Patrick Brunschwig: > dkg and I discussed when and how the result of verifying a signed mail > should be displayed. We came up with the following solution, that I want > to implement in Enigmail. > > > We *only* display signature information if *all* of the following > conditions are satisfied: > > A. The signature could be verified successfully > B. Email date and signature date are "close" [1] to each other, and > both dates are in the "past" or in the near future [2] > C. The signing key is associated with the From: address of the email > via any of: valid UID, per-recipient rule, Autocrypt peer-state > D. If the signing (sub-)key is revoked: > - the signing (sub-)key must not be revoked with reasons other > than "superseded". > - if the revocation reason was "superseded" then the date of the > revocation must be after then signing date. > E. If the signing (sub-)key is expired, the expiry date must be after > the signing date > > > [1] We need to allow some delta since there is always a little gap > between the signature creation and and message sending. > > [2] We need to allow a few hours in the future, since not all mail > clients run on the exact time. > > > -Patrick
Why not display exactly what GnuPG reports concerning a signature? Leave it up to the user to make his own value judgments. -- Whitey
signature.asc
Description: OpenPGP digital signature
_______________________________________________ enigmail-users mailing list [email protected] To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
