Re: decrypt and trusting certs



Hi Ildar:

Am 09.10.12 06:32 schrieb(en) Ildar Mulyukov:
Albrecht, I didn't mean that Balsa's Key fingerprint is wrong, I mean that Balsa's presentation of it is hostile. Compare this:
1. cmd line
	$ gpg2 --search-keys albrecht dress arcor de | grep DSA
	gpg: поиск "albrecht dress arcor de" на hkp сервере subkeys.pgp.net
	Keys 1-1 of 1 for "albrecht dress arcor de".  	  1024 bit DSA key D027FFD1, создан: 2002-04-15

2. Thunderbird: see a shot
2. seahorse: see a shot
3. Balsa: see a shot

Ah, now I understand!

The design is stolen^H^H^H^H^H^H inspired by kmail/kontact which is somehow the "reference design" of the Sphinx project by the GnuPG guys and the BSI (see screen shot).  Kmail limits the display to 16 hex digits, though.

If a user wants to verify the fingerprint by looking at it, then it is easy with Seahorse, TB and even with cmdline gpg, but not with Balsa.

Why should the fingerprint be verified?  All you need is to look at the green/yellow/red "traffic lights":

If the key is unknown (red padlock), but the message claims to come from whom you have the key, you should ask h(im|er) why the "well known" key isn't used.

If the key is unknown, and coming from someone whose key you don't have, you may want to load it from the key server.  If it has been signed by people you trust (read: whose keys you trust), the trust level in the just downloaded key will be more or less good (this is the yellow padlock case, see the explanation at <http://en.wikipedia.org/wiki/Web_of_trust> or <http://www.gnupg.org/gph/en/manual.html#AEN335>).

If you trust the person (the key) absolutely (e.g. because [s]he personally passed it to you), and you set the trust accordingly, the padlock will be green.

If someone suspects that the key has been abused, it must be revoked and the revocation must be uploaded to the key servers, so it will be invalidated (=red padlock) in the local key ring when you run 'gpg2 --refresh-keys'.

Dealing with fingerprints is cumbersome, let them be 8, 16 or 32 hex digits wide.  Thus, it's debatable whether we should show them at all.

Cheers, Albrecht.

PNG image

Attachment: pgp35ejzBOMJ0.pgp
Description: PGP signature



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]