On 17.04.15 09:38, Rainer Blome wrote:
> This is a serious usability issue.
> For me as well as for at least one other person that I
> communicated with, the error message pops up every time
> Thunderbird tries to autosave, which by default is every
> five minutes (unless we set the "owner trust" to "ultimate").
> In Thunderbird, automatic saving of drafts is enabled by
> default, as far as I know (default of "mail.compose.autosave"
> is true).
>
> For the record: I have configured Thunderbird to routinely
> send a BCC to myself.
> Maybe that is playing a role here, but I don't think so.
>
> I expect Enigmail to be usable by "mom and pop".
> Even the improved error message does not help "mom and pop"
> enough to understand and solve the problem.
>
> According to a previous list mail, the 1.8.2 message reads:
> "'[email protected]' cannot be matched to a valid, not expired OpenPGP
> key. Please ensure that you have a valid OpenPGP key."
>
> What exactly does "valid" mean here?
Valid is the calculated validity of GnuPG. See our (or other)
documentation (link at the end of this message).
> In the key management dialogue, or rather,
> in the key properties dialogue,
> what do "valid" and "invalid" keys look like?
There's a column named "validity". You can sort all keys according to
"validity".
> The only way known to me to satisfy Enigmail/GPG is
> to set the "owner trust" ("How much do you trust the owner of
> the key to sign other keys properly?") for my own key to
> "ultimate" (German: "absolut"). (Are there other ways?)
No.
> If I do this, the value of "Key Validity" (German:
> "Schlüsselgültigkeit") changes from "unknown" (German: "unbekannt")
> to "valid" (German: "absolut"). Setting any other "owner trust"
> value sets the validity to "unknown" (German: "unbekannt").
>
> This coupling of values is surprising to me.
> Why should the trust I extend to a key signer affect the
> validity of their key?
In fact this is not known for many beginners. In this special case, you
trust the certification of yourself for YOUR key. This is the root of
all trust, regarding your installation.
Owner trust is automatically set to "ultimate" during key generation.
However, when ex- and importing, this trust value is not included in
your key file. It seems to be a quite common problem.
> Note in particular that the description of "owner trust" as a
> "signing trust" cited above does not talk about the validity
> of the key itself or about any trust in the key itself.
> If particular "signing trust" values imply assumptions about
> the key itself, that should be made obvious,
> at least with a link to a thorough explanation.
>
> Someone who does not want to use the "web of trust" concept,
> or does not even know about it,
> should not have to worry about "trust in key signers" at all.
> I assume that the concept is not technically required to
> make the encryption and signing work securely.
> Can someone confirm this?
You can ignore owner trust for foreign keys if you have verified the
keys for all your contacts. But you cannot ignore the trust in your own
certifications. In real life, if you don't recognise your own signature,
how valid are the contracts you have signed? You'd surely say that this
is the signature of a stranger...
> As far as I remember, setting trust for my own key
> was not necessary before Enigmail 1.8.
> Can anyone confirm this?
> I may very well be wrong, but a friend of mine had the same
> issue, as far as I know.
Before 1.8, Enigmail had a setting "Trust the keys of all recipients"
which was activated probably for a very large percentage of
installations. This setting told GnuPG to regard every key in your
keyring valid, including your own. Now this setting is gone, and I'm
very glad about it, as it covered essential problems in your
installation in a very clumsy way, leading to security problems far
worse than this usability issue here.
> PS: Further, I do not understand why I have to *set* validity
> of and trust in my own key. I do trust my key, from its
> creation, and this should be the default.
Yes, but your machine doesn't seem to know about it (any more), so you
have to say that this key is yours by putting "ultimate" owner trust on it.
Usually this is the ONLY key with this setting in your keyring.
> This is possibly not an Enigmail issue.
> The lack of validity and trust may be due to the way I used to
> import my key, which I do not remember exactly.
Ah, here we have the culprit. Trust is not included in ex- and imported
keys, see above.
Ludwig
P.S. You might want to read the handbook
(https://www.enigmail.net/documentation/Enigmail_Handbook_1.8_en.pdf),
chapter 3.4 and following.
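Added example (not part of this mailing-list thread): a small audit over the output of `gpg --with-colons --list-keys`, the machine-readable form of the "validity" column mentioned above, showing the state after importing one's own key without its owner trust and after re-setting it to ultimate. The letter mapping follows GnuPG's doc/DETAILS; the two listings, key IDs and addresses are constructed.

```python
from dataclasses import dataclass, field

# Validity and owner-trust letters as documented in GnuPG's doc/DETAILS.
TRUST = {"u": "ultimate", "f": "full", "m": "marginal", "-": "unknown", "q": "undefined",
         "e": "expired", "r": "revoked", "i": "invalid", "n": "never"}

@dataclass
class Key:
    keyid: str
    validity: str    # computed validity (field 2): what Enigmail's check looks at
    ownertrust: str  # owner trust (field 9): what you set, and what key export drops
    uids: list = field(default_factory=list)

def parse_listing(text: str) -> list:
    """Parse `gpg --with-colons --list-keys` output into Key records."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(f[4], TRUST.get(f[1], f[1]), TRUST.get(f[8], f[8])))
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(f[9])
    return keys

def audit(text: str, own_email: str) -> list:
    """Explain why a key can be 'not valid, not expired'; an empty list means fine."""
    keys, findings = parse_listing(text), []
    own = [k for k in keys if any(own_email.lower() in u.lower() for u in k.uids)]
    if not own:
        findings.append(f"no key has a user ID containing {own_email}")
    for k in own:
        if k.validity != "ultimate":
            findings.append(f"own key {k.keyid}: validity '{k.validity}', owner trust "
                            f"'{k.ownertrust}'; set owner trust to ultimate after importing")
    if not any(k.ownertrust == "ultimate" for k in keys):
        findings.append("no key in the keyring has ultimate owner trust")
    findings += [f"key {k.keyid} is {k.validity}" for k in keys
                 if k.validity in ("expired", "revoked")]
    return findings

# Constructed sample (not real keys): own key imported without its owner trust ...
IMPORTED = """\
pub:-:2048:1:0123456789ABCDEF:1420070400:::-:::scESC::::::23::0:
uid:-::::1420070400::AAAA::Mom Example <mom@example.org>::::::::::0:
pub:-:2048:1:FEDCBA9876543210:1420070400:::-:::scESC::::::23::0:
uid:-::::1420070400::BBBB::Pop Example <pop@example.org>::::::::::0:
"""
# ... and the same keyring after `gpg --edit-key mom@example.org trust` (choice 5 = ultimate).
FIXED = IMPORTED.replace("pub:-:2048:1:0123456789ABCDEF:1420070400:::-",
                         "pub:u:2048:1:0123456789ABCDEF:1420070400:::u"
                         ).replace("uid:-::::1420070400::AAAA", "uid:u::::1420070400::AAAA")
```

Running `audit(IMPORTED, "mom@example.org")` reports the own key as unknown validity with no ultimately trusted key in the keyring; the same call on `FIXED` returns nothing, while the contact's key stays "unknown" until it is signed, exactly as the reply above describes.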
