[Enigmail] On Signatures, Part II

Phil Stracchino alaric at metrocast.net
Fri Dec 14 06:24:15 PST 2007


Jan Steffen wrote:
> Untrusted signature means that the message was signed, but you don't
> know by whom.
> The solution is to contact the sender and exchange his fingerprint in a
> secure way or ask him to go to a key-signing-party.
> This is indeed a concept which is difficult to grasp for most users.
> But it doesn't mean that an untrusted sig has no information.
> 
> I agree with you that all that could be made easier to grasp for the
> normal user. But just hiding all information that a user /might/ not
> fully understand is the wrong way IMO.

Perhaps what's needed is some kind of an expertise-level preference that
lets the user choose how much information they want to be shown.  I'm
inclined to say it should default to showing everything with minimal
handholding, but allow an option to see more verbose explanations or to
see a simplified "novice" view.

"This message is signed with a key belonging to XXXXXX that you already
know and have marked as trusted, and has not been altered since signing."

"This message appears to be unaltered since signature.  The key it was
signed with is previously unknown to you, but the signing key carries a
signature from another key belonging to YYYYYY, that you already know
and have marked as trusted."

"This message appears to be unaltered since signature, but was signed
with a key that you haven't previously seen.  The trust level of the
signing key is unknown."

"This message does not match its signature.  It may have been
intentionally altered by someone other than the sender, or a problem may
have occurred during transmission."

> One main problem is the different meanings of "trust":
> Trust that a key really belongs to someone.
> Trust that someone only signs other keys after careful ID-checking.
> Trust in a person being "Good guy".
> 
> Jan

Exactly.  Terminology overloading can be a bitch sometimes.  When a term
has multiple potential meanings depending on context, it can be hard for
the uninitiated to correctly deduce which meaning is intended.



-- 
  Phil Stracchino, CDK#2         ICBM: 43.5607, -71.355
  Renaissance Man, Unix ronin, Perl hacker, Free Stater
  alaric at caerllewys.net            alaric at metrocast.net
          It's not the years, it's the mileage.
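
Added example (not part of the original message, and not Enigmail's code): one way the expertise-level preference proposed above could be driven from GnuPG's `--status-fd` output. The function names, level names, message wording and sample status lines are assumptions constructed for illustration, and a single signature per message is assumed.

```javascript
// Added illustration: classify GnuPG --status-fd lines, then word the result
// per expertise level. Assumes one signature per message.
function classify(statusText) {
  const seen = new Map(); // status keyword -> argument string
  for (const line of statusText.split(/\r?\n/)) {
    const m = /^\[GNUPG:\] (\S+)(?: (.*))?$/.exec(line);
    if (m && !seen.has(m[1])) seen.set(m[1], m[2] || "");
  }
  // GOODSIG/BADSIG arguments are "<keyid> <user id>"; drop the key id.
  const signer = (kw) => seen.get(kw).split(" ").slice(1).join(" ");
  if (seen.has("BADSIG")) return { state: "bad", signer: signer("BADSIG") };
  // Fail closed: without GOODSIG (missing key, error) nothing is asserted.
  if (!seen.has("GOODSIG")) return { state: "unverifiable", signer: "" };
  const valid = seen.has("TRUST_FULLY") || seen.has("TRUST_ULTIMATE");
  return { state: valid ? "valid" : "unproven", signer: signer("GOODSIG") };
}

// [terse line for the default view, plain sentence for the novice view]
const MESSAGES = {
  valid: ["Good signature; key validity established",
    "This message is unaltered and the signing key is confirmed to belong to the sender."],
  unproven: ["Good signature; key validity NOT established",
    "This message is unaltered, but you have not confirmed who owns the signing key."],
  bad: ["BAD signature",
    "This message does not match its signature. It may have been altered."],
  unverifiable: ["Signature could not be verified",
    "The signature could not be checked, for example because the signing key is missing."],
};

// level: "novice" (plain sentence), "default" (terse), "verbose" (both)
function describe(statusText, level = "default") {
  const { state, signer } = classify(statusText);
  const [terse, plain] = MESSAGES[state];
  const who = signer ? ` (${signer})` : "";
  if (level === "novice") return plain;
  if (level === "verbose") return `${terse}${who}. ${plain}`;
  return `${terse}${who}`;
}

// Constructed sample status output (not captured from a real gpg run).
const ID = "0123456789ABCDEF Alice Example <alice@example.org>";
const SAMPLE_VALID = `[GNUPG:] GOODSIG ${ID}\n[GNUPG:] TRUST_FULLY 0 pgp`;
const SAMPLE_UNPROVEN = `[GNUPG:] GOODSIG ${ID}\n[GNUPG:] TRUST_UNDEFINED 0 pgp`;
const SAMPLE_BAD = `[GNUPG:] BADSIG ${ID}`;

console.log(describe(SAMPLE_UNPROVEN, "verbose"));
```

Any state other than an explicit GOODSIG with full or ultimate validity falls through to the weaker wording, so an unrecognised status line never upgrades what the user is told.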

