UI terminology for calculated validities

Gabriel Niebler gabriel.niebler at gmail.com
Fri Apr 25 01:10:15 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Am 25.04.2014 00:22, schrieb Doug Barton:
> Isn't what you're talking about "verification?"

To my mind, "verification" is the _process_ whereby the _properties_
like "validity" and "authenticity" are established*. I see a
difference there, but one could absolutely use the word "verified" and
"verification", of course.

> I think the concept of "validity" in PGP sort of implies that you
> have verified that the key is valid for that particular user/e-mail
> address, but wouldn't it be better to just say that explicitly?

Yes, it would. That's pretty much my whole point.

"Validity" is misleading, because it's commonly associated with dates
(valid from ... until ...) or a some sort of stamp that (in)validates
something. In terms of GnuPG keys, this would translate more readily
to expiration dates and revocation, so "validity" could be used for
that (if at all).
So if a UserID or key is listed as "validity unknown", new users
scratch their heads.

If instead GnuPG lists a UserID as "not verified" or with
"authenticity unknown", then even most new users should understand
more-or-less intuitively that they need to verify or authenticate the
key (and, hopefully, why).

And it also works in the WoT model, one just says something like
"GnuPG can compute authenticity/verification from a key's
signatures..." or "GnuPG can authenticate/verify a key based on its
signatures...".

> And apologies to anyone for whom English is not their first
> language if it seems like we're spending a lot of time trying to
> differentiate things that are very similar ...

I thought a bit about other languages and I believe the issue is
similar there. In German, validity translates to Gültigkeit,
authenticity to Echtheit or Authentizität, verification to Bestätigung
or Beglaubigung and the connotations are very much the same as in
English. I'm fairly confident that it will be similar in a great many
languages (probably almost all Indo-European ones, at least).

So if a slight change in language would make things clearer to English
speakers, the corresponding change translated should also help
speakers of other languages.

Best
 gabe


*: Say I received a key with my friend's UserID bound to it. I call
them to _verify_ that it's actually the same key they generated and
sent me by comparing fingerprints. With the _verification_ done (which
did not involve any fiddling with bits), I know validate/authenticate
the key by signing it (bit fiddling). Now the key is
"valid"/"authentic" to GnuPG.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJTWZnHAAoJEO7XEikU4kSzq0IIALWSMNjKBt66TZO1HUB0Dm/0
71aAX0Y57xDivPqga+Wn+FbBZ+EUVDbbIe26SWvRSuv6+hfzXh0dn3ooTZjm5XEu
F6MjXBR/JR3RDZh0TljbfpR3UAPkgm/mORaLlOvx36vs1TqcuWaJoitl1HQuP1SW
CjZYiN7othfcoGtsPgzXQsgc7tiCGt0f7wLC+4hnms+UyE6gsKy5Yr5IKryFa/qx
DGMFMutwdpHHPi2Rxb+TnFfgcdUSn0G/tVMkW3HO4oPa8EnsWG252dWPf/EoZQX/
AR+rOgP9sDeb4kvCUKe3yNAL6OU8DikiTEg/EEBuoYk1ZZ4/0x97nGyByiDpjAc=
=r/0G
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list