Re: [Evolution] New lock icon implies authentic sig



On Wed, 2001-10-24 at 18:40, Miles Lane wrote:
> As Dan has pointed out, it would be better if
> the new, smaller icon was made into several icons that differentiate
> between validated and unvalidated signatures.

You don't know this before you've pressed the button.

> Another consideration is that the current lock icons seem to indicate
> encryption, which isn't actually the case.  Almost all the messages
> are not encrypted.  The digital signature only indicates that a public
> key is attached.

I suppose that you mean the right thing, but what you said is of course
wrong. A signature does not contain the pubkey. A signature says that
the signed message was signed with someone's private key, and if I have
the public key of this person (and know/trust that the key I have really
belongs to the person I think of) then I can validate that message as
being signed with the person's priv key and not being altered afterwards.

> It does not even indicate whether the key is trusted
> or not, which is probably what most of us would really care about,
> anyhow.  The current icons indicate whether a key is a valid key,
> not a trusted key.

The "trusting" belongs to the public key which you have to get by other
means (gnupg tries to automatically fetch the right public key belonging
to the private key used to sign the message from a keyserver, but then
of course you still have to trust that the key you just fetched really
belongs to the actual person). The secure way is to exchange by a safe
line (personal meeting) the "checksum" of the key with the person, so
you can be sure that you have the right public key.

        jtl
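The distinction drawn in the reply above (a signature is checked against a public key obtained separately, and trusting that key is a second decision made by comparing its "checksum" over a safe channel) shown in working code. This is an added example, not code from the thread, from Evolution or from GnuPG: it uses Go's standard-library Ed25519 in place of OpenPGP, a truncated SHA-256 digest as a stand-in for the key fingerprint, and a constructed sample message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint is the "checksum" of a public key that two people compare
// in person before marking the key as trusted. (Stand-in for an OpenPGP
// fingerprint: a truncated SHA-256 of the raw key bytes.)
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Verdict keeps the two questions apart, as the thread asks:
// Valid   - the signature checks out against the supplied public key.
// Trusted - that key's fingerprint was confirmed out of band.
type Verdict struct {
	Valid   bool
	Trusted bool
}

// Check verifies msg/sig against pub and then consults the trust set.
// Note that sig carries no key at all: pub must come from somewhere else
// (a keyserver, a previous exchange), and only the fingerprint check says
// whether that key really belongs to the person it claims to.
func Check(pub ed25519.PublicKey, msg, sig []byte, trusted map[string]bool) Verdict {
	v := Verdict{Valid: ed25519.Verify(pub, msg, sig)}
	v.Trusted = v.Valid && trusted[Fingerprint(pub)]
	return v
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("constructed sample message") // constructed input
	sig := ed25519.Sign(priv, msg)
	trusted := map[string]bool{}

	fmt.Println(Check(pub, msg, sig, trusted)) // {true false}: valid key, not yet trusted
	trusted[Fingerprint(pub)] = true           // fingerprint confirmed in person
	fmt.Println(Check(pub, msg, sig, trusted)) // {true true}
	msg[0] ^= 1                                // message altered after signing
	fmt.Println(Check(pub, msg, sig, trusted)) // {false false}
}
```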




