UI terminology for calculated validities

Peter Lebbing peter at digitalbrains.com
Fri May 2 11:36:41 CEST 2014


On 02/05/14 03:45, Hauke Laging wrote:
> start cmd:> gpg --with-colons --list-keys 0x1a571df5
> pub:u:4096:1:BF4B8EEF1A571DF5:1351995465:1415197758::u:::escESCA:
> uid:u::::
> uid:u::::
> uid:u::::
> 
> /usr/share/doc/packages/gpg2/DETAILS:
> 
> 2. Field:  A letter describing the calculated validity.

So did you read the description? Let me quote from that very section:

>> If the validity information is given for a UID or UAT record, it describes
>> the validity calculated based on this user ID.  If given for a key record it
>> describes the best validity taken from the best rated user ID.

/It describes the best validity taken from the best rated user ID/.

It is simply a wrapup of the information that follows on the validity of the
UID's on the key.

And this is also what that "validity" is in:

> pub  4096R/0x1A571DF5  created: 2012-11-04  usage: SCE 
>                        trust: ultimate      validity: ultimate

Although that is a rather poor example because it has ultimate ownertrust, so
it's always ultimately valid. But the entry refers to field 2 of a pub record in
the --with-colons output, AFAICT.

> The key itself must have such a state for the simple reason that you can 
> select an encryption key via the UID but you (usually) cannot know "which
> UID" has made a signature. You just know the (sub)key.

So when verifying a signature, the UI should simply display all UID's, or
possibly all valid UID's. Guess what? At least the command line does:

--------------------------8<------------>8--------------------------
$ gpg2 -d test.gpg
Hello world
gpg: Signature made Fri 02 May 2014 11:07:53 CEST using RSA key ID 3E7F0306
gpg: Good signature from "Test more extra UID"
gpg:                 aka "Test extra UID"
gpg:                 aka "Testkey"
--------------------------8<------------>8--------------------------

It gets even more interesting with "verify-options show-uid-validity", which I
have turned on:

--------------------------8<------------>8--------------------------
$ gpg2 -d test.gpg
Hello world
gpg: Signature made Fri 02 May 2014 11:07:53 CEST using RSA key ID 3E7F0306
gpg: Good signature from "Test more extra UID" [unknown]
gpg:                 aka "Test extra UID" [full]
gpg:                 aka "Testkey" [unknown]
--------------------------8<------------>8--------------------------

I have only signed that one fully valid key.

All this stuff is simply related to how things are presented to users, they are
not an essential part of how it actually works. I'd say a feature request to
only display valid UID's on signatures might have merit, but I still don't see a
technical reason to equate validity with just a key.

In the case of signatures, you definitely need to know who signed it, not just
that it is a valid signature. And I can't tell that from just the key ID[1], I
need UID's. If some hacker I validated sends me a signed message "Here, copy
paste this to your command line", I might not listen even though it's a valid
signature. If the signature was from the trustworthy IT guy who is helping me
solve some issue with my PC, I'd just do it. That's why you need more
information than "this is a valid signature".

> The WoT is calculated over key validities not over UID validities.

This is just wrong. Validity is always calculated for couplings of keys and
UID's. However, when you certify a UID, that certification indeed comes from
your key, not your UID, so /ownertrust/ is assigned to a whole key rather than a
UID. This means that deeper in the certification chain, validity of a UID is
calculated based on the trust assigned to a key, not trust assigned to a UID.

So yes, ownertrust is indeed associated just with a key, not the UID's.

This is not the same as "validity is calculated over keys", which is much too broad.

HTH,

Peter.

[1] Which might not even be unique; and fingerprints are long!

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

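Added example, not part of Peter's mail and not GnuPG's own code: a small Python parser for the --with-colons record layout discussed above. It reads pub and uid records, checks the DETAILS statement that the pub record's field 2 is the best validity among the key's UIDs, and renders the UIDs with their validity the way "verify-options show-uid-validity" does. Field positions follow doc/DETAILS (field 1 record type, field 2 validity, field 5 key ID, field 10 user ID); the ranking of validity letters and the sample listing (key ID and UID hashes are placeholders) are this example's own constructions.

```python
"""Relate a pub record's calculated validity (field 2 of a --with-colons
listing) to the per-UID validities that follow it, and render the UIDs the
way 'verify-options show-uid-validity' does.

Added example, not GnuPG's own code. Field positions follow doc/DETAILS
(field 1 record type, field 2 validity, field 5 key ID, field 10 user ID).
The ranking of validity letters below is this example's own assumption.
"""
from dataclasses import dataclass, field

# Validity letters from DETAILS, ranked so the "best rated user ID" can be
# picked; the order is an assumption made for this example.
VALIDITY_RANK = {"u": 4, "f": 3, "m": 2, "q": 1, "-": 0, "o": 0,
                 "n": -1, "e": -2, "r": -3, "d": -4, "i": -5}
VALIDITY_NAME = {"u": "ultimate", "f": "full", "m": "marginal",
                 "q": "undefined", "-": "unknown", "o": "unknown",
                 "n": "never", "e": "expired", "r": "revoked",
                 "d": "disabled", "i": "invalid"}

# Constructed listing (not from a real keyring): one key with three UIDs,
# only one of which has been certified to full validity. The key ID and
# UID hashes are placeholders.
SAMPLE_LISTING = """\
tru::1:1398764400:0:3:1:5
pub:f:2048:1:0000000000000001:1398764400:::-:::scESC:
uid:-::::1398764400::0000000000000000000000000000000000000001::Test more extra UID:
uid:f::::1398764400::0000000000000000000000000000000000000002::Test extra UID:
uid:-::::1398764400::0000000000000000000000000000000000000003::Testkey:
"""


@dataclass
class Key:
    keyid: str
    pub_validity: str                          # field 2 of the pub record
    uids: list = field(default_factory=list)   # (validity, user ID) per uid record


def parse_colons(text):
    """Group pub and uid records into Key objects; other record types are skipped."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append(Key(keyid=fields[4], pub_validity=fields[1]))
        elif fields[0] == "uid" and keys:
            # Truncated uid lines (as in the quoted mail) simply have no user ID.
            user_id = fields[9] if len(fields) > 9 else ""
            keys[-1].uids.append((fields[1], user_id))
    return keys


def rank(letter):
    return VALIDITY_RANK.get(letter, -9)


def best_uid_validity(key):
    """Validity of the best rated UID, which is what the pub record summarises."""
    return max((v for v, _ in key.uids), key=rank)


def pub_matches_best_uid(key):
    """Check the DETAILS statement: pub validity equals the best UID validity."""
    return rank(key.pub_validity) == rank(best_uid_validity(key))


def valid_uids(key):
    """UIDs with full or ultimate validity, i.e. the ones a verifier could show alone."""
    return [uid for v, uid in key.uids if rank(v) >= VALIDITY_RANK["f"]]


def describe_signer(key):
    """Render every UID with its validity, as show-uid-validity does."""
    lines = []
    for i, (v, uid) in enumerate(key.uids):
        prefix = "Good signature from" if i == 0 else "                aka"
        lines.append(f'{prefix} "{uid}" [{VALIDITY_NAME.get(v, "unknown")}]')
    return lines


if __name__ == "__main__":
    for key in parse_colons(SAMPLE_LISTING):
        print(f"key {key.keyid}: pub validity {key.pub_validity}, "
              f"best UID validity {best_uid_validity(key)}, "
              f"consistent={pub_matches_best_uid(key)}")
        print("\n".join(describe_signer(key)))
        print("fully valid UIDs:", valid_uids(key))
```

Running the block on the constructed listing reports the pub record as "f" with a single fully valid UID, and the rendered output mirrors the second transcript in the mail: one UID marked [full], the others [unknown]. A UI that wants "only valid UIDs on signatures" would show `valid_uids(key)` instead of the whole list, which is the feature request Peter says might have merit.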