UI terminology for calculated validities

Hauke Laging mailinglisten at hauke-laging.de
Fri May 2 04:23:25 CEST 2014


On Fri 25.04.2014, 12:58:03, Daniel Kahn Gillmor wrote:

> yes, users *should* ignore --ask-cert-level:
> 
> https://www.debian-administration.org/users/dkg/weblog/98

I completely disagree with that article. And I consider your statement

«I don't think there is a satisfactory answer to the question "how will 
specifying the level of identity certification concretely benefit anyone 
involved?"»

REALLY strange. It is hard for me to believe that someone at your level 
of crypto understanding is serious about that.


You claim

«So there is no functional gain in declaring the difference between a 
"normal" certification and a "positive" one»

and – if I understand you correctly – the only argument for that is the 
current behaviour of GnuPG. The correct view is that the current GnuPG 
behaviour (i.e. not offering the possibility to ignore level-0 sigs) is 
a serious problem, really limiting the use of WoT calculation. Are you 
really going to tell me that a generic certification was more valuable 
than a persona certification though the first contains the second? I 
hope not. 90% of the current WoT is just the illusion of security.

I once wrote an email to somebody who had written a terribly wrong 
article about OpenPGP on his web site. He answered me, thanked me for 
the hints and wrote: "I have signed your key and attached it. Perhaps 
you want to sign mine, too."

That's what the majority of level-0 signatures means: "I have no idea 
what I am doing here."


> > Thus I would like to offer "accepted" as a possible alternative. I
> > guess that shows the user decision. Maybe even as a combination:
> > "authenticity accepted".
> 
> Accepted implies that there is someone doing the accepting.

That is exactly what happens. And thus I like the term.


> "Acceptable" might be better, but it still leaves me asking
> "acceptable to whom?" and "acceptable for what?"

The context is the respective keyring. Who "owns" it and for what 
purpose?

My opinion as a non-native speaker is less relevant in this case but I 
feel like you seem to indicate: That "acceptable" easily leads to the 
question "Why? By which standards?". "Accepted" seems to avoid that by 
"You have (not yet) accepted it. You must know why (not)". To me 
"accepted" seems more personal, "acceptable" more general. But that may 
just be a loose language feeling.


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5