Re: [Evolution] New lock icon implies authentic sig



On Wed, 2001-10-24 at 10:33, Jens Lautenbacher wrote:
On Wed, 2001-10-24 at 18:40, Miles Lane wrote:
As Dan has pointed out, it would be better if
the new, smaller icon was made into several icons that differentiate
between validated and unvalidated signatures.

You don't know this before you pressed the button. 

Oh right.  

Another consideration is that the current lock icons seem to indicate
encryption, which isn't actually the case.  Almost all the messages
are not encrypted.  The digital signature only indicates that a public
key is attached. 

I suppose that you mean the right thing, but what you said is of course
wrong. A signature does not contain the pubkey. A signature says that
the signed message was signed with someone's private key and if I have
the public key of this person (and know/trust that the key I have really
belongs to the person I think of) then I can validate that message as
being signed with the person's priv key and not being altered afterwards.

Thanks for clarifying that. 

The gpg man page says it supports the following key states:

       -         No ownertrust assigned / not yet calculated.

       e         Trust calculation has failed; probably
                 due to an expired key.

       q         Not enough information for calculation.

       n         Never trust this key.

       m         Marginally trusted.

       f         Fully trusted.

       u         Ultimately trusted.

This indicates to me that Evolution could determine when it checks
the digital signature, whether the key is trusted or not and then
indicate that in its selection of icon to display.

It does not even indicate whether the key is trusted
or not, which is probably what most of us would really care about,
anyhow.  The current icons indicate whether a key is a valid key,
not a trusted key.

The "trusting" belongs to the public key which you have to get by other
means (gnupg tries to automatically fetch the right public key belonging
to the private key used to sign the message from a keyserver, but then
of course you still have to trust that the key you just fetched really
belongs to the actual person). The secure way is to exchange by a safe
line (personal meeting) the "checksum" of the key with the person, so
you can be sure that you have the right public key.

Right.  Since the trusting status is recorded by GPG, I don't see
any trouble for Evolution to check that status when selecting the 
icon.  I am assuming that GPG is being used by someone who takes the
time to set up trusted keys by the methods you mention.

        Miles
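
Added example, not part of the original message or of Evolution's code: one way a mail client could separate "the signature is valid" from "the key is trusted" when choosing an icon, by reading the status lines GnuPG writes with `--status-fd`. The icon names and the sample status text are constructed for illustration.

```python
# Added example: pick a signature icon from GnuPG's machine-readable status lines.
# Icon names are hypothetical; the sample status texts are constructed.
PREFIX = "[GNUPG:] "

FAILED = {"BADSIG"}                           # message altered or signature forged
UNVERIFIABLE = {"ERRSIG", "NO_PUBKEY"}        # signature could not be checked at all
STALE = {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}  # expired signature, expired or revoked key
TRUST_ICON = {
    "TRUST_ULTIMATE": "sig-good-trusted",
    "TRUST_FULLY": "sig-good-trusted",
    "TRUST_MARGINAL": "sig-good-marginal",
    "TRUST_UNDEFINED": "sig-good-untrusted",
    "TRUST_NEVER": "sig-good-untrusted",
}
WEAKEST_FIRST = ["sig-good-untrusted", "sig-good-marginal", "sig-good-trusted"]

def status_keywords(status_text):
    """Return the keyword of every '[GNUPG:] KEYWORD args...' line, in order."""
    words = []
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                words.append(fields[0])
    return words

def icon_for(status_text):
    """Choose an icon; any failure outranks a good result (fail closed)."""
    words = status_keywords(status_text)
    seen = set(words)
    if seen & FAILED:
        return "sig-bad"
    if seen & UNVERIFIABLE:
        return "sig-unverifiable"
    if seen & STALE:
        return "sig-expired-or-revoked"
    if "GOODSIG" not in seen:
        return "sig-none"
    # The signature checks out; the icon now depends on the trust reported for the key.
    trust = [TRUST_ICON.get(w, "sig-good-untrusted") for w in words if w.startswith("TRUST_")]
    if not trust:
        return "sig-good-untrusted"
    return min(trust, key=WEAKEST_FIRST.index)  # several signatures: show the weakest

# Constructed samples (key id and user id are placeholders).
GOOD_UNTRUSTED = ("[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"
                  "[GNUPG:] TRUST_UNDEFINED\n")
GOOD_TRUSTED = ("[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"
                "[GNUPG:] TRUST_FULLY\n")
TAMPERED = "[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"
MISSING_KEY = ("[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1003941600 9\n"
               "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")
```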




