[Enigmail] Resignation (was Re: enigmail test)
Graham
gct3 at blueyonder.co.uk
Fri Feb 22 05:14:31 PST 2008
On Fri, 22 Feb 2008 09:35:03 +0100
Olav Seyfarth <olav at mozilla-enigmail.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Matt,
>
> > Can anyone verify that I've verified the Enigmail download
> > correctly?
>
> you verified the package as intended.
>
> > Terminal returned the following when I used Enigmail to verify
> > itself from Thunderbird, if you know what I mean...
> >
> >> gpg: Signature made Thu Jan 3 08:40:20 2008 PST using DSA key ID 9369CDF3
> >> gpg: Good signature from "Patrick Brunschwig (Enigmail sig)
>
> => Integrity OK.
>
> >> gpg: WARNING: This key is not certified with a trusted signature!
> >> gpg: There is no indication that the signature belongs to
> >> the owner.
> >> Primary key fingerprint: 10B2 E4A0 E718 BB1B 2791 DAC4 F040 E41B 9369 CDF3
> >
> > According to the website, the second line confirms all is well, but
> > then why the third and fourth lines' WARNING etc.?
>
> Long:
>
> It says that YOU did not tell "GnuPG" to trust the key the package is
> signed with. Imagine me as a man-in-the-middle. Then I could have
> - created a key with the name of Patrick and uploaded it to the keyservers
> - modified the website (on the server or in transit) to point to my key
>
> If you now download, you'll also get a "Good signature from Patrick"
> because all Enigmail/GnuPG can do is to check the integrity of the
> message. There is no way for any program to tell whether the key
> belongs to the real Patrick, even Patrick could be an alias that he
> used for years.
>
> Short:
>
> the warning is just about the missing link between the UID claim
> and the real world. If you *really* want to know, visit him in Zurich
> and verify his ID card with your own eyes. ;-) After that, you may
> certify ("sign") his key with yours. Now the Warning is gone.
>
> Advanced:
>
> If you then republish his (now-also-signed-by-you-) key to the
> keyservers, other OpenPGP users that certified your key and *trust*
> it may also get a valid verification (without warning) since there
> now is a "trust chain". Ultimately this leads to a "web of trust".
>
> Mind to distinguish "certification" (aka key signing) and "trust" (aka
> owner-trust). The first is written to the public key certified (and
> imported by keyservers if key is sent to them and it was not a
> local-only signature), the latter is stored separately (local only)
> in a "trust DB".
>
> The value that decides whether to display the above warning is the
> "calculated trust" which is a function of certification level and
> owner trust. There are multiple trust models and settings that
> influence how this is calculated.
>
> A classic example is a message signed by a key which in turn is
> certified by your own (ultimately trusted) key.
>
> > Be gentle, obviously I'm an utter noob...
>
> That's what this list is for: asking questions. Your questions will
> get more complicated to answer over time ;-)
>
> Olav
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (MingW32)
> Comment: This is a digital signature according to the OpenPGP standard
> Comment: Further information: http://privat.seyfarth.de/olav/
>
> iJwEAQECAAYFAke+iTMACgkQ/dJ0ek5GOmqGlgP9FRYHAQpODCUmEP0K4JYd7jHr
> ay/gO6eJZbaVvJqqW7x4bF4aGSWmHY5KixCIXTIIYxa3UlKrpJ7yKD0/jcCyGKjh
> gMuRXlEPHVnMwGiR6ZXNa7dhRyVLTnwZ4N5f2cLMiaLkXGRU+DAQFvhZVi+OxijA
> zl6PXvC/eqQi9LeTfdo=
> =uDdB
> -----END PGP SIGNATURE-----
> _______________________________________________
> Enigmail mailing list
> Enigmail at mozdev.org
> https://www.mozdev.org/mailman/listinfo/enigmail
I have made the point over recent weeks that I do not consider this
list the correct place to check signatures or encryption, as these are
matters which relate to GPG, not Enigmail. The Moderators of this list
have said that I am probably correct, but that they would rather do
this than frightening newbie members away.
I profoundly disagree and I believe this list should be reserved for
Enigmail queries and problems, and not those involving GPG.
Furthermore, I believe postings relating to "Enigmail Test" as an
example should be bounced back to the sender with a note that goes
something like this: "Enigmail is a GUI front end for use with the
Thunderbird email program and Gpg (or gnupg). Your request to verify
your test of Enigmail is a request which should more properly be made of
the gnupg-users mailing group and not this one. Your posting is
therefore being bounced back and will not be accepted unless it relates
to Enigmail ONLY and not any other program."
The Moderators disagree with me, and since we have had a plethora of
postings recently which asked for help in verifying GnuPG was
correct, and which were not bounced, I am left in the position of
having to accept the Moderators' decision, or having to make a
principled stand. Too often I consider this list is bedevilled by what
posters see as a fault of GnuPG, not of Enigmail.
Under those circumstances I feel I must resign from this list, and I hope
others will understand my decision.
--
Graham
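The "calculated trust" rule Olav describes in the quoted reply (certification is attached to the public key, owner-trust lives only in your local trust DB, and the warning disappears once your ultimately trusted key, or enough keys you trust, have certified the signer) is modelled in the Python below. This is an added illustration, not code from the thread and not GnuPG's implementation. It assumes GnuPG's default classic-model parameters (completes-needed=1, marginals-needed=3, max-cert-depth=5) and approximates max-cert-depth as a fixed number of propagation passes; Patrick's fingerprint is the one quoted above, every other fingerprint is a constructed placeholder.

```python
"""Simplified model of GnuPG's classic web-of-trust validity calculation.

Added example, not GnuPG's code. It shows why "Good signature" and
"WARNING: This key is not certified with a trusted signature!" appear
together, and which local actions make the warning go away.
"""
from dataclasses import dataclass, field

# Owner-trust levels. These are stored only in the local trust DB
# (trustdb.gpg) and are never exported together with a key.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

# GnuPG defaults for the classic trust model (assumption: default config).
COMPLETES_NEEDED = 1   # one certification from a fully trusted, valid key
MARGINALS_NEEDED = 3   # or three from marginally trusted, valid keys
MAX_CERT_DEPTH = 5     # maximum chain length from an ultimately trusted key


@dataclass
class Key:
    fingerprint: str
    uid: str
    # Fingerprints of keys whose certification ("key signature") is attached
    # to this public key. Unlike owner-trust, this travels with the key.
    certified_by: set = field(default_factory=set)


def calculated_validity(keys, ownertrust):
    """Return {fingerprint: 'full' | 'marginal' | 'unknown'}.

    A key is fully valid if it is ultimately trusted, or if enough *valid*
    keys whose owners you trust to certify others have certified it. Each
    pass extends chains by one hop, which approximates max-cert-depth.
    """
    validity = {fpr: UNKNOWN for fpr in keys}
    for fpr in keys:
        if ownertrust.get(fpr) == ULTIMATE:
            validity[fpr] = FULL
    for _ in range(MAX_CERT_DEPTH):
        changed = False
        for fpr, key in keys.items():
            if validity[fpr] == FULL:
                continue
            full_certs = marginal_certs = 0
            for signer in key.certified_by:
                # A certification counts only if the signer's own key is
                # fully valid AND its owner is trusted to certify others.
                if signer == fpr or validity.get(signer) != FULL:
                    continue
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (FULL, ULTIMATE):
                    full_certs += 1
                elif trust == MARGINAL:
                    marginal_certs += 1
            if full_certs >= COMPLETES_NEEDED or marginal_certs >= MARGINALS_NEEDED:
                new = FULL
            elif full_certs or marginal_certs:
                new = MARGINAL
            else:
                new = UNKNOWN
            if new != validity[fpr]:
                validity[fpr] = new
                changed = True
        if not changed:
            break
    return validity


def warning_for(keys, ownertrust, signer_fpr):
    """Warning gpg prints after a good signature by signer_fpr, or None."""
    v = calculated_validity(keys, ownertrust).get(signer_fpr, UNKNOWN)
    if v == FULL:
        return None
    if v == MARGINAL:
        return "WARNING: This key is not certified with sufficiently trusted signatures!"
    return "WARNING: This key is not certified with a trusted signature!"


# Patrick's fingerprint is the one quoted in the thread; the rest are
# constructed placeholders for this example.
PATRICK = "10B2E4A0E718BB1B2791DAC4F040E41B9369CDF3"
IMPOSTOR = "0" * 38 + "01"   # man-in-the-middle key carrying Patrick's name
MATT = "0" * 38 + "02"
OLAV = "0" * 38 + "03"
A, B, C = ("0" * 38 + x for x in ("04", "05", "06"))


def keyring():
    """Constructed public keyring as Matt would see it after importing."""
    return {
        PATRICK: Key(PATRICK, "Patrick Brunschwig (Enigmail sig)"),
        IMPOSTOR: Key(IMPOSTOR, "Patrick Brunschwig (Enigmail sig)"),
        MATT: Key(MATT, "Matt"), OLAV: Key(OLAV, "Olav Seyfarth"),
        A: Key(A, "A"), B: Key(B, "B"), C: Key(C, "C"),
    }


def before_certification():
    """Matt's own key is ultimately trusted; he has certified nobody yet."""
    return warning_for(keyring(), {MATT: ULTIMATE}, PATRICK)


def after_visiting_zurich():
    """Matt checked the fingerprint in person and signed Patrick's key.
    The impostor key still warns: the name match alone proves nothing."""
    keys = keyring()
    keys[PATRICK].certified_by.add(MATT)
    trust = {MATT: ULTIMATE}
    return warning_for(keys, trust, PATRICK), warning_for(keys, trust, IMPOSTOR)


def via_web_of_trust():
    """Olav certified Patrick; Matt certified Olav. The chain only works
    once Matt also assigns Olav owner-trust (certification != trust)."""
    keys = keyring()
    keys[PATRICK].certified_by.add(OLAV)
    keys[OLAV].certified_by.add(MATT)
    return (warning_for(keys, {MATT: ULTIMATE, OLAV: FULL}, PATRICK),
            warning_for(keys, {MATT: ULTIMATE}, PATRICK))


def via_marginals():
    """Two marginally trusted certifiers give marginal validity; the third
    reaches marginals-needed and the warning disappears."""
    keys = keyring()
    for fpr in (A, B, C):
        keys[fpr].certified_by.add(MATT)
    trust = {MATT: ULTIMATE, A: MARGINAL, B: MARGINAL, C: MARGINAL}
    keys[PATRICK].certified_by.update({A, B})
    two = warning_for(keys, trust, PATRICK)
    keys[PATRICK].certified_by.add(C)
    return two, warning_for(keys, trust, PATRICK)
```

The model makes Olav's distinction concrete: certifying Olav's key (a signature that would travel to the keyservers) does not by itself make Patrick's key valid for Matt; only the locally stored owner-trust on Olav lets his certification count.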