Houston, we have a problem

Andrew Gallagher andrewg at andrewg.com
Tue Sep 26 14:15:58 CEST 2017


On 26/09/17 12:30, Kristian Fiskerstrand wrote:
> On 09/26/2017 01:07 PM, Andrew Gallagher wrote:
>> So SKS should just say "unverified signature from <fingerprint>". It
>> should not repeat the purported user ID, nor provide a search link that
>> returns completely unrelated keys that happen to have the same purported ID.
> 
> No, that is also wrong, as it implies that anything is trusted unless
> otherwise stated. A malicious actor can claim it is verified all he/she
> wants (simply removing the disclaimer).

Um, did you reply to the wrong paragraph? I did mention disclaimers
elsewhere, but only in passing (and tongue in cheek). My argument is
that we shouldn't be displaying unverified information at all.

> The user's default position
> NEEDS to be that nothing is verified until it is done locally or by an
> explicitly trusted third party.

Absolutely. None of this is an argument against users having to do
things right. But the way to get users to do things right is to train
them to do things right from the start - and you do that by railroading
them down the straight and narrow and not even giving them the option to
do it any other way. That way, if the opportunity to do it wrong arises
in the future their first instinct will be "this isn't how it's supposed
to happen". If you can't train people personally, you have to write your
software so that the software trains them.

WhatsApp gets the UX *very nearly* right. And since everyone and his dog
now uses it that's the new baseline. If it's easier to do it wrong than
in WhatsApp, it's broken. If it's harder to understand than WhatsApp,
it's broken. If you have to read more instructions than WhatsApp, it's
broken.

It's no good implementing something correctly if it can be applied
incorrectly. Murphy's Law applies.

> being able to browse the
> keyserver directly is too useful for debugging to completely remove

Indeed, but is it necessary to display the untrustworthy user-ID on
signatures? The fingerprint should be sufficient.

-- 
Andrew Gallagher
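An added example, not code from this thread, from SKS or from GnuPG, of the display rule argued for above: render each certification on a key as "unverified signature from <fingerprint>", never echoing the signer's purported user ID, and show why a user-ID search link is the wrong thing to offer. The listing is constructed in the layout of `gpg --with-colons` pub/fpr/uid/sig records; the field positions (field 5 long key ID, field 10 user ID, field 13 issuer fingerprint when present) are assumptions for this example, as are the two keys, which deliberately share one user ID.

```python
"""Keyserver-style rendering of OpenPGP certifications by issuer fingerprint only.

Added example (not SKS or GnuPG code). SAMPLE_LISTING is CONSTRUCTED in the
layout of `gpg --with-colons` pub/fpr/uid/sig records. By assumption: field 5 is
the long key ID, field 10 the user ID string (untrusted: whoever made the key
chose it) and field 13 the issuer fingerprint when it is known. Two keys carry
the same user ID: Alice's real key and a key that merely claims to be hers.
"""
import re

SAMPLE_LISTING = """\
pub:u:4096:1:6666777788889999:1500000000:::u:::scESC:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1500000000::HASH1::Alice Example <alice@example.org>:
sig:::1:6666777788889999:1500000000::::Alice Example <alice@example.org>:13x::0000111122223333444455556666777788889999:
sig:::1:1111222233334444:1500002000::::[User ID not found]:10x:::
pub:-:2048:1:AAAAAAAAAAAAAAAA:1500001000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1500001000::HASH2::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1500001000::::Alice Example <alice@example.org>:13x::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
"""

# A query that is a 16-hex long key ID or a 40-hex v4 fingerprint.
HEX_ID = re.compile(r"^[0-9A-Fa-f]{16}$|^[0-9A-Fa-f]{40}$")


def parse_keys(text):
    """Group colon records into keys: {'keyid', 'fpr', 'uids', 'sigs'}."""
    keys, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if f[0] == "pub":
            cur = {"keyid": f[4], "fpr": None, "uids": [], "sigs": []}
            keys.append(cur)
        elif f[0] == "fpr" and cur is not None:
            cur["fpr"] = f[9]
        elif f[0] == "uid" and cur is not None:
            cur["uids"].append(f[9])
        elif f[0] == "sig" and cur is not None:
            cur["sigs"].append(f)
    return keys


def issuer_of(sig):
    """Issuer fingerprint if the record carries one, else the long key ID.
    The purported user ID in field 10 is deliberately never consulted."""
    fpr = sig[12] if len(sig) > 12 else ""
    return fpr or sig[4]


def render_signatures(key):
    """What a keyserver page would print for each certification on a key:
    only the issuer identifier, no name, no e-mail, no search link."""
    return [f"unverified signature from {issuer_of(s)}" for s in key["sigs"]]


def search(keys, query):
    """Fingerprint/key-ID queries are exact (key ID is a suffix of the v4
    fingerprint); user-ID queries are substring matches and return every
    key that merely claims the string, related or not."""
    if HEX_ID.match(query):
        q = query.upper()
        return [k for k in keys if k["fpr"] and k["fpr"].upper().endswith(q)]
    return [k for k in keys if any(query in u for u in k["uids"])]


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_LISTING)
    for k in keys:
        print(k["fpr"])
        for line in render_signatures(k):
            print("   ", line)
    print("keys matching alice@example.org:",
          len(search(keys, "alice@example.org")))
```

Running the demo block shows the two keys listed by fingerprint with their certifications rendered by issuer only, and a user-ID search for `alice@example.org` returning both keys, which is exactly the "completely unrelated keys that happen to have the same purported ID" problem; a fingerprint search returns one.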
