Seahorse Trust Model revisited



Currently, the Trust tab on the properties of a public key works as
follows (proposed by Stef, then Nate):


The GPG trust model is complex. It's hard to grasp all the nuances of
it. Basically only GPG developers and GPG geeks have a chance of using
it properly. There are differing opinions of what "proper use" is. There
are even *different* trust models available for selection in GPG.

We need to make this simple enough for someone (who has a life outside
of GPG) to use. Note that I did not say 'grasp'. The user should not
have to learn a bunch of theory. We also need to remain secure and
'correct'. I put quotes around 'correct' because there are obviously
differing opinions as to correctness.

Here's my proposal. I may be missing something or have gotten something
wrong. Let's discuss it.

Cheers,
Nate



SUMMARY:

 * We initially ask the user to verify, to mark an owner trust on the key.
 * Then we encourage the user to sign the key as a method
   of indicating that trust to others.

DETAILS:

Assuming an unsigned, 'no-trust-assigned' public key, the first thing
the user sees on the 'Trust' page is a checkbox like this:

 [ ] I have verified that this key belongs to
    who it says it does.

Checking this will set the GPG Owner Trust to 'marginal'. Below that is
another checkbox which is initially disabled. By checking the above
checkbox, this becomes enabled:

 [ ] I trust signatures on other keys that are made
    by the owner of this key.

Checking this second box will set the GPG Owner Trust to 'complete'.

The other Owner Trust values (ie: 'never', and 'ultimate') are still
available for advanced users on the 'Details' tab. If an advanced user
has customized the Owner Trust (ie: by selecting 'never' or 'ultimate')
then instead of the above checkboxes, a message is displayed to that
effect (directing them to the 'Details' tab).

Once the first checkbox (described above) has been checked, and if the
user has not yet signed the key with one of his private keys, then we
put something like following message up:

To indicate your trust of this key to others, sign it. [Sign Key]

It's important to note that the 'Sign Key' operation is also available
through other places in the UI.


I no longer agree with this model and believe it's causing problems
with other programs that use GPG. [1][2]

The first check box 'I have checked that this key belongs to '%s''
should result in a signature along with grading how carefully they
checked the papers.  Maybe a sensible default is to say they
marginally checked.

The second check box 'I trust signatures from '%s' on other keys'
should result in a marginal trust level being set on the key.

The sign button should be removed.

Comments and thoughts?

Cheers,

Adam

[1] http://mail.gnome.org/archives/seahorse-list/2008-February/msg00000.html
[2] http://bugzilla.gnome.org/show_bug.cgi?id=435278
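As an added illustration (not Seahorse or GnuPG code, written for this post), the Python below models what the two Trust-tab checkboxes do under the model quoted above and under Adam's proposal, mapping the UI state to the `FPR:VALUE:` record format of `gpg --export-ownertrust` and to a `gpg --sign-key` invocation. The fingerprints are constructed, the cert-check level of 2 (casual) for "marginally checked" is an assumption, and the script only builds the gpg command instead of running it.

```python
from dataclasses import dataclass

# Owner-trust values as written by `gpg --export-ownertrust` ("FPR:VALUE:" lines):
# 2 = undefined, 3 = never, 4 = marginal, 5 = full, 6 = ultimate.
OWNERTRUST = {"undefined": 2, "never": 3, "marginal": 4, "full": 5, "ultimate": 6}
BY_VALUE = {v: k for k, v in OWNERTRUST.items()}
ADVANCED = {"never", "ultimate"}   # only settable from the Details tab
CASUAL_CHECK = 2                   # gpg cert-check level: 1 none, 2 casual, 3 extensive (assumed default)

@dataclass
class TrustTab:
    fpr: str           # hex fingerprint of the public key being inspected
    verified: bool     # "I have verified that this key belongs to ..."
    trusts_sigs: bool  # "I trust signatures on other keys made by the owner of this key"

def current_model(tab):
    """Model quoted above: box 1 -> marginal owner trust, box 2 -> full; signing is a separate button."""
    if tab.trusts_sigs and not tab.verified:
        raise ValueError("second checkbox stays disabled until the first is checked")
    level = "full" if tab.trusts_sigs else "marginal" if tab.verified else "undefined"
    prompt = "To indicate your trust of this key to others, sign it." if tab.verified else None
    return {"ownertrust": f"{tab.fpr}:{OWNERTRUST[level]}:", "sign": None, "prompt": prompt}

def proposed_model(tab, signing_key, cert_level=CASUAL_CHECK):
    """Adam's proposal: box 1 certifies the key, graded by check level; box 2 -> marginal owner trust."""
    sign = None
    if tab.verified:   # an interactive `gpg --sign-key` carrying the chosen certification level
        sign = ["gpg", "--default-cert-level", str(cert_level),
                "--local-user", signing_key, "--sign-key", tab.fpr]
    ownertrust = f"{tab.fpr}:{OWNERTRUST['marginal']}:" if tab.trusts_sigs else None
    return {"ownertrust": ownertrust, "sign": sign, "prompt": None}

def parse_ownertrust(text):
    """Parse `gpg --export-ownertrust` output into {fingerprint: numeric trust}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fpr, value = line.split(":")[:2]
            table[fpr.upper()] = int(value)
    return table

def tab_state(fpr, table):
    """What the Trust tab shows for a key: the checkbox states, or the Details-tab message."""
    name = BY_VALUE.get(table.get(fpr.upper(), OWNERTRUST["undefined"]), "undefined")
    if name in ADVANCED:
        return {"message": f"Owner trust is set to '{name}'; change it on the Details tab."}
    return {"verified": name in ("marginal", "full"), "trusts_sigs": name == "full"}

# Constructed sample of `gpg --export-ownertrust` output (fake fingerprints).
SAMPLE_OWNERTRUST = """\
# List of assigned trustvalues, created Mon Feb 25 2008
0000000000000000000000000000000000000001:6:
0000000000000000000000000000000000000002:4:
"""
```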

