UI terminology for calculated validities

Nicolai Josuttis nico at josuttis.de
Tue Apr 22 13:36:23 CEST 2014

On 22.04.2014 12:56, Hauke Laging wrote:
> On Tue 22.04.2014, 12:25:04, Nicolai Josuttis wrote:
>> So the next question is: Is "trust a key" a valid term?
> The better question is: "Is it a useful term?"
> I consider this confusion a huge problem. I guess hardly anyone
> outside this list get these two concepts right.
Maybe that's a clear sign that the technical terms don't fit well.
In the non-technical world you can't just define some terms
and expect that people take time to understand them.
For this reason, the terms have to be self describing.
If they are not, you need different terminology.

> There is even an OpenPGP GUI which mixes up these two (claims to
> show trust but shows validity...).
I am asking for "permission" or "acceptance" or at least feedback
regarding also to do that. ;-)

BTW, which one is it?
(remember I want to establish common terminology for GUIs)

> Using "trust" for both cases is probably the best way to ensure
> that normal users will never understand this. I strongly advise
> against the use of the term "trust" in a validity context.
What is so confusing about trust for different things?
One thing is:
- Do I trust a person (that he/she signs carefully)?
Another thing is:
- Do I trust the computed validity of a key?
  Or in short: Do I trust a key?
And as the computed validity is derived from a trust model,
it is in effect the answer to the question of
whether I can trust a key.
And even PGP uses the term "trust the key".

Maybe the whole confusion is raised because we constantly
try to use all these technical details when they should
be hidden.
For anybody sending encrypted emails the whole point is
only one question:
- Can I trust this key I got so that it is safe to use it?

And I can easily explain that using the term "trust" for both:
To trust this key, you have to trust the owner that signed it
(or trust indirectly marginally trusted owners).

That's so simple to explain and I doubt that this is hard to
understand (although still hard to remember).
And the whole model behind is so hard to explain.
Explaining that a key is "valid" if it is "not only valid
(expired/revoked/disabled), but also trusted according to the web of
trust" is a nightmare.

Don't get me wrong.
It is important to have this fine grained model behind the scenes.
But it is also important to wrap it by something really easy.

>> If you don't like the term "trust a key" what else intuitive 
>> terminology do you suggest?
> "consider a key as valid"
As I said, I need some self-intuitive wording for
what technically is "valid".


> Hauke

Nicolai M. Josuttis
