On 04/22/2014 06:50 PM, Nicolai Josuttis wrote: > me: you either can sign the key > or trust somebody else who signed the key > (such as [email protected]) > he: Oh, I even registered my email/key there > but what else is missing? > me: load the key for [email protected] > he: done, but trust is still missing > me: oh, yes, you also have to express trust for this key/owner > Then it worked ...
did he understand the other consequences of setting ownertrust for [email protected]? It's one thing to say "it worked!" but he may not understand that whoever controls the [email protected] can now trick him into believing any OpenPGP identities that they want. > That's a summary of learning step by step what has to be done > to benefit from the web-of-trust > (and BTW "he" was even an IT guy). > > BTW, the dialog would have been different > if I would have used "valid" instead of "trusted". > E.g. as follows: > me: oh, but you need valid(!) keys > he: but they are! Look, neither expired or revoked! > me: no, no, valid in the sense that you can trust them > he ah, I need to trust the keys ... Or, you could have said "you need to validate the certificates" -- i don't know exactly how the conversation would have followed from there, but you wouldn't have led him to trust a key that he is not willing to rely on for certifications. > The essence, we have to teach is: > - create a key > - and then either > - exchange the key > - and sign then key you got > (after validating the fingerprint) > or > - load the key for [email protected] > or other central "trust agencies" > - AND express trust for that key/owner > > Thus, I am really surprised that you suggest to teach "validity" > instead of "trust". i don't see how the surprise follows from the ideas above. trusting a certificate-signing authority is distinct from validating a certificate. > And I agree that "owner" make things unnecessary complicated. > I am more and more convinced that we simply always should > talk about trust: > - If I trust the key/owner that/who signs other keys, > I can trust these keys and safely use them But these are distinct concepts. conflating them by using the same word does people a disservice. --dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
