[Enigmail] Proposed policy

Robert J. Hansen rjh at sixdemonbag.org
Tue Dec 11 09:29:32 PST 2007


A proposal for a UI guideline:

"Enigmail will call a signature 'good' if and only if the signature is
correct and the signing key is valid.  Where practical, only good
signatures will be shown by default."



... The reason for this is simple: a good signature from an invalid key
is no signature at all.  When a user sees "UNTRUSTED good signature from
George W. Bush <w at whitehouse.gov>", well, what are they supposed to
think?  That it's a good signature?  That it comes from the President?
That they shouldn't trust the President?  (Okay, well, that one's just
good reasoning, but...)

Better just to say something like "The signing key is invalid."  Not
'good', not 'bad'.  Invalid.  There's less opportunity for newbie
confusion there: it's immediately clear to the newbie that there is a
problem with the signer's key.  The newbie no longer has to try to
figure out the difference between a "trusted good signature" and an
"untrusted good signature".

Compare:

"UNTRUSTED Good signature from George W. Bush <w at whitehouse.gov>"

"The key 'George W. Bush <w at whitehouse.gov>' is invalid.  The signature
cannot be checked."

Imagine you're dropping a newbie down in front of those two error
messages.  Ask them to describe, in their own words, what each sentence
means.  Which one do you think will be closer to the actual meaning we
want to convey to them?



... And, as a side benefit, the "hide untrusted signatures on a key"
thing follows as a direct consequence of this principle.  :)
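As an added illustration (this is not Enigmail's code nor anything from the post above), here is how the proposed rule maps onto GnuPG's machine-readable status lines from `gpg --status-fd 1 --verify`: a signature is reported "good" only when gpg emitted GOODSIG *and* the accompanying TRUST_FULLY or TRUST_ULTIMATE line; a correct signature from a revoked, expired or untrusted key becomes "the key is invalid", and a BADSIG becomes "bad". The sample status streams, key IDs and fingerprints are constructed by hand, not captured from a real run, and treating TRUST_MARGINAL as "not valid" is an assumed policy choice.

```python
# Added example, not Enigmail code: classify gpg --status-fd output under the
# rule "good iff the signature is correct AND the signing key is valid".

# Trust levels we accept as "key valid".  Treating TRUST_MARGINAL as invalid
# is a policy assumption made for this example.
VALID_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Keywords gpg emits for the outcome of the signature check itself.
SIG_KEYWORDS = ("GOODSIG", "BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def parse_status(text):
    """Reduce a status stream to the three facts the rule needs:
    which signature keyword was seen, the signer's user ID, and the
    TRUST_* level (emitted by gpg only after a correct signature)."""
    sig_kw, signer, trust = None, None, None
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # not a status line; ignore
        fields = line[len("[GNUPG:] "):].split(None, 2)
        kw = fields[0]
        if kw in SIG_KEYWORDS:
            sig_kw = kw                   # format: KEYWORD <keyid> <user id>
            signer = fields[2] if len(fields) > 2 else fields[1]
        elif kw == "ERRSIG":
            sig_kw = kw                   # could not check at all (e.g. no public key)
        elif kw.startswith("TRUST_"):
            trust = kw
    return sig_kw, signer, trust


def verdict(text):
    """Return (label, user-facing message) following the proposed wording."""
    sig_kw, signer, trust = parse_status(text)
    if sig_kw is None:
        return "unsigned", "No signature found."
    if sig_kw == "ERRSIG":
        return "unverifiable", "The signature cannot be checked."
    if sig_kw in ("BADSIG", "EXPSIG"):
        # BADSIG: the math fails.  EXPSIG: the signature itself has expired;
        # this example counts that as "not correct" (policy assumption).
        return "bad", "BAD signature from %s" % signer
    if sig_kw in ("EXPKEYSIG", "REVKEYSIG") or trust not in VALID_TRUST:
        # The math is fine but the key is expired, revoked or not trusted:
        # report the key as invalid instead of an "UNTRUSTED good signature".
        return "invalid-key", ("The key '%s' is invalid.  "
                               "The signature cannot be checked." % signer)
    return "good", "Good signature from %s" % signer


# Constructed sample status streams (placeholder key IDs and fingerprints).
_UID = "George W. Bush <w at whitehouse.gov>"
_KEYID = "0123456789ABCDEF"
_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_VALIDSIG = "[GNUPG:] VALIDSIG %s 2007-12-11 1197386972 0 4 0 17 2 00 %s\n" % (_FPR, _FPR)

UNTRUSTED = ("[GNUPG:] GOODSIG %s %s\n" % (_KEYID, _UID)) + _VALIDSIG + "[GNUPG:] TRUST_UNDEFINED\n"
TRUSTED = ("[GNUPG:] GOODSIG %s %s\n" % (_KEYID, _UID)) + _VALIDSIG + "[GNUPG:] TRUST_ULTIMATE\n"
REVOKED = ("[GNUPG:] REVKEYSIG %s %s\n" % (_KEYID, _UID)) + _VALIDSIG
BAD = "[GNUPG:] BADSIG %s %s\n" % (_KEYID, _UID)
MISSING = "[GNUPG:] ERRSIG %s 17 2 00 1197386972 9\n[GNUPG:] NO_PUBKEY %s\n" % (_KEYID, _KEYID)

if __name__ == "__main__":
    for name, stream in (("untrusted", UNTRUSTED), ("trusted", TRUSTED),
                         ("revoked", REVOKED), ("bad", BAD), ("missing", MISSING)):
        print("%-9s -> %s" % (name, verdict(stream)))
```

Note that GOODSIG carries only a key ID; a real implementation should take the signer's identity from the full fingerprint on the VALIDSIG line rather than from the ID in GOODSIG.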

