[Users] [Bug 3314] user can't see validity of gpg signatures

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Wed Oct 29 17:58:18 CET 2014


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3314

--- Comment #6 from HW42 <hw42-claws-mail at ipsumj.de> ---
> It's not the validity of the signature that you're seeing, it's the
> validity of the UID. A signature is either good or bad, a UID has
> validity. The owner has "trust". You are confusing the terms and using
> them as if they are interchangeable. They are not.

Yes, "good/bad signature", "validity" and "(owner-)trust" have
different meanings in gpg.

Sorry if my formulation was unclear.

My point is that it is critical for the user to see whether the uid of the key
which created a "good signature" is valid.

> How is this "critical"? If you're verifying a downloaded software
> package, e.g. the Claws Mail tarballs, or verifying a signature on a
> message, e.g. the Claws Mail release announcements, would you not trust
> them? Do you never trust a signature unless you've signed the key?

There are two possibilities.

Either I have a keyring which contains only trusted keys, for example
the debian-keyring (here I mean "trusted" in the sense that I trust them
to sign packages; uids are ignored here).

Or the other possibility is that I know via my Web-of-Trust (i.e. I have
personally signed the key, or somebody I trust (i.e. owner-trust) has
signed it, or I manually verify longer certification chains) that the
uid belongs to the key.

In your "normal" keyring you always import potentially untrusted keys
when you fetch them from a keyserver.

It's critical since otherwise I could simply upload the attached fake key
to a keyserver (obviously without the warning in the uid) and publish a
fake release of claws-mail. When somebody now reads the release message
he sees "key 0x654CECFF not available" and therefore downloads it from
the key server. Now claws-mail states "Good signature from Paul ...".
Unless he clicks on the "full information" he has no indication that
something is wrong.

-- 
You are receiving this mail because:
You are the assignee for the bug.
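The distinction the comment above draws (a signature is good or bad; the UID of
the signing key has validity; the owner has trust) is exactly what GnuPG
reports on its --status-fd channel: GOODSIG says only that the signature
verifies, and a separate TRUST_* line says whether the key's UID is valid in
the local web of trust. The example below is added here and is not code from
this thread, from Claws Mail or from GnuPG. It parses status lines in the
format documented in GnuPG's doc/DETAILS and turns them into a verdict that
shows the UID validity next to "Good signature", then applies the two policies
the comment describes: a pinned set of fingerprints (the dedicated-keyring
case, where UIDs are ignored) or web-of-trust validity. All key IDs,
fingerprints, names and status transcripts are constructed for the example;
no real key is referenced.

```python
"""Classify a GnuPG --status-fd verification result (added example).

Not Claws Mail's or GnuPG's code. Status line format follows GnuPG's
doc/DETAILS; every key ID, fingerprint, name and transcript below is
constructed for the example and does not refer to a real key.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

# Keywords that carry "<long keyid> <user id>" after them.
SIG_KEYWORDS = {
    "GOODSIG": "good",
    "EXPSIG": "good-expired-signature",
    "EXPKEYSIG": "good-expired-key",
    "REVKEYSIG": "good-revoked-key",
    "BADSIG": "bad",
}
# Only these TRUST_* levels mean the UID is valid in the local web of
# trust. TRUST_UNDEFINED is what a key fetched from a keyserver and never
# certified by anyone you trust gets.
VALID_LEVELS = {"TRUST_MARGINAL", "TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class Verdict:
    signature: str = "none"       # good / bad / missing-key / error / good-* / none
    keyid: Optional[str] = None   # long key ID from GOODSIG/BADSIG/NO_PUBKEY
    fingerprint: Optional[str] = None  # full fingerprint from VALIDSIG
    uid: Optional[str] = None     # user ID string as GnuPG printed it
    trust: Optional[str] = None   # TRUST_* keyword, if any

    @property
    def uid_valid(self) -> bool:
        return self.signature == "good" and self.trust in VALID_LEVELS

    def summary(self) -> str:
        """What a mail client should show instead of a bare 'Good signature'."""
        if self.signature == "good":
            if self.uid_valid:
                return (f"Good signature from {self.uid} "
                        f"[key {self.keyid}, UID valid: {self.trust}]")
            return (f"Good signature from {self.uid}, but the UID of key "
                    f"{self.keyid} is NOT validated "
                    f"({self.trust or 'no trust info'}); any key carrying "
                    "this name would look the same")
        if self.signature == "bad":
            return f"BAD signature from {self.uid} [key {self.keyid}]"
        if self.signature == "missing-key":
            return f"Signature made with key {self.keyid}, public key not available"
        if self.signature.startswith("good-"):
            reason = self.signature[5:].replace("-", " ")
            return f"Signature verifies but {reason} [key {self.keyid}]"
        return "No signature found"


def parse_status(lines: List[str]) -> Verdict:
    """Fold the status lines of one gpg --verify run into a Verdict."""
    v = Verdict()
    for raw in lines:
        m = STATUS_RE.match(raw.strip())
        if not m:
            continue  # ordinary gpg diagnostics are not status lines
        kw, args = m.group(1), (m.group(2) or "")
        if kw in SIG_KEYWORDS:
            keyid, _, uid = args.partition(" ")
            v.signature, v.keyid, v.uid = SIG_KEYWORDS[kw], keyid, uid.strip()
        elif kw == "VALIDSIG":
            v.fingerprint = args.split()[0]
        elif kw.startswith("TRUST_"):
            v.trust = kw
        elif kw == "NO_PUBKEY":
            v.signature, v.keyid = "missing-key", args.split()[0]
        elif kw == "ERRSIG" and v.signature == "none":
            v.signature, v.keyid = "error", args.split()[0]
    return v


def accept(v: Verdict, pinned_fingerprints: Optional[Set[str]] = None) -> bool:
    """The two policies from the comment: with a keyring of pinned keys the
    fingerprint is the identity and UIDs are ignored; otherwise the UID
    must be valid through the web of trust."""
    if v.signature != "good":
        return False
    if pinned_fingerprints is not None:
        return v.fingerprint in pinned_fingerprints
    return v.uid_valid


# Constructed transcripts (not real keys). The impostor key carries the
# same display name but was never certified: GOODSIG plus TRUST_UNDEFINED.
TRUSTED_FPR = "000000000000000000000000AAAABBBBCCCCDDDD"
IMPOSTOR_FPR = "0000000000000000000000001111222233334444"
IMPOSTOR_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1111222233334444 Paul <paul@example.invalid>",
    f"[GNUPG:] VALIDSIG {IMPOSTOR_FPR} 2014-10-29 1414600000 0 4 0 1 10 00 {IMPOSTOR_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
TRUSTED_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG AAAABBBBCCCCDDDD Paul <paul@example.invalid>",
    f"[GNUPG:] VALIDSIG {TRUSTED_FPR} 2014-10-29 1414600000 0 4 0 1 10 00 {TRUSTED_FPR}",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
KEY_NOT_AVAILABLE = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG AAAABBBBCCCCDDDD 1 10 00 1414600000 9",
    "[GNUPG:] NO_PUBKEY AAAABBBBCCCCDDDD",
]
BAD_SIGNATURE = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG AAAABBBBCCCCDDDD Paul <paul@example.invalid>",
]

if __name__ == "__main__":
    for name, lines in [("impostor", IMPOSTOR_KEY), ("trusted", TRUSTED_KEY),
                        ("missing", KEY_NOT_AVAILABLE), ("bad", BAD_SIGNATURE)]:
        v = parse_status(lines)
        print(f"{name:9} accept(WoT)={accept(v)!s:5} "
              f"accept(pinned)={accept(v, {TRUSTED_FPR})!s:5}  {v.summary()}")
```

To feed it real data, run `gpg --status-fd 1 --verify file.sig file` and pass
the stdout lines to parse_status; the parser only looks at the keyword and the
first arguments, so it tolerates the extra fields newer GnuPG versions append.
The point of the impostor transcript is the one made in the comment: the
signature is "good" and the name matches, and only the TRUST_UNDEFINED line
(or a fingerprint allow-list) tells the two apart.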
