PGP: Invalid key ?

Lars Geiger Lars.Geiger@gmx.net
Sat Aug 18 23:17:01 2001 

Hi Alexander,
On Sat, 18 Aug 2001, at 22:12:02 +0200, you wrote:


> Jup, that's right - but what's an invalid key?  Maybe a broken key?

> Maybe a key PGP doesn't understand fully?  Maybe a bug in PGP? Maybe a

> not validated key (whatever PGP means with this)?


The word "valid" is used in a special context in PGP. Complaining about
an "invalid" key is perfectly clear *if you know what "valid" means for
PGP"*. If you don't, that makes it harder to understand. But that's the
same for other software that uses specific designations for certain
things...


> It would have been clear if PGP had said something like: "Can't change

> trust on keys *which are not signed by trusted keys*".  Because after

> all, the reason PGP refuses to change the trust of the key is because

> it's not signed.


No, it wouldn't have been clearer. Signing keys with your keys is one
way to validate a key. Another is having a key that was signed by
someone you trust. Or by several people you trust marginally.


> No, I'll still say that the error message is confusingly inaccurate.


OK, if you feel so. I got used to PGP's definiton of an invalid key, so
I can accept this as a good description of the error.


>> to validate a key



> "validate a key"?  Uhm?  That can be anything!  I validated the key

> because I created it on the same computer and I transfered it to PGP

> just a split second later.  So the key is validated.  And still PGP

> refuses to change the trust because it cannot know this.

                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You gave the answer yourself. How should PGP know where this key comes
from? Couldn't a stranger have compromised your computer? Put a fake key
into your keyring? To prevent this, a new key isn't valid until you (or
someone you trust) confirms that this key belongs in fact to the person
it claims to.


>> I like the way PGP handles it.



> I don't. It's completely my problem which way I handle this - ie. first

> signing and afterwards chaning the trust or the other way around.


It's a matter of taste. PGP makes it a bit harder to be careless about
unknown keys. That's what I like about it. You don't... OK.


> But ranting about bad error messages of PGP on a GPG is "slightly"

> off-topic...


Right, so let's end it on the list. Any further comments off-list,
please.

-- 
Regards,
Lars

 ____________________________________________________________

|        Lars Geiger  |  <mailto:lars.geiger@gmx.net>        |

| PGP Key: <mailto:lars.geiger@gmx.net?Subject=GetPublicKey> |