On Tue, Jan 07, 2014 at 01:17:12PM -0500, Ted Unangst wrote:
> On Tue, Jan 07, 2014 at 16:54, Christian Weisgerber wrote:
> > Ted Unangst <t...@tedunangst.com> wrote:
> > 
> >> To that end, I think the comment should be marked as untrusted, and
> >> signify should even check that it says untrusted. Hopefully this makes
> >> it a little harder to con somebody into believing the comment actually
> >> should be trusted.
> > 
> > I think somebody who can be conned into accepting a key will not
> > understand or think about "untrusted comment".
> 
> hmm.
> 1. people who don't trust strangers. we don't need to protect them.
> 2. people who do trust strangers. we can't protect them.
> 3. people who are initially suspicious, but have a mistaken belief
> that they can spot mischief. maybe they will be fooled regardless, but
> I don't want to provide anything that can be used as leverage against
> them.
> 
> > 
> >> (I'm also open to reconsidering whether keys should include
> >> identifiers. Perhaps a random id created during key generation? Just
> >> enough to say "you're using the wrong key.")
> > 
> > I'm in favor.
> 
> Here's a diff with that too. I print out the fingerprints after a
> mismatch, but the fingerprints are in the opaque part of the file, so
> I'm not sure how useful that is. At least it provides a hint to check
> the command line arguments.

I think the fingerprint mismatch error message is too technical.
errx(1, "Signature failed: checked against the wrong key");
looks like enough for me.

Apart from that, I'm okay with that code.

If you want to display fingerprints, well, you have to make it possible
to display fingerprints for any key-like message.
Not that it's much code, but is it really necessary?
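The two checks discussed in this thread, the mandatory "untrusted comment:" prefix and a per-key random id that lets the verifier say "checked against the wrong key", as an added illustration that is not the diff under review. It assumes the file layout shipped signify later settled on (comment line, then base64 of a two-byte "Ed" tag, an 8-byte key id, and the key or signature bytes) and uses constructed key ids with zeroed key material, so no real verification happens.

```python
import base64

KEYNUMLEN = 8                       # random key id, bytes (assumed layout)
PKALG = b"Ed"                       # algorithm tag preceding the key id
COMMENT_PREFIX = "untrusted comment: "

def comment_is_untrusted(text):
    """True only if the file's comment line carries the untrusted marker."""
    return text.startswith(COMMENT_PREFIX)

def parse_keylike(text):
    """Split a key-like file into (keynum, payload); reject a comment that
    is not explicitly marked untrusted, so a 'trusted' label cannot be used
    as leverage on the reader."""
    lines = text.splitlines()
    if len(lines) < 2 or not comment_is_untrusted(lines[0]):
        raise ValueError("invalid comment in file; must start with 'untrusted comment: '")
    body = base64.b64decode(lines[1])
    if body[:2] != PKALG or len(body) < 2 + KEYNUMLEN:
        raise ValueError("unsupported key/signature format")
    return body[2:2 + KEYNUMLEN], body[2 + KEYNUMLEN:]

def check_key_match(pubkey_text, sig_text):
    """Return None when the signature's embedded key id matches the public
    key, otherwise the plain error message proposed above."""
    pub_keynum, _ = parse_keylike(pubkey_text)
    sig_keynum, _ = parse_keylike(sig_text)
    if pub_keynum != sig_keynum:
        return "Signature failed: checked against the wrong key"
    return None

def make_keylike(comment, keynum, payload):
    """Constructed sample builder for a key or signature file."""
    body = base64.b64encode(PKALG + keynum + payload).decode()
    return COMMENT_PREFIX + comment + "\n" + body + "\n"

# Constructed sample data: two key ids, all-zero key and signature bytes
KEYNUM_A = bytes.fromhex("0011223344556677")
KEYNUM_B = bytes.fromhex("8899aabbccddeeff")
PUBKEY_A = make_keylike("key A", KEYNUM_A, b"\x00" * 32)
SIG_A = make_keylike("signed with key A", KEYNUM_A, b"\x00" * 64)
SIG_B = make_keylike("signed with key B", KEYNUM_B, b"\x00" * 64)
TRUSTED_SIG = "trusted comment: looks legit\n" + SIG_A.split("\n")[1] + "\n"

if __name__ == "__main__":
    print(check_key_match(PUBKEY_A, SIG_A))   # None: key ids match
    print(check_key_match(PUBKEY_A, SIG_B))   # wrong-key message
    print(comment_is_untrusted(TRUSTED_SIG))  # False: comment rejected
```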
