UI terminology for calculated validities

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Sat May 3 23:33:14 CEST 2014


On Saturday 3 May 2014 at 7:56:55 PM, in
<mid:20140503195655.5c2dfe81 at cerberus.dumain.com>, William Hay wrote:

> In most cases this would have the opposite answer to
> the second question.  It might make things simpler to
> combine them in practice:

> Is this an unaltered message/file from the purported
> sender?

Combining is good. Back to two simple questions.

But I disagree with the premise that the third question would usually
have had the opposite answer to the second: emails are frequently
slightly altered in transit, breaking the signature, but still came
from the purported sender.

> You're right.  If we're not issuing certs/letters of introduction then
> there is no need.  If we are then for compatibility with the existing
> WoT I don't think we can avoid asking.

I refer you to an article on Daniel Kahn Gillmor's blog.

> Presumably if implementing with the existing gnupg
> infrastructure this would be a non-exportable generic
> certification?

Yes. Exactly what you would get by default from applying a
non-exportable signature with GnuPG.

> Once you start doing things publicly one would need to
> pick a certification level in order to inter-operate
> with the existing WoT. It isn't clear to me that there
> is a good default.

The existing default of an 0x10 "Generic certification" is a good

GnuPG only prompts you to pick a certification level if you enable the
"--ask-cert-level" option, which is disabled by default. As far as I
know, the level doesn't affect WoT calculations.

> My original phrasing was intended to fit in with the
> letter of introduction metaphor.  While in the long run
> I may have to kill my darlings for now I'll stick to
> trying to make my pet metaphor work. In that context I
> think leading off the whole thing with "To whom it may
> concern," might work better than a separate public
> declaration for each uid.

"To whom it may concern" is much more subtle than "I hereby publicly
state," but a letter of introduction that was not specifically
addressed could be considered a form of public declaration. I still
think there is merit in making the user choose which UIDs to include
in the letter of introduction: some of them may include email
addresses, roles, or personas outwith the user's knowledge of the key

--
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net

No matter what a man's past may have been, his future is spotless.

