PGP: Invalid key ?

Lars Geiger
Sat Aug 18 23:17:01 2001

Hi Alexander,
On Sat, 18 Aug 2001, at 22:12:02 +0200, you wrote:

> Jup, that's right - but what's an invalid key? Maybe a broken key?
> Maybe a key PGP doesn't understand fully? Maybe a bug in PGP? Maybe a
> not validated key (whatever PGP means with this)?
The word "valid" is used in a special context in PGP. Complaining about an "invalid" key is perfectly clear *if you know what "valid" means for PGP*. If you don't, that makes it harder to understand. But that's the same for other software that uses specific designations for certain things...
> It would have been clear if PGP had said something like: "Can't change
> trust on keys *which are not signed by trusted keys*". Because after
> all, the reason PGP refuses to change the trust of the key is because
> it's not signed.
No, it wouldn't have been clearer. Signing keys with your keys is one way to validate a key. Another is having a key that was signed by someone you trust. Or by several people you trust marginally.
> No, I'll still say that the error message is confusingly inaccurate.
OK, if you feel so. I got used to PGP's definition of an invalid key, so I can accept this as a good description of the error.
>> to validate a key

> "validate a key"? Uhm? That can be anything! I validated the key
> because I created it on the same computer and I transferred it to PGP
> just a split second later. So the key is validated. And still PGP
> refuses to change the trust because it cannot know this.
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You gave the answer yourself. How should PGP know where this key comes from? Couldn't a stranger have compromised your computer? Put a fake key into your keyring? To prevent this, a new key isn't valid until you (or someone you trust) confirms that this key belongs in fact to the person it claims to.
>> I like the way PGP handles it.

> I don't. It's completely my problem which way I handle this - ie. first
> signing and afterwards changing the trust or the other way around.
It's a matter of taste. PGP makes it a bit harder to be careless about unknown keys. That's what I like about it. You don't... OK.
> But ranting about bad error messages of PGP on a GPG is "slightly"
> off-topic...
Right, so let's end it on the list. Any further comments off-list, please.

--
Regards, Lars
____________________________________________________________
| Lars Geiger | <> |
| PGP Key: <> |
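
The validity rule described in this message, as a simplified model added here for illustration; it is not code from PGP or GnuPG. The `Keyring` class, the key names, and the threshold of two marginally trusted signers standing in for "several" are assumptions.

```python
# Simplified web-of-trust model; all key names below are constructed.
FULL, MARGINAL, NONE = "full", "marginal", "none"

class Keyring:
    def __init__(self, own_key, marginals_needed=2):
        self.own_key = own_key
        self.marginals_needed = marginals_needed  # assumption for "several"
        self.signatures = {}           # key -> set of keys that certified it
        self.trust = {own_key: FULL}   # owner trust, separate from validity

    def sign(self, signer, key):
        self.signatures.setdefault(key, set()).add(signer)

    def is_valid(self, key, seen=frozenset()):
        """Valid = your own key, or certified by valid keys whose owners
        you trust: one fully, or enough of them marginally."""
        if key == self.own_key:
            return True
        seen = seen | {key}            # guards against signature cycles
        full = marginal = 0
        for signer in self.signatures.get(key, ()):
            if signer in seen or not self.is_valid(signer, seen):
                continue
            level = self.trust.get(signer, NONE)
            full += level == FULL
            marginal += level == MARGINAL
        return full >= 1 or marginal >= self.marginals_needed

    def set_trust(self, key, level):
        # The refusal discussed in the thread: no owner trust on an invalid key.
        if not self.is_valid(key):
            raise ValueError("invalid key: validate it before assigning trust")
        self.trust[key] = level

def demo():
    ring = Keyring("me")
    steps = [ring.is_valid("alice")]          # imported but unsigned
    try:
        ring.set_trust("alice", MARGINAL)
    except ValueError:
        steps.append("refused")
    for friend in ("alice", "bob"):
        ring.sign("me", friend)               # you certify both keys yourself
        ring.set_trust(friend, MARGINAL)      # now accepted
    ring.sign("alice", "carol")
    steps.append(ring.is_valid("carol"))      # one marginal signer: not enough
    ring.sign("bob", "carol")
    steps.append(ring.is_valid("carol"))      # two marginal signers: valid
    return steps

if __name__ == "__main__":
    print(demo())
```

A key planted in the keyring by someone else carries no certification from a trusted key, so it stays invalid and cannot be given owner trust until you sign it yourself.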