UI terminology for calculated validities

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Apr 25 21:07:23 CEST 2014


On 04/24/2014 06:19 PM, Gabriel Niebler wrote:
> """
> A key on my keyring is "valid" if it is not expired or revoked.
> It is "authentic" if it bears one signature from one of my keys, or
> several signatures from other keys to which I have granted marginal
> authority to authenticate keys.
> """

I can see that "authenticity" is in some ways more appealing as a term
than "validity".  But i agree with Peter that trying to redefine
"validity" to then mean something else is likely to be asking for
trouble, given the existing established terminology.  I also wonder what
term you would propose using as the opposite of "authentic".  "valid"
can be opposed cleanly with "invalid".  Would you say "inauthentic" or
"unauthenticated"?  I prefer the latter term, but in that case, perhaps
the positive version should be "authenticated" rather than "authentic".

Also, i think it is a problem to say a key is valid or authentic.  It is
not the key that is valid or authentic, it is the combination of the key
and a given user ID.

An OpenPGP certificate as a whole contains one master key and one or
more User IDs.  So the certificate itself may contain some
valid/authentic <key,userid> combinations, and some
invalid/unauthenticated <key,userid> combinations.

In some scenarios, you want to talk about the certificate as a whole,
and sometimes people want to make assertions about the validity or
authenticity of the certificate itself, even though it may be in this
mixed state.  For example, when a user applies ownertrust to a given
certification-capable master key, GnuPG still only relies on
certifications made by that key if the certificate containing the key
has at least one valid <key,userid> combination.  So in some sense,
GnuPG considers a certificate as a whole (and by implication, its
primary key) as though it it has a validity by taking the maximum of the
validity of all of the certificate's user IDs.

I'm not proposing that we expose this detail to the end user, though,
just laying out to the detail-oriented people on this list so that we
have a common understanding.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140425/ef6d2da4/attachment-0001.sig>


More information about the Gnupg-users mailing list