[Users] gpg validity homogeneous with gpg program (plugin pgpcore)

Jean-Benoist Leger leger at crans.org
Sun Jul 8 16:52:04 CEST 2012 

Hello developers,

Firstly, since the term trust in ambiguous for gpg (and in gpg offical manual), I will use only the two following terms :

* ownertrust : the trust we have to the owner to validates key
* validity : the trust we have that the key is the real key of the person we 
  know

For the following, I will consider we use the standart PGP trust model (3 marginal ownertrust needed of 1 full ownertrust needed).

When a key have the following validity, we can say :

* unknown : nothing
* marginal : one or two key with validity>=full and ownertrust=marginal 
  have sign this key
* full: three keys with validity>=full, and ownertrust=marginal ; OR one key
  with validity>=full and ownertrust>=full

Following the PGP trust model a key with validity=marginal is NOT trusted.

This is the output of GnuPG for a signature verification made by a key with validity=marginal :

gpg: Signature made Tue Jul  3 17:27:20 2012 CEST using RSA key ID XXXXXXXX
gpg: Good signature from "Xxxxxx XXXX <xxxxxx.xxxx at example.org>"
gpg: WARNING: This key is not certified with sufficiently trusted signatures!
gpg:          It is not certain that the signature belongs to the owner.

(I have anonymized the output)

Following my remarks on the IRC channel, ticho have commited the patchset 3.8.1cvs11 on the CVS.

But there are on behavior which is problematic.

The message "(untrusted)" is displayed but the icons display a good sign.

A sign with untrusted key is not a bad sign, and this verification must not be displayed as SIGNATURE_INVALID, but a sign with untrusted key is not a perfect sign, and must not be displayed as a perfect sign (SIGNATURE_OK).

See below, the GnuPG program output "Good signature", and a WARNING. To uniformize the output of the pgpcore plugin and the output of GnuPG program I propose a (trivial) patch.

With this patch, when a signature made by a key with validity=marginal is checked, the warning icon is displayed and the message is "Good signature (untrusted) from…" this is homogeneous with the GnuPG program.

If you want debate, I would be happy to participate.

Thanks,

-- 
jben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: display_validity_marginal_as_warning.patch
Type: text/x-patch
Size: 376 bytes
Desc: not available
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20120708/dc8e7716/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20120708/dc8e7716/attachment.sig>

More information about the Users mailing list