phrase "UNTRUSTED good signature" is dangerously misleading

Nicholas Cole nicholas.cole at gmail.com
Sun Jul 14 20:36:11 CEST 2013


On Sun, Jul 14, 2013 at 5:34 PM, Hauke Laging <mailinglisten at hauke-laging.de> wrote:

> On Sun 14.07.2013, 17:05:09, Werner Koch wrote:
>
> > Thus we had better not change something which has done its
> > job okay for many years.
>
> Measured by what? After all the claim of this thread is that it does its
> job badly.
>
>
> > In any case, the non-experienced user is expected to use a different
> > user interface than gpg on the command line.  Thus all improvements
> > should go into the GUI, which has more ways to explain what is going
> > on.
>
> I would accept that as a good solution (would suggest some additions to the
> documentation, though) but that is obviously conflicting with the Enigmail
> team's position. But with this clear statement the IMHO only reasonable
> decision by the Enigmail team is to change their policy.


I am not sure whether or not the GnuPG messages need to change.  GnuPG
itself is often used by people with a good technical knowledge.

But I *do* think that front-ends could consider a change in their wording.

From a user's perspective, things are much clearer (I suspect) if the word
'signature' is reserved for emails, documents etc.

In English, at least, it is surely clearer if we talk about 'certifying'
keys, rather than 'signing' them.  This would let us talk about
'uncertified' keys, which I suspect is clearer.  So the message to the user
could be: "Good Signature but from an uncertified key" or somesuch.

I know that, from a technical perspective, a certification is a signature,
but from a user's perspective signed data is very different from certifying
a key, and the re-use of the same term does cause confusion.

Rather than 'owner trust', or even 'introducer trust', we should talk about
whether to trust the certifications provided by a particular key.  E.g.:
"Trust in Certifications made by this Key: MARGINAL".

But as Werner rightly points out, there is the issue of how to translate
this into other languages.

Best wishes,

N.


More information about the Gnupg-devel mailing list