[Enigmail] Proposed policy

Robert J. Hansen rjh at sixdemonbag.org
Tue Dec 11 10:25:46 PST 2007


Cristian KLEIN wrote:
> I don't like this. Signatures can be bad or valid, trusted or
> untrusted. There is a very clear distinction between these two
> dimensions.

Not so clear as you seem to believe--see below.

> There is a very clear distinction between invalid (i.e.
> the message has been tampered with) and untrusted (i.e. I don't know the
> trust level of this signature).

No.  The fact you're getting this wrong is evidence that it's too
complex to expect people to understand.

A signature is 'good' if and only if the mathematical transformation
specified between the hash of the message and the expanded signature
value is correct.  Otherwise it's 'bad'.

A signature is 'valid' if and only if it is a good signature coming from
a certificate which the user has validated.

A signature is 'trusted' if and only if it is a valid signature coming
from a person whom the user trusts.

For instance, I might have validated Snidely Whiplash's certificate, but
I don't trust him at all.  It would be possible to get a good, valid,
untrusted signature from him... which is really not a very good
signature at all.  The word 'good' gets overloaded in so many different
contexts here.

The language involved in signatures is far, far too complex.  GnuPG
itself talks about "keytrust" and "ownertrust" and then makes it all the
more confusing by ambiguously talking about "trust".  The upshot of it
is that just figuring out precisely what a signature is, much less what
it means, requires a level of technical knowledge we cannot expect
people to understand.

> What should a user understand from "The key is invalid?":
> * Enigmail failed to parse it.
> * The message has been tampered with.
> * I don't know the key of George W. Bush.

The user should understand "for some reason, the key is unusable".
Which is exactly correct.  The user doesn't need to know more than that.
If the key is invalid because it lacks a trusted signature, then put up
a little button next to it which says "Validate", and have that pop up a
wizard leading people through the signature process.  Whatever.

> Having such generic messages for distinct failure cases makes me feel
> like having Windoz on my computer: "The following error occurred:
> unknown error."

The difference is that 'unknown error' gives absolutely no help for how
to remedy the problem.  'The key is invalid' gives quite a lot of help:
it tells you the problem is with the key and, if the problem is it needs
a trust signature, it puts up a little button allowing you to remedy the
problem right there.

> I would rather add detailed instructions to the Help menu of OpenPGP
> or perhaps more detailed messages:

You don't want detailed messages in a summary description.  You want
summaries in the summary description.  Detailed messages are for help
files, not to be displayed on the screen with every message displayed.
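The good / valid / trusted layering Hansen describes, as an added example that is not part of the thread or of Enigmail's code: it reduces GnuPG's `--status-fd` output for one signature to those layers and produces the one-line summary plus "Validate" button the reply argues for. The status keywords (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY, VALIDSIG, TRUST_*) are GnuPG's own; the sample lines, the fingerprint, the ownertrust table and the summary wording are constructed assumptions.

```python
"""Map GnuPG --status-fd lines onto the good / valid / trusted layers.
The status keywords are GnuPG's real ones; the sample lines, fingerprint
and ownertrust table below are constructed for this example."""

def classify(status_lines, ownertrust):
    """Return 'bad', 'unusable', 'good', 'valid' or 'trusted' for one message.
    ownertrust maps fingerprint -> 'unknown'|'never'|'marginal'|'full'|'ultimate'
    and stands in for a gpg --export-ownertrust lookup (assumed)."""
    good, validity, fpr = False, None, None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kw = fields[1]
        if kw == "BADSIG":                       # hash/signature math failed
            return "bad"
        if kw in ("ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return "unusable"                    # key missing, expired or revoked
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG":
            fpr = fields[2]                      # full fingerprint of signing key
        elif kw.startswith("TRUST_"):
            validity = kw[6:]                    # key validity (GnuPG "keytrust")
    if not good:
        return "unusable"
    if validity not in ("FULLY", "ULTIMATE"):
        return "good"          # math checks out, but the user never validated the key
    if ownertrust.get(fpr) in ("full", "ultimate"):
        return "trusted"       # validated key *and* the user trusts its owner
    return "valid"

def summary(level):
    """One-line status plus whether to offer a 'Validate' button (wording assumed)."""
    if level == "bad":
        return "Bad signature: the message was altered.", False
    if level in ("unusable", "good"):
        return "The key is invalid.", level == "good"
    if level == "valid":
        return "Valid signature from an untrusted signer.", False
    return "Trusted signature.", False

FPR = "0000000000000000000000000123456789ABCDEF"   # constructed fingerprint
SAMPLE = [  # constructed status output for one good signature on a validated key
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>",
    "[GNUPG:] VALIDSIG %s 2007-12-11 1197368746 0 4 0 17 2 00 %s" % (FPR, FPR),
    "[GNUPG:] TRUST_FULLY 0 classic",
]
```

With an empty ownertrust table `classify(SAMPLE, {})` yields `valid`; adding `{FPR: "full"}` turns the same signature into `trusted`, which is exactly the distinction the thread says users should not have to work out themselves.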
