Hi Philip,

On 15.12.13 18:43, Philip Jackson wrote:
> Hi Enigmail,
> 
> The recent discussion on the behaviour of the auto decrypt/verify button has
> prompted me to check more carefully on the behaviour using the 'Details' button
> which I have found to be strange.
> 
> First case :  Thunderbird displays a yellow band with message "Part of the
> message signed; click on 'Details' button for more information"
> 
> Clicking on 'Details' button gives 3 options (the others are greyed out):
> 
> 1.  import public key : this seems to work and the imported key is immediately
> displayed in Kleopatra but not in Thunderbird key manager until Thunderbird is
> restarted

This is bug 75 (https://sourceforge.net/p/enigmail/bugs/75/), fixed
after Enigmail 1.6 was released; the fix will be included in the next release.

> 2.  'OpenPGP Security info' this only gives a dialog box saying 'unverified
> signature' - a bit of a waste of time

Would you please suggest an improved wording? What should Enigmail
display instead?

> 3. ' copy OpenPGP security info'  - it doesn't do anything - doesn't copy
> anything to windows clipboard - presumably because nothing is known.

Same on Mac OS X. Should at least copy the above (improved) message.

> So 2 of these 3 options are a waste of time in this case.
> 
> Second Case : after the 'import public key' option has been used and the key is
> available in the key manager and appears to be valid but I have not yet set a
> trust level nor signed the key.

Then it is not "valid", using OpenPGP terminology.

> Thunderbird displays a purple band with the
> message 'Error - signature verification failed; click on 'Details' button for
> more information.'    The Details button provides 5 usable options :
> 
> 1.  'OpenPGP security info': this gives a dialog box with 'Error - signature
> verification failed'  which we already knew so not very helpful.

As a side note: "unverified signature" is by far not the same as "Error
- signature verification failed". The first result is that for some
reason (such as missing public key of the sender) no technical
verification was possible. The second is that the verification was
possible, but the signature was wrong, meaning that the message was
modified on the way!

Upon I get a light blue ribbon saying:

UNTRUSTED Good signature from (...)
Key ID: 0x12345678 / Signed on: date/time
Key fingerprint: (...)

> 2.  'copy OpenPGP security info'  - it doesn't do anything - doesn't copy
> anything to windows clipboard - presumably because nothing is known.

I get the same message as above in the keyboard.


> 3. 'View key properties' :  this doesn't do anything despite multiple tries.
> (note that if the key manager is opened from OpenPGP/Key management, the subject
> imported key is visible provided that Thunderbird has been closed and restarted
> after import.)  But Details button option 3 does nothing - no effect.

For me, the key details dialog is displayed correctly.


> 4. 'Sign sender's key' - this opens a dialog box which appears that it would
> work BUT why would one wish to sign a key where 'verification has failed' ?

"verification has failed" refers to the message. A key should be
verified manually before you sign it.

> 5. 'Set owner trust of sender's key' : this opens a dialog box where the 'Key to
> trust' field is empty (you need to open key manager or Kleopatra to find the key
> ID) - but again, on what basis would you set a trust level for an unidentified
> key for which verification had failed ?
> 
> So out of 5 options, in this case, none is really useful.
> 
> Third case : sender's key imported, Thunderbird restarted, trust level set to
> 'marginal' but sender's key not signed by me.  Thunderbird displays a blue band
> with the message 'Part of the message signed; click on 'Details' button for more
> information + key ID .'    The Details button provides 5 usable options that are
> the same as in the 'second case' above.
> 
> 1. provides keyID and fingerprint but claims to be 'UNTRUSTED Good signature'
> even though I set trust level to marginal.

You will only get a "Trusted good signature" if you sign the key in
question yourself, or if a number of other keys (signed by you) have
signed the signee's key. Please search for GnuPG's trust model and the
web of trust.

> 2. works fine and does copy all info to Windows clipboard.
> 3. works fine and even shows trust level correctly as marginal
> 4. appears to work ok
> 5. opens dialog box and correctly displays the 'key to trust'
> 
> Fourth case :  sender's key imported, Thunderbird restarted, trust level set to
> 'unknown' and sender's key signed by me.  Thunderbird displays a green band with
> the message 'Part of the message signed; click on 'Details' button for more
> information + key ID and date signed.'

This is the case when you use an Enigmail version where bug 75 has been
fixed. You don't need to sign the sender's key.

> The date signed is given as today's date and the time as when the email was
> first opened, I think - but I actually signed this key last October (according
> to Kleopatra).

The "signed on" date/time is when the signature on the email was issued,
not when you signed the sender's key. I get the impression that you seem
to intermix signatures attached to emails with signatures of keys.

> The Details button provides 5 usable options that are the same
> as in the 'second case' above and all work same as in case three above.
> 
> The only difference between third and fourth cases is the colour of the band
> displayed which I assume is due to my having signed the key in case four.
> 
> My conclusions are :
> 
> when signatures are unknown or unverified, the options provided under the
> 'Details' button could do with some refinement to make them more useful.

I agree, but please make a reasonable suggestion for improvement.

> Maybe the signature date provided in the colour band for green case, is not
> correct ?

See above.

Would you please try again with a nightly build of Enigmail (with the
usual precautions), as shown on
https://www.enigmail.net/download/nightly.php

Thanks for testing and your time!

Ludwig
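
The distinctions drawn in the reply above (unverified versus failed verification, untrusted versus trusted good signature, and what "Signed on" refers to) can be read directly from GnuPG's machine-readable status lines. The following is an added example, not part of the original e-mail and not Enigmail's code. The status keywords are GnuPG's; the verdict labels, sample lines, key ID and fingerprint are constructed, and treating only TRUST_FULLY/TRUST_ULTIMATE as "trusted" is an assumption.

```python
from datetime import datetime, timezone

PREFIX = "[GNUPG:] "
FPR = "0000111122223333444455556666777788889999"   # constructed fingerprint
KEY = FPR[-16:]                                     # long key ID = last 16 hex digits

# Constructed status output for the cases discussed in the thread.
MISSING_KEY = f"""{PREFIX}ERRSIG {KEY} 1 2 00 1387065600 9
{PREFIX}NO_PUBKEY {KEY}"""
TAMPERED = f"{PREFIX}BADSIG {KEY} Sender <sender@example.org>"
UNCERTIFIED = f"""{PREFIX}GOODSIG {KEY} Sender <sender@example.org>
{PREFIX}VALIDSIG {FPR} 2013-12-15 1387065600 0 4 0 1 2 00 {FPR}
{PREFIX}TRUST_UNDEFINED"""
CERTIFIED = UNCERTIFIED.replace("TRUST_UNDEFINED", "TRUST_FULLY")

def classify(status_text):
    """Map the GnuPG status lines of one signature check to a verdict dict."""
    seen = {}
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            keyword, _, rest = line[len(PREFIX):].partition(" ")
            seen.setdefault(keyword, rest.split())
    result = {"verdict": "none", "key": None, "signed_on": None}
    if "BADSIG" in seen:
        # The signature was checked against the key and does not match.
        result.update(verdict="bad", key=seen["BADSIG"][0])
    elif "ERRSIG" in seen or "NO_PUBKEY" in seen:
        # No check could be performed, e.g. the sender's public key is missing.
        key = (seen.get("NO_PUBKEY") or seen["ERRSIG"])[0]
        result.update(verdict="unverified", key=key)
    elif "GOODSIG" in seen:
        # TRUST_* reports the computed validity of the signing key
        # (certifications), not the owner trust assigned to that key.
        valid = "TRUST_FULLY" in seen or "TRUST_ULTIMATE" in seen
        result.update(verdict="trusted-good" if valid else "untrusted-good",
                      key=seen["GOODSIG"][0])
    if "VALIDSIG" in seen and result["verdict"].endswith("good"):
        # Third VALIDSIG field: creation time of the message signature (epoch),
        # unrelated to when the recipient certified the sender's key.
        ts = int(seen["VALIDSIG"][2])
        result["signed_on"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return result

if __name__ == "__main__":
    for sample in (MISSING_KEY, TAMPERED, UNCERTIFIED, CERTIFIED):
        print(classify(sample))
```
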

