[Enigmail] On Signatures, Part II

Jan Steffen steffenjan at web.de
Fri Dec 14 05:59:03 PST 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Robert J. Hansen wrote:
> In Part I a proof structure was drawn showing that there is no
> informational content to be found in a bad signature.  Here we will draw
> a (looser) proof structure showing there is no informational content to
> be found in an untrusted signature.
> 


[cut a long and complicated description that the concept of the
Wob-of-Trust is difficult to grasp]


> In the absence of a validated key, there is absolutely no reason to
> believe any of those over the others.  You cannot distinguish between
> the various cases except by guessing and hoping you're right.  That
> means an untrusted good signature cannot assert the provenance of a message.
> 
> Which means an untrusted good signature really isn't much of a signature
> at all, and we should really think about whether we wish to use language
> (like "good signature") which implies otherwise.
>
> For this reason, key validity--which is to say, introducing a new fact
> into the domain of discourse which connects a certificate with a
> person--is a necessary precondition to the signature having
> informational value.
>
> No validity?  No informational value.  No informational value?  Then
> it's noise.

Untrusted signature means that the message was signed, but you don't
know by whom.
The solution is to contact the sender and exchange his fingerprint on a
secure way or ask him to go to a key-signing-party.
This is indeed a concept which is difficult to grasp for most users.
But it doesn't mean that a untrusted sig has no information.

I agree with you that all that could be made easier to grasp for the
normal user. But just hiding all information that a user /might/ not
fully understand is the wrong way IMO.

One main problem are the different meanings of "trust":
Trust that a key really belongs to someone.
Trust that someone only signs other keys after careful ID-checking.
Trust in a person being "Good guy".

Jan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHYowmSa1Uad4+pFcRCOl5AKCSPBCzSGBhYpImd+Wh3+Q7IRoT9QCeKPfp
3bDPtlN0IbNT70wcajyWdHc=
=cl5c
-----END PGP SIGNATURE-----

More information about the Enigmail mailing list