UI terminology for calculated validities
2014-667rhzu3dc-lists-groups at riseup.net
Sat May 3 23:33:14 CEST 2014
-----BEGIN PGP SIGNED MESSAGE-----
On Saturday 3 May 2014 at 7:56:55 PM, in
<mid:20140503195655.5c2dfe81 at cerberus.dumain.com>, William Hay wrote:
> In most cases this would have the opposite answer to
> the second question. It might make things simpler to
> combine them in practice:
> Is this an unaltered message/file from the purported
Combining is good. Back to two simple questions.
But I disagree with the premise that the third question would usually
have had the opposite answer to the second: emails are frequently
slightly altered in transit, breaking the signature, but still came
from the purported sender.
> You're right. If we're not issuing certs/letters of introduction then
> there is no need. If we are then for compatibility with the existing
> WoT I don't think we can avoid asking.
I refer you to an article on Daniel Kahn Gillmor's blog.
> Presumably if implementing with the existing gnupg
> infrastructure this would be a non-exportable generic
Yes. Exactly what you would get by default from applying a
non-exportable signature with GnuPG.
> Once you start doing things publicly one would need to
> pick a certification level in order to inter-operate
> with the existing WoT. It isn't clear to me that there
> is a good default.
The existing default of an 0x10 "Generic certification" is a good
GnuPG only prompts you to pick a certification level if you enable the
"--ask-cert-level" option, which is disabled by default. As far as I
know, the level doesn't affect WoT calculations.
> My original phrasing was intended to fit in with the
> letter of introduction metaphor. While in the long run
> I may have to kill my darlings for now I'll stick to
> trying to make my pet metaphor work. In that context I
> think leading off the whole thing with "To whom it may
> concern," might work better than a separate public
> declaration for each uid.
"To whom it may concern" is much more subtle than "I hereby publicly
state," but a letter of introduction that was not specifically
addressed could be considered a form of public declaration. I still
think there is merit in making the user choose which UIDs to include
in the letter of introduction: some of them may include email
addresses, roles, or personas outwith the user's knowledge of the key
MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net
No matter what a man's past may have been, his future is spotless.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Gnupg-users