UI terminology for calculated validities

Bob (Robert) Cavanaugh robertc at broadcom.com
Fri Apr 25 03:11:13 CEST 2014

My vote is to adopt Gabe's convention. I think it makes a great deal of sense.

Bob Cavanaugh

-----Original Message-----
From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Gabriel Niebler
Sent: Thursday, April 24, 2014 4:10 PM
To: Doug Barton; Peter Lebbing; gnupg-users at gnupg.org
Subject: Re: UI terminology for calculated validities

* PGP Signed by an unknown key

Am 25.04.2014 00:22, schrieb Doug Barton:
> Isn't what you're talking about "verification?"

To my mind, "verification" is the _process_ whereby the _properties_
like "validity" and "authenticity" are established*. I see a
difference there, but one could absolutely use the word "verified" and
"verification", of course.

> I think the concept of "validity" in PGP sort of implies that you
> have verified that the key is valid for that particular user/e-mail
> address, but wouldn't it be better to just say that explicitly?

Yes, it would. That's pretty much my whole point.

"Validity" is misleading, because it's commonly associated with dates
(valid from ... until ...) or a some sort of stamp that (in)validates
something. In terms of GnuPG keys, this would translate more readily
to expiration dates and revocation, so "validity" could be used for
that (if at all).
So if a UserID or key is listed as "validity unknown", new users
scratch their heads.

If instead GnuPG lists a UserID as "not verified" or with
"authenticity unknown", then even most new users should understand
more-or-less intuitively that they need to verify or authenticate the
key (and, hopefully, why).

And it also works in the WoT model, one just says something like
"GnuPG can compute authenticity/verification from a key's
signatures..." or "GnuPG can authenticate/verify a key based on its

> And apologies to anyone for whom English is not their first
> language if it seems like we're spending a lot of time trying to
> differentiate things that are very similar ...

I thought a bit about other languages and I believe the issue is
similar there. In German, validity translates to Gültigkeit,
authenticity to Echtheit or Authentizität, verification to Bestätigung
or Beglaubigung and the connotations are very much the same as in
English. I'm fairly confident that it will be similar in a great many
languages (probably almost all Indo-European ones, at least).

So if a slight change in language would make things clearer to English
speakers, the corresponding change translated should also help
speakers of other languages.


*: Say I received a key with my friend's UserID bound to it. I call
them to _verify_ that it's actually the same key they generated and
sent me by comparing fingerprints. With the _verification_ done (which
did not involve any fiddling with bits), I know validate/authenticate
the key by signing it (bit fiddling). Now the key is
"valid"/"authentic" to GnuPG.

* Unknown Key
* 0x14E244B3(L)

Gnupg-users mailing list
Gnupg-users at gnupg.org

More information about the Gnupg-users mailing list