Houston, we have a problem
Duane Whitty
duane at nofroth.com
Tue Sep 26 14:32:30 CEST 2017
On 17-09-26 09:15 AM, Andrew Gallagher wrote:
> On 26/09/17 12:30, Kristian Fiskerstrand wrote:
>> On 09/26/2017 01:07 PM, Andrew Gallagher wrote:
>>> So SKS should just say "unverified signature from
>>> <fingerprint>". It should not repeat the purported user ID, nor
>>> provide a search link that returns completely unrelated keys
>>> that happen to have the same purported ID.
>>
>> No, that is also wrong, as it implies that anything is trusted
>> unless otherwise stated. A malicious actor can claim it is
>> verified all he/she wants (simply removing the disclaimer).
>
> Um, did you reply to the wrong paragraph? I did mention
> disclaimers elsewhere, but only in passing (and tongue in cheek).
> My argument is that we shouldn't be displaying unverified
> information at all.
>
>> The user's default position NEEDS to be that nothing is verified
>> until it is done locally or by an explicitly trusted third
>> party.
>
> Absolutely. None of this is an argument against users having to do
> things right. But the way to get users to do things right is to
> train them to do things right from the start - and you do that by
> railroading them down the straight and narrow and not even have the
> option to do it any other way. That way, if the opportunity to do
> it wrong arises in the future their first instinct will be "this
> isn't how it's supposed to happen". If you can't train people
> personally, you have to write your software so that the software
> trains them.
>
Why? Ultimately are we not all responsible for our own actions?
People should be required to make some effort.
> WhatsApp gets the UX *very nearly* right. And since everyone and
> his dog now uses it that's the new baseline. If it's easier to do
> it wrong than in WhatsApp, it's broken. If it's harder to
> understand than WhatsApp, it's broken. If you have to read more
> instructions than WhatsApp, it's broken.
>
WhatsApp controls the key material. *Seems* safe so far but who
knows. I personally would never put anything truly confidential over
WhatsApp. And actually people are supposed to verify that they are
messaging who they think they are messaging by doing a comparison of
fingerprints or ids or whatever they are called. I only message one
person with it so it's been a while since I've had to do it. But I am
willing to bet lots of users don't do that verification step. It's a
good UX but not perfect. Same goes for GPG in my opinion. It's good
but not perfect. It never will be and I don't believe any (security)
software will ever have a perfect mix of features for all users and
use cases out of the "box".
> It's no good implementing something correctly if it can be applied
> incorrectly. Murphy's Law applies.
>
I don't want my software or its developers acting like my big brother!
>> being able to browse the keyserver directly is too useful for
>> debugging to completely remove
>
> Indeed, but is it necessary to display the untrustworthy user-ID
> on signatures? The fingerprint should be sufficient.
>
>
>
> _______________________________________________ Gnupg-users mailing
> list Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
Best Regards,
Duane
--
Duane Whitty
duane at nofroth.com