phrase "UNTRUSTED good signature" is dangerously misleading

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Jul 13 18:36:03 CEST 2013


On 07/13/2013 05:39 AM, Ximin Luo wrote:
> When we got to the part where we receive an email signed by a key which has not
> yet been verified by a trusted key, GPG outputs the familiar phrase "UNTRUSTED
> Good signature". Now previously, I didn't think too much of this, since I
> understand the model of PGP. However, the other instructor in the session told
> people that in order to make the "UNTRUSTED" go away, you simply set the
> ownertrust to "full" via the Enigmail interface.
> 
> This is, of course, the ENTIRELY wrong thing to do. What people should do, and
> I corrected this later, is (either face-to-face or over a previously verified
> channel) verify each other's fingerprints, and sign each other's keys.

i've seen this exact same mistake made by at least two other people who
were well-intentioned and somewhat knowledgeable.  when i pointed out
the problem with that approach privately (that it was equivalent to
adding a new root CA to your browser's X.509 trust chain), one of them
was so frustrated by the confusion, and dismayed that they may have led
people astray in the past, that they wanted to stop using GnuPG (and
therefore OpenPGP) altogether, calling it "too dangerous".

While this last might seem a bit like an overreaction, i think the
dismay is understandable, coming from someone who is actively trying to
help people improve their secure communications.

> But without a technical understanding of PGP, his suggestion was very reasonable:
> 
> - the interface has a warning about "UNTRUSTED"
> - the interface provides a way to set "trust" (actually ownertrust but it
> doesn't mention the term I guess to "not confuse" the user)
> - doing this makes the previous warning go away
> 
> This stems from the concept of "trust" in PGP (= belief that someone else signs
> certificates honestly and correctly), which is much more specific than the
> broad concept in English. So one must be careful when using the word "trust" in
> the UI, not to mix up the two use cases.
> 
> Whilst technically correct, "UNTRUSTED" is not the main point when you are
> verifying signatures. The main point is to ensure the key is verified to
> actually belong to the correct person. So I would suggest rephrasing the
> warning to something like
> 
> - "UNVERIFIED Good signature", or
> - "Good signature from an UNVERIFIED KEY"

I think a change like this is a good idea.  If the tool itself can't
clearly separate the concept of "ownertrust" from "verified" or "valid"
keys, then most users will have little chance of sorting out the
distinction themselves.

I believe the enigmail authors are already open to patch submissions to
clarify the distinction between ownertrust and validity, fwiw.

	--dkg
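The distinction the two messages above turn on (ownertrust versus validity) is easier to see in code than in a dialog box. The block below is an added example, not code from this thread and not GnuPG's or Enigmail's trustdb implementation: a small Python model of the classic web-of-trust validity computation. It assumes the usual classic thresholds (one fully trusted certifier or three marginal ones, certification depth limited to five) and uses the constructed names ALICE, BOB and CAROL in place of fingerprints. It goes a little beyond the case in the thread by also showing what happens to a third key that Bob has certified, which is where ownertrust actually matters.

```python
from dataclasses import dataclass, field

# Ownertrust levels as named in GnuPG's --edit-key "trust" menu.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

# Thresholds assumed here to match the classic defaults (--completes-needed 1,
# --marginals-needed 3, --max-cert-depth 5); they are parameters of this model.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


@dataclass
class Keyring:
    """One user's keyring: who certified whom, plus that user's ownertrust settings."""
    certifiers: dict = field(default_factory=dict)   # fpr -> set of fprs that signed it
    ownertrust: dict = field(default_factory=dict)   # fpr -> ownertrust assigned by the owner

    def add_key(self, fpr):
        self.certifiers.setdefault(fpr, set())
        self.ownertrust.setdefault(fpr, UNKNOWN)

    def certify(self, signer, signee):
        """Record a certification (key signature) by `signer` on `signee`'s key."""
        self.add_key(signer)
        self.add_key(signee)
        self.certifiers[signee].add(signer)

    def set_ownertrust(self, fpr, level):
        """Ownertrust: how far the keyring owner trusts `fpr` to certify OTHER keys."""
        self.add_key(fpr)
        self.ownertrust[fpr] = level

    def validity(self):
        """Validity of every key: how sure the owner is that it belongs to its named holder.

        Simplified classic web of trust: keys with ultimate ownertrust are valid by fiat;
        any other key becomes valid only through certifications by keys that are themselves
        fully valid AND carry ownertrust. Ownertrust on a non-valid key changes nothing.
        """
        valid = {f: (ULTIMATE if t == ULTIMATE else UNKNOWN) for f, t in self.ownertrust.items()}
        for _ in range(MAX_CERT_DEPTH):
            changed = False
            for fpr, signers in self.certifiers.items():
                if valid[fpr] in (ULTIMATE, FULL):
                    continue
                fulls = marginals = 0
                for signer in signers:
                    if valid[signer] not in (ULTIMATE, FULL):
                        continue            # an unverified key's signature carries no weight
                    ot = self.ownertrust[signer]
                    if ot in (FULL, ULTIMATE):
                        fulls += 1
                    elif ot == MARGINAL:
                        marginals += 1
                if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                    new = FULL
                elif marginals > 0:
                    new = MARGINAL
                else:
                    new = valid[fpr]
                if new != valid[fpr]:
                    valid[fpr], changed = new, True
            if not changed:
                break
        return valid


def signature_verdict(key_validity):
    """What to report for a good signature, using the wording proposed in the thread."""
    if key_validity in (FULL, ULTIMATE):
        return "Good signature"
    return "Good signature from an UNVERIFIED KEY"


def scenario(action):
    """Alice's keyring after mail arrives signed by Bob's not-yet-verified key.

    Constructed example: ALICE, BOB and CAROL stand in for fingerprints. Bob has
    certified Carol's key. `action` is what Alice does about the warning.
    """
    kr = Keyring()
    kr.set_ownertrust("ALICE", ULTIMATE)    # Alice's own key
    kr.add_key("BOB")
    kr.certify("BOB", "CAROL")
    if action == "ownertrust-full":         # the shortcut the thread warns against
        kr.set_ownertrust("BOB", FULL)
    elif action == "ownertrust-ultimate":   # the same shortcut, taken to "a new root CA"
        kr.set_ownertrust("BOB", ULTIMATE)
    elif action == "verify-and-sign":       # compare fingerprints out of band, then certify
        kr.certify("ALICE", "BOB")
    elif action == "verify-sign-and-trust": # ... and additionally trust Bob as a certifier
        kr.certify("ALICE", "BOB")
        kr.set_ownertrust("BOB", FULL)
    return kr.validity()


if __name__ == "__main__":
    for action in ("none", "ownertrust-full", "ownertrust-ultimate",
                   "verify-and-sign", "verify-sign-and-trust"):
        v = scenario(action)
        print(f"{action:24s} BOB={v['BOB']:9s} CAROL={v['CAROL']:9s} -> {signature_verdict(v['BOB'])}")
```

Two things the model makes visible. First, ownertrust on Bob's key does nothing for Bob's own validity unless it is set to "ultimate", at which point Bob is valid with no verification at all and every key Bob has ever signed (Carol) becomes valid too; that is the "new root CA" dkg describes, and it is the only setting in this model that makes the warning go away by itself. Second, the correct procedure (compare fingerprints, then certify) makes Bob's key valid while leaving his ownertrust untouched, so Carol stays unverified until Alice separately decides how much she trusts Bob as a certifier. The two settings answer different questions, which is exactly why a UI that labels only one of them "trust" misleads.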

