In a thread over on [email protected], i did a little thinking about the UI/UX for cleartext signature verification in e-mail clients.
A thought experiment about clearsigned messages follows; i'd be happy to
hear feedback.
* For cleartext messages, what if enigmail treated a bad signature and
no signature in exactly the same way, from the receiving user's
perspective?
There are two ways this could be done:
0) for broken signatures, simply show no indication that enigmail
ever thought there might have been a signature on the message
1) for all unsigned messages, and for all messages with broken
signatures, always show a simple, passive enigmail header that
says "this message had no valid signature"
The rationale that led me to this thought experiment is:
a) many MTAs can accidentally break signatures due to a variety of
reasons (line-wrapping, re-encoding, filtering, markup, etc)
b) it is trivial for any MTA that wants to *deliberately* break a
signature to do so.
c) it is trivial for a malicious MTA to modify an unsigned message so
that it looks like it has a broken signature from anyone it wants.
d) most users are not prepared to debug or repair failed signatures in
any way. At best, they can forward the message to someone with more
skill who can look into it further.
e) from an end-user perspective, a broken signature is actually not
much different than no signature at all. why highlight the
difference?
What do you think?
--dkg
PS the above proposal is not intended to address anything about
signed+encrypted messages; cleartext messages only.
PPS i believe the above proposal is independent of the inline PGP
vs. PGP/MIME question. If we can avoid this thread getting bogged
down in inline-vs-PGP/MIME, that would be lovely.
PPPS as a software developer, a debugger, and someone who likes to look
at the internals of things, i find this proposal horrifying.
However, as someone who cares about the sanity of non-technical
users, i'm not sure how to justify inflicting the "BAD SIGNATURE"
UI/UX on them when there's not much they can do about it.
