PGP: Invalid key ?
Sat Aug 18 23:17:01 2001
On Sat, 18 Aug 2001, at 22:12:02 +0200, you wrote:
> Jup, that's right - but what's an invalid key? Maybe a broken key?
> Maybe a key PGP doesn't understand fully? Maybe a bug in PGP? Maybe a
> not validated key (whatever PGP means with this)?
The word "valid" is used in a special context in PGP. Complaining about
an "invalid" key is perfectly clear *if you know what "valid" means for
PGP*. If you don't, that makes it harder to understand. But that's the
same for other software that uses specific designations for certain
> It would have been clear if PGP had said something like: "Can't change
> trust on keys *which are not signed by trusted keys*". Because after
> all, the reason PGP refuses to change the trust of the key is because
> it's not signed.
No, it wouldn't have been clearer. Signing keys with your keys is one
way to validate a key. Another is having a key that was signed by
someone you trust. Or by several people you trust marginally.
> No, I'll still say that the error message is confusingly inaccurate.
OK, if you feel so. I got used to PGP's definition of an invalid key, so
I can accept this as a good description of the error.
>> to validate a key
> "validate a key"? Uhm? That can be anything! I validated the key
> because I created it on the same computer and I transferred it to PGP
> just a split second later. So the key is validated. And still PGP
> refuses to change the trust because it cannot know this.
You gave the answer yourself. How should PGP know where this key comes
from? Couldn't a stranger have compromised your computer? Put a fake key
into your keyring? To prevent this, a new key isn't valid until you (or
someone you trust) confirms that this key belongs in fact to the person
it claims to.
>> I like the way PGP handles it.
> I don't. It's completely my problem which way I handle this - ie. first
> signing and afterwards changing the trust or the other way around.
It's a matter of taste. PGP makes it a bit harder to be careless about
unknown keys. That's what I like about it. You don't... OK.
> But ranting about bad error messages of PGP on a GPG is "slightly"
Right, so let's end it on the list. Any further comments off-list,
| Lars Geiger | <mailto:firstname.lastname@example.org> |
| PGP Key: <mailto:email@example.com?Subject=GetPublicKey> |
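
Added example, not part of the original message: a small model of the validity rule described in the thread, where a key is valid if you signed it, if a fully trusted valid key signed it, or if enough marginally trusted valid keys signed it, and where owner trust can only be set on a valid key. All key names, the sample keyring and the threshold defaults are constructed assumptions; real PGP/GnuPG keyrings carry more state than this.

```python
# Added illustration; key names, trust values and thresholds are constructed.
FULL, MARGINAL = "full", "marginal"

def compute_validity(own_key, signatures, owner_trust,
                     completes_needed=1, marginals_needed=2):
    """Return the set of valid key ids (fixed-point over the signature graph).

    signatures:  key id -> set of key ids that signed it
    owner_trust: key id -> FULL or MARGINAL (trust in the owner as introducer)
    """
    valid = {own_key}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Signatures only count when the signing key is itself valid.
            counted = [s for s in signers if s in valid]
            full = sum(owner_trust.get(s) == FULL for s in counted)
            marginal = sum(owner_trust.get(s) == MARGINAL for s in counted)
            if (own_key in counted or full >= completes_needed
                    or marginal >= marginals_needed):
                valid.add(key)
                changed = True
    return valid

def set_owner_trust(key, level, valid, owner_trust):
    """Refuse to assign trust to a key that is not valid, as in the thread."""
    if key not in valid:
        raise ValueError(f"cannot change trust: key {key!r} is not valid")
    owner_trust[key] = level

# Constructed keyring: "me" is the user's own key.
SIGNATURES = {
    "carol": {"dave", "erin"},   # two marginal introducers
    "alice": {"me"},             # signed by me
    "bob": {"alice"},            # signed by a fully trusted key
    "dave": {"me"}, "erin": {"me"},
    "frank": {"dave"},           # only one marginal introducer
    "newkey": set(),             # freshly imported, no signatures yet
}
OWNER_TRUST = {"alice": FULL, "dave": MARGINAL, "erin": MARGINAL}
VALID = compute_validity("me", SIGNATURES, OWNER_TRUST)

if __name__ == "__main__":
    print(sorted(VALID))
```
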