improving validity calculation: external program
Hauke Laging
mailinglisten at hauke-laging.de
Mon May 5 07:05:51 CEST 2014
Hello,
from time to time when changes to GnuPG's behaviour (about validity and
trust) are suggested, Werner responds kind of: "No, that should be done
on top of GnuPG." This attitude makes sense but in the current situation
I would ask: How? How shall that be done on top of GnuPG without causing
a huge mess of adaption need in the higher layer applications?
Thus I would like to suggest that – similar to gpg-agent's option
"pinentry-program" – an option is added which disables gpg's internal
handling of --check-trustdb / --update-trustdb and has the configured
external program be called for that. This would more or less be a
modified version of --import-ownertrust.
This way it would become easy to test and offer other validity
calculation strategies. Simple cases:
a) The WoT could be easily disabled for newbies by configuring a
validity calculator which ignores it.
b) Ignore level 0 certifications.
Less simple case:
a) The calculator could be configured to treat different keys as one
(because the owner is the same); we recently discussed this need.
I don't want to distract you from the general idea by offering
complicated suggestions which will never even come close to consensus...
;-)
A nice extension would be to define an output format (or database format
for gpg to read the data from) so that
a) this calculator can show for each certification if and how much it
contributes to the validity of another key (or: UID); IIRC this is
currently not possible
b) levels for security and authenticity could be added. Today we have
"valid" and "invalid". But the real world is not a dichotomy: Different
kinds of information have different requirements for both security and
authenticity (or the combination of both). We must map this spectrum to
key selection somehow (or at least create the possibility for others to
easily do so).
Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
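
An added illustration of the proposal above, not part of the original message and not GnuPG code: a toy external validity calculator that applies simple case b) (ignore level 0 certifications) and reports how each certification contributes, as in extension point a). Assumptions: the certifiers' keys are already valid (single hop, no expiry or revocation handling), "level 0" means signature class 0x10, the thresholds are gpg's classic defaults (1 full or 3 marginal), and the records, the ownertrust table and the function names are constructed for this example.

```python
# Added example: toy external validity calculator (not GnuPG code).
# Constructed sample shaped like `gpg --list-sigs --with-colons` output; only
# field 1 (record type), 5 (key ID) and 11 (signature class) are read.
SAMPLE = """\
pub:-:2048:1:AAAAAAAAAAAAAAAA:1399266351:::-:::scESC:
uid:-::::1399266351::::Alice (constructed) <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1399266351::::Alice (constructed) <alice@example.org>:13x:
sig:::1:1111111111111111:1399266351::::Bob <bob@example.org>:13x:
sig:::1:2222222222222222:1399266351::::Carol <carol@example.org>:10x:
sig:::1:3333333333333333:1399266351::::Dave <dave@example.org>:12x:
"""
# Hypothetical ownertrust the local user assigned to each certifier.
OWNERTRUST = {"1111111111111111": "marginal", "2222222222222222": "full",
              "3333333333333333": "marginal"}

def contribution(sig_class, trust, ignore_level0):
    """Explain how one certification counts toward validity."""
    if not 0x10 <= sig_class <= 0x13:
        return "skipped: not a certification"
    if ignore_level0 and sig_class == 0x10:
        return "skipped: level 0"
    if trust in ("full", "marginal"):
        return trust
    return "skipped: certifier not trusted"

def calculate(records, ownertrust, ignore_level0=False,
              completes_needed=1, marginals_needed=3):
    """Return {key_id: (validity, [(issuer_key_id, contribution), ...])}."""
    report, target = {}, None
    for line in records.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            target = f[4]
            report[target] = []
        elif f[0] == "sig" and target and f[4] != target:  # skip self-sigs
            sig_class = int(f[10][:2], 16)  # "13x" -> 0x13
            why = contribution(sig_class, ownertrust.get(f[4]), ignore_level0)
            report[target].append((f[4], why))
    result = {}
    for key, sigs in report.items():
        full = sum(1 for _, c in sigs if c == "full")
        marginal = sum(1 for _, c in sigs if c == "marginal")
        if full >= completes_needed or marginal >= marginals_needed:
            validity = "full"
        else:
            validity = "marginal" if full or marginal else "unknown"
        result[key] = (validity, sigs)
    return result

if __name__ == "__main__":
    for flag in (False, True):
        print("ignore_level0 =", flag, calculate(SAMPLE, OWNERTRUST, flag))
```

With the sample data, Carol's level 0 certification is the only one from a fully trusted certifier, so ignoring it drops the key from fully valid to marginally valid.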