signature state wording: good, valid, trusted

Hauke Laging mailinglisten at hauke-laging.de
Thu Dec 20 23:04:47 CET 2012


Hello,

I just tried to check what the "correct" (i.e. established) wording for the 
difference between successful signature validation and the (trust related) 
validity of the signing key is.

My guess was "correct signature" vs. "valid signature".

I had a look at the /usr/share/doc/packages/gpg2/DETAILS file. And now I am 
confused. It says that both GOODSIG and VALIDSIG refer to the success of the 
purely technical signature validation with the public key. So "valid" in the 
context of signatures seems to mean something different from "valid" in the 
context of keys. Which is not good in general, but anyway.

Then I read in that file:
#################################
TRUST_UNDEFINED <error token>
TRUST_NEVER     <error token>
TRUST_MARGINAL  [0  [<validation_model>]]
TRUST_FULLY     [0  [<validation_model>]]
TRUST_ULTIMATE  [0  [<validation_model>]]
    For good signatures one of these status lines are emitted to
    indicate the validity of the key used to create the signature.
#################################

which is consistent with what I wrote above. But at the end of that block it says:

#################################
Note that we use the term "TRUST_" in the status names for
historic reasons; we now speak of validity.
#################################

OMG. Now the term "valid" / "validity" refers to both verification success and 
the trust state of the signing key? I guess that is really bad in terms of 
understanding. And the whole OpenPGP subject is already hard enough to 
understand for new users. I am writing information documents for new users, 
thus I am very interested in getting this right.


The best explanation for all I know now (and have stated above) is that the 
term VALIDSIG simply was quite a bad choice (but impossible to change) and 
that "valid" – despite the exception VALIDSIG – is used for the trust state 
both with keys and with signatures. So we have (besides bad and expired 
signatures, of course) "good" signatures which can be "valid" signatures. Can 
you confirm this?


BTW: It is probably not a GnuPG specific term but I consider "ownertrust" to 
be a bad choice, too, because it simply isn't that. The value is key dependent 
and may vary between keys with the same owner (due to the key's security level 
or the respective key's certification policy).


Hauke
-- 
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
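A small parser, added here as an example (it is not from the post and not GnuPG's own code), that applies the wording proposed above to constructed `--status-fd` output: GOODSIG/VALIDSIG answer whether the signature is good (technical check passed), the TRUST_* line answers whether the signing key is valid. The fingerprint, user id and status lines are constructed placeholders in the format DETAILS documents.

```python
# Constructed sample output in the shape of `gpg --status-fd 1 --verify`,
# following the status-line format DETAILS documents; the fingerprint and
# user id are placeholders, not real keys.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_AND_VALID = f"""\
[GNUPG:] GOODSIG {FPR[-16:]} Example User <example at example.invalid>
[GNUPG:] VALIDSIG {FPR} 2012-12-20 1356040000 0 4 0 1 10 00 {FPR}
[GNUPG:] TRUST_FULLY 0 pgp
"""
GOOD_NOT_VALID = GOOD_AND_VALID.replace("TRUST_FULLY", "TRUST_UNDEFINED")
BAD = f"[GNUPG:] BADSIG {FPR[-16:]} Example User <example at example.invalid>\n"

# Tokens DETAILS describes as "good, but ..." (expired signature/key, revoked key)
GOOD_WITH_CAVEAT = ("EXPSIG", "EXPKEYSIG", "REVKEYSIG")
NOT_GOOD = ("BADSIG", "ERRSIG")

def parse_status(text):
    """Separate the technical result (good?) from the key's validity (TRUST_*)."""
    r = {"good": False, "key_validity": None, "fingerprint": None, "caveats": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # not a status line (e.g. normal stderr text)
        tok, args = parts[1], parts[2:]
        if tok in ("GOODSIG", "VALIDSIG") or tok in GOOD_WITH_CAVEAT:
            r["good"] = True
            if tok == "VALIDSIG":
                r["fingerprint"] = args[0]
            elif tok != "GOODSIG":
                r["caveats"].append(tok)
        elif tok in NOT_GOOD:
            r["caveats"].append(tok)
        elif tok.startswith("TRUST_"):
            # Emitted only for good signatures; the "TRUST_" prefix is historic,
            # the value is the validity of the signing key.
            r["key_validity"] = tok[len("TRUST_"):].lower()
    return r

def classify(r):
    """Wording from the post: 'good' = crypto check passed, 'valid' = key is valid."""
    if not r["good"]:
        verdict = "not good"
    elif r["key_validity"] in ("fully", "ultimate"):
        verdict = "good and valid"
    elif r["key_validity"] == "marginal":
        verdict = "good, key only marginally valid"
    else:
        verdict = "good but not valid"
    return verdict + (f" ({', '.join(r['caveats'])})" if r["caveats"] else "")
```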