phrase "UNTRUSTED good signature" is dangerously misleading

Ximin Luo infinity0 at gmx.com
Sat Jul 13 11:39:13 CEST 2013


Hello guys,

I was an instructor at the Cryptoparty at London Hackspace a few days ago.
Another instructor was doing email encryption using Enigmail + GPG.

When we got to the part where we receive an email signed by a key which has not
yet been verified by a trusted key, GPG outputs the familiar phrase "UNTRUSTED
Good signature". Now previously, I didn't think too much of this, since I
understand the model of PGP. However, the other instructor in the session told
people that in order to make the "UNTRUSTED" go away, you simply set the
ownertrust to "full" via the Enigmail interface.

This is, of course, the ENTIRELY wrong thing to do. What people should do, and
I corrected this later, is (either face-to-face or over a previously verified
channel) verify each other's fingerprints, and sign each other's keys.

But without a technical understanding of PGP, his suggestion was very reasonable:

- the interface has a warning about "UNTRUSTED"
- the interface provides a way to set "trust" (actually ownertrust but it
doesn't mention the term I guess to "not confuse" the user)
- doing this makes the previous warning go away

This stems from the concept of "trust" in PGP (= belief that someone else signs
certificates honestly and correctly), which is much more specific than the
broad concept in English. So one must be careful when using the word "trust" in
the UI, not to mix up the two use cases.

Whilst technically correct, "UNTRUSTED" is not the main point when you are
verifying signatures. The main point is to ensure the key is verified to
actually belong to the correct person. So I would suggest rephrasing the
warning to something like

- "UNVERIFIED Good signature", or
- "Good signature from an UNVERIFIED KEY"

X

-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130713/977a0a96/attachment.sig>


More information about the Gnupg-devel mailing list