UI terminology for calculated validities

p.h.delgado at xoxy.net p.h.delgado at xoxy.net
Wed Apr 23 10:08:52 CEST 2014

On 04/22/2014 10:49 PM, Hauke Laging wrote:

> We do agree that crypto is by its nature difficult...

I agree, but I believe the statement should be more
specific, i.e.,: ...Web-of-Trust is by its nature difficult...

If I can propose a "we do agree" statement, it would be
the following:

*We do agree that the WoT is the principal obstacle to a
wider adoption of GnuPG.*

(What we might or might not agree on is whether GPG without
the WoT is still GPG: an indispensable communication
security tool, one of the best around)

If the complex structure of the beast is not reasonably
well understood by the user, it is of little value to
the novice. There is nothing that the user interface
skin can cover it with, that can, IMHO, change that fact.
Struggling with the physiology consisting of large number
of arcane rules, with no understanding of the full anatomy
of the underlying system is a path to endless frustration
and a source of frequent critical usage errors.

There are two kinds of circumstances where new users are
motivated to use the tool: communication with parties
that the user has had prior familiarity with, and those
where the first and only contact is via GPG generated

New users that belong to the first kind above should be
given an option of completely ditching the whole WoT
superstructure in favour of the independent procurement
of the key fingerprint, and should be explained how to go
about the key verification using the trusted fingerprint,
and provided with the UI devices that make this as simple
as possible. No WoT functionality whatsoever should be
exposed to the user.

I strongly believe that a wast majority of present and
prospective GPG users with the "real world" threat model
would be well served by this approach.


More information about the Gnupg-users mailing list