UI terminology for calculated validities

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Sat May 3 23:33:14 CEST 2014


Hi


On Saturday 3 May 2014 at 7:56:55 PM, in
<mid:20140503195655.5c2dfe81 at cerberus.dumain.com>, William Hay wrote:



> In most cases this would have the opposite answer to
> the second question.  It might make things simpler to
> combine them in practice:

> Is this an unaltered message/file from the purported
> sender?

Combining is good. Back to two simple questions.

But I disagree with the premise that the third question would usually
have had the opposite answer to the second: emails are frequently
slightly altered in transit, breaking the signature, but still came
from the purported sender.



> You're right.  If we're not issuing certs/letters of introduction then
> there is no need.  If we are then for compatibility with the existing
> WoT I don't think we can avoid asking.

I refer you to an article on Daniel Kahn Gillmor's blog.
<https://www.debian-administration.org/users/dkg/weblog/98>




> Presumably if implementing with the existing gnupg
> infrastructure this would be a non-exportable generic
> certification?

Yes. Exactly what you would get by default from applying a
non-exportable signature with GnuPG.



> Once you start doing things publicly one would need to
> pick a certification level in order to inter-operate
> with the existing WoT. It isn't clear to me that there
> is a good default.

The existing default of an 0x10 "Generic certification" is a good
default.

GnuPG only prompts you to pick a certification level if you enable the
"--ask-cert-level" option, which is disabled by default. As far as I
know, the level doesn't affect WoT calculations.



> My original phrasing was intended to fit in with the
> letter of introduction metaphor.  While in the long run
> I may have to kill my darlings for now I'll stick to
> trying to make my pet metaphor work. In that context I
> think leading off the whole thing with "To whom it may
> concern," might work better than a separate public
> declaration for each uid.

"To whom it may concern" is much more subtle than "I hereby publicly
state," but a letter of introduction that was not specifically
addressed could be considered a form of public declaration. I still
think there is merit in making the user choose which UIDs to include
in the letter of introduction: some of them may include email
addresses, roles, or personas outwith the user's knowledge of the key
owner.



--
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net

No matter what a man's past may have been, his future is spotless.
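The certification level and the exportable/non-exportable distinction discussed in this message are both recorded in the OpenPGP signature packet (RFC 4880): the level is the signature type octet (0x10 to 0x13), and a non-exportable certification carries an Exportable Certification subpacket set to 0. The Python below is an added example, not part of the original message and not GnuPG code; the function names and the two sample packet bodies are constructed for illustration.

```python
import struct

# Certification signature types, RFC 4880 section 5.2.1.
CERT_LEVELS = {
    0x10: "Generic certification",
    0x11: "Persona certification",
    0x12: "Casual certification",
    0x13: "Positive certification",
}
EXPORTABLE_CERTIFICATION = 4  # subpacket type, RFC 4880 section 5.2.3.11

def iter_subpackets(area):
    """Yield (type, data) for each subpacket in a hashed/unhashed area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket area")
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask the critical bit
        i += length

def describe_certification(body):
    """Return (level name, exportable) for a v4 signature packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("only version 4 signature packets are handled")
    sig_type = body[1]
    if sig_type not in CERT_LEVELS:
        raise ValueError("not a certification signature: 0x%02x" % sig_type)
    (hashed_len,) = struct.unpack(">H", body[4:6])
    hashed = body[6:6 + hashed_len]
    if len(hashed) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    exportable = True  # an absent subpacket means the certification is exportable
    for sp_type, data in iter_subpackets(hashed):
        if sp_type == EXPORTABLE_CERTIFICATION and data[:1] == b"\x00":
            exportable = False
    return CERT_LEVELS[sig_type], exportable

# Constructed sample bodies (signature MPIs omitted): version, type, RSA, SHA-512,
# hashed area, then an empty unhashed area and two hash-prefix octets.
CREATED = bytes([5, 2]) + struct.pack(">I", 1399152794)  # creation-time subpacket
LOCAL_SIG = bytes([4, 0x10, 1, 10, 0, 9]) + CREATED + bytes([2, 4, 0]) + bytes(4)
PUBLIC_SIG = bytes([4, 0x13, 1, 10, 0, 6]) + CREATED + bytes(4)
```

`describe_certification(LOCAL_SIG)` reports a non-exportable generic certification, the combination the message describes as the default result of a local signature.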
