UI terminology for calculated validities

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Thu Apr 24 21:45:10 CEST 2014

Hash: SHA512
NotDashEscaped: You need GnuPG to verify this message


On Wednesday 23 April 2014 at 10:00:41 PM, in
<mid:535829F9.1010503 at gmail.com>, Gabriel Niebler wrote:

> The average layperson already has a concept of
> "validity" from such things as credit cards ("valid
> thru"), mass transit tickets ("not valid unless
> stamped") and passports ("valid from ... until ...",
> also made invalid when one gets a new one). These
> pre-existing notions, which are impossible to rub out,
> naturally translate to _expiration_ and _revocation_ of
> keys, NOT to the question who the key really belongs
> to.

A key on my keyring is "valid" if it is not expired or revoked and it
bears one signature from one of my keys, or several signatures from
other keys to which I have granted marginal authority to validate

"Valid" in this context means that my copy of GnuPG will accept it as
an encryption key. It is not necessarily related to the purported
identity of the person or persons who are thought to have access to
the corresponding private key. (I may, for example, locally sign a key
that works for exchanging with a particular email address. That does
not mean I have any clue who controls that key or that email address.)

> Technically inclined people have a second
> association with the word "valid", more akin to
> "well-formed" ("is this valid XML?"), which naturally
> translates to whether e.g. a given version and
> implementation of OpenPGP can understand a given key
> etc. and, again, does NOT translate to the question of
> the key holder's true identity. Hence the confusion.

What is somebody's "true" identity? Many (or even most) people have
more than one identity, some long-lasting and others ephemeral. A
professional versus a personal identity. Multiple social identities
depending on context. A professional identity in each of several
occupations, either simultaneously or changing over time. The name on
their birth certificate versus the name by which they are actually
known. Etc.

> What makes it worse is that in the above examples, i.e.
> the cases people are familiar with, validity can
> usually be determined from the document itself (here
> that would be the key), or at worst the system that
> works with the document (here that would be GnuPG), but
> neither is the case with key ownership.

GnuPG *can* inspect the signatures present on a key to determine
validity. Validity does not equate to ownership or identity.

> Simply put, the word "validity" already means something
> to most people, but it was taken and redefined to mean
> something else in the context of asymmetric encryption
> keys

No it was not. The key is "valid" by virtue of the signatures it
carries. It is a simple mechanism.

> - it's a bit like making a calculator and using
> the '+' sign for multiplication: it will do the correct
> thing and it's all in the manual, but it's still
> horribly confusing.

Validity is just counting the relevant signatures. It only becomes
confusing when you consider the meaning of those signatures.

> Therefore, I propose that the word "validity" is not
> chosen well for what it now means in GnuPG, because it
> carries with it connotations that are quite different
> from the intended meaning, which is confusing. And thus
> a better, clearer word should be found and used in
> future. Which word is obviously a matter for debate.

I disagree. Validity in GnuPG is a perfectly clear descriptive name
for a simple, mechanistic concept.

> Ad (a): A user wants to know whether the key they
> obtained is really _owned_ by the person whose
> UserID(s) came with it.

Once the user establishes the question of ownership/identity/control,
they *could* then choose to validate the key by signing it. But the
choice is theirs alone: simply knowing does not make their copy of
GnuPG accept the key as "valid."

> My government issued passport is authentic and I own
> it,

Mine says it remains the property of the government and may be
withdrawn at any time. So whoever uses the passport when they travel,
it is never the owner.

Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net

If at first you don't succeed, destroy all evidence that you tried.


More information about the Gnupg-users mailing list