UI terminology for calculated validities

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Apr 25 18:58:03 CEST 2014 

On 04/24/2014 10:49 PM, Hauke Laging wrote:

> a) Many keys are certified without being verified. This is IMHO not so 
> much a problem if this is transparent. Think of --ask-cert-level. BTW: I 
> really don't like the --min-cert-level default to be 2 because this 
> forces the users to either ignore this level (setting 0) or to "lie" 
> which also reduces the "authenticity".

yes, users *should* ignore --ask-cert-level:

https://www.debian-administration.org/users/dkg/weblog/98

> b) There are user IDs with which it becomes strange to speak of 
> "authenticity". E.g. if it is only an email address 
> (sevgseuiuzh at example.org).

why is this strange?  a certificate that binds a key to an e-mail
address is authentic iff the owner of that e-mail account controls that key.

> Thus I would like to offer "accepted" as a possible alternative. I guess 
> that shows the user decision. Maybe even as a combination: "authenticity 
> accepted".

Accepted implies that there is someone doing the accepting.
"Acceptable" might be better, but it still leaves me asking "acceptable
to whom?" and "acceptable for what?"  -- if it's in a context where it's
obvious that the answer is "acceptable for me to encrypt messages to it,
or to verify message signatures from it" then that might not be too bad.

> Another point:
> Is it a good idea to use the same terms for both the key itself and user 
> IDs? The terminology should make sense to non-technical people 
> especially from the perspective that a "valid" key (certificate) can 
> contain "invalid" user IDs.

i agree that this is confusing.  It also confuses people that we
continue to call certificates "keys", and then sometimes we actually
want to talk about the keys themselves, and also call those "keys"

> As different keys (especially fake ones) can contain exactly the same 
> user ID it seems strange to me to apply the term "authenticity" to a 
> user ID. The key is authentic for this user ID (in contrast to other 
> keys which may have the same).

the term would need to apply to the <key,userid> combination, not to the
userid in isolation.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140425/37a39352/attachment.sig>

More information about the Gnupg-users mailing list