A bug in version 1.2.1?
David Shaw
dshaw@jabberwocky.com
Wed Dec 11 18:13:02 2002
On Wed, Dec 11, 2002 at 11:59:44AM -0500, Alexandros Papadopoulos wrote:
> On Wednesday 11 December 2002 09:12, Werner Koch wrote:
> > On Wed, 11 Dec 2002 08:08:12 -0500, David Shaw said:
> > >> There may be warnings ("You have no trustpath to this key that
> > >> indicates its validity. Use anyway? [[cancel]] [OK]") or a pref to
> > >> switch this off.
> > >
> > > This is much better of course.
> >
> > Given the habit of many users to hit OK without thinking, the current
> > way is safer; it forces the user to think about what he is going to
> > do (while doing an lsign).
> >
>
> I agree. Allowing encryption to a key without any user verification
> whatsoever (fingerprint, at the very least?), is bad and causes
> brain-dead use of gpg. In no time this reaches the point of users
> relying on their MUA to verify their keys for them, and bitching when
> they realize it won't.
That's fine so long as it doesn't make users sign keys willy-nilly to
"make them work". That's what lsign is for, but I have little hope
that many users even know what lsign is.
David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson