitute for proper user education in the first place.

> I believe the enigmail authors are already open to patch submissions to
> clarify the distinction between ownertrust and validity, fwiw.

if one needs to be made. This started from a good signature made by an
"untrusted" key. Dragging ownertrust in is IMO a sad conflation.

At any rate, if one wishes to do more than keystroke emptily into the ether,
may I suggest

    mailto://enigmail-us...@enigmail.net
    https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net

Posts from non-subscribers are held for moderation (we try to keep it down to a
few hours max).

-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
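As an added illustration that is not part of the thread and not code from GnuPG or Enigmail, a small Python model of the ownertrust-versus-validity distinction Ximin describes: in this model, raising ownertrust on an unverified key leaves it unverified, while certifying it after a fingerprint check makes it valid. The thresholds (one full or three marginal certifications) follow GnuPG's classic defaults, certification depth is ignored, and the key names are constructed.

```python
# Added toy model of the web of trust (not code from the thread, GnuPG or Enigmail).
# OWNERTRUST = my belief that a key's owner certifies others carefully;
# VALIDITY = whether a key is bound to the person named on it.
UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"
COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 3  # GnuPG's classic defaults

class Keyring:
    def __init__(self):
        self.ownertrust = {}      # key id -> ownertrust set by the keyring owner
        self.certifications = {}  # key id -> set of key ids that signed it

    def add_key(self, keyid, ownertrust=UNKNOWN):
        self.ownertrust[keyid] = ownertrust
        self.certifications.setdefault(keyid, set())

    def sign_key(self, signer, target):  # record a key signature (certification)
        self.certifications[target].add(signer)

    def valid_keys(self):
        # Ultimately trusted keys are valid by definition; any other key needs
        # certifications from keys that are themselves valid AND trusted to certify.
        valid = {k for k, ot in self.ownertrust.items() if ot == ULTIMATE}
        changed = True
        while changed:
            changed = False
            for key, signers in self.certifications.items():
                if key in valid:
                    continue
                trusted = [s for s in signers if s in valid]
                fulls = sum(self.ownertrust[s] in (FULL, ULTIMATE) for s in trusted)
                margs = sum(self.ownertrust[s] == MARGINAL for s in trusted)
                if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                    valid.add(key)
                    changed = True
        return valid

    def verify(self, signer):  # one-line verdict in the style of Enigmail's message
        return "Good signature" if signer in self.valid_keys() else "UNTRUSTED Good signature"

def verdicts():
    # Both keyrings hold my ultimately trusted key and an unverified key "alice"
    # (constructed). The instructor's fix raises ownertrust on alice; the thread's
    # fix certifies alice with my own key after checking her fingerprint.
    wrong, right = Keyring(), Keyring()
    for kr in (wrong, right):
        kr.add_key("me", ULTIMATE)
        kr.add_key("alice")
    wrong.ownertrust["alice"] = FULL  # says nothing about who holds the key
    right.sign_key("me", "alice")
    return {"ownertrust": wrong.verify("alice"), "keysigning": right.verify("alice")}
```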
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users