UI terminology for calculated validities

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Fri Apr 25 02:23:50 CEST 2014


On Thursday 24 April 2014 at 11:19:12 PM, in
<mid:53598DE0.2060301 at gmail.com>, Gabriel Niebler wrote:

> Peter Lebbing has thankfully pointed out that, out of
> my two suggestions, "authenticity" is the word that
> should be preferred. I agree with him on this, so I
> shall use that word here.

I don't personally like "authenticity" or "authentic" here but no
sensible alternative suggestion comes to mind. "Authenticated" would
better fit my understanding.

>> GnuPG *can* inspect the signatures present on a key to
>> determine validity.

> Yes, but only if the user has already begun to build
> their WoT.

The presence of my local signature on a key allows GnuPG to determine
validity, but could not be said to indicate I have started to build a

> So as it is now, a new user finds they must (basically
> always) establish a key's "validity" themselves, when
> the expectation is that GnuPG should know whether a
> given key is "valid".

OK. The key is "valid" because it is not expired or revoked. If it
bears no WoT signatures (and no exportable signatures from any of my
keys), it seems wrong to say it is "authenticated." If it is only
accepted by GnuPG due to my local signature, maybe a better word is

> In normal life, it is "authenticity", not "validity"
> that is established by signatures.

In my experience it is commonplace for signatures to indicate either,
depending on context. You sign a statement to the Police to indicate
its authenticity. You sign a bank card to confer validity. (At least
where I come from, above the signature strip on most bank cards it
still says "not valid unless signed.")

Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net

Of course it's a good idea - it's mine!


More information about the Gnupg-users mailing list