UI terminology for calculated validities

Gabriel Niebler gabriel.niebler at gmail.com
Fri Apr 25 00:19:12 CEST 2014



Peter Lebbing has thankfully pointed out that, out of my two
suggestions, "authenticity" is the word that should be preferred.
I agree with him on this, so I shall use that word here.

> A key on my keyring is "valid" if it is not expired or revoked and
> it bears one signature from one of my keys, or several signatures
> from other keys to which I have granted marginal authority to
> validate keys.

Yes, this is understood.
I believe, however, that the above statement would be easier to grasp
for novices if it were modified thus:
"""
A key on my keyring is "valid" if it is not expired or revoked.
It is "authentic" if it bears one signature from one of my keys, or
several signatures from other keys to which I have granted marginal
authority to authenticate keys.
"""
This way, the word "valid" in the first sentence - for which a clear
technical definition is given - still means what a novice user would
expect it to mean, based on common usage. The word "authentic" in the
second sentence is also defined in clear, technical terms, its meaning
is also pretty much what one would expect.

> "Valid" in this context means that my copy of GnuPG will accept it
> as an encryption key. It is not necessarily related to the
> purported identity of the person or persons who are thought to have
> access to the corresponding private key. (I may, for example,
> locally sign a key that works for exchanging with a particular
> email address. That does not mean I have any clue who controls that
> key or that email address.)

That is true, but one could also use the word "authentic" in this
case. I can consider some given key with some pseudonymous UserID
"authentic", because I know that it works to communicate with this
email address, whether I know the real identity behind the address or
not. I note this "authenticity" to myself by a local signature on the
key. GnuPG will only accept encryption keys that are both "valid" and
"authentic". It all works and the meaning is a little clearer, IMO.

>> Technically inclined people have a second association with the
>> word "valid", (...), which naturally translates to (...) and,
>> again, does NOT translate to the question of the key holder's
>> true identity. (...)

"True identity" was perhaps not the best turn of phrase to use, while
trying not to repeat myself. I should have written "does NOT translate
to the question whether the entity/entities controlling the key is/are
indeed the one(s) represented by the UserID(s)".
And I maintain that this is true for the second common usage of the
word "valid" (as in XML etc.)

> What is somebody's "true" identity? Many (or even most) people
> have more than one identity, some long-lasting and others
> ephemeral. A professional versus a personal identity. Multiple
> social identities depending on context. A professional identity in
> each of several occupations, either simultaneously or changing over
> time. The name on their birth certificate versus the name by which
> they are actually known. Etc.

As far as keys are concerned it all boils down to the association
between private key and UserID. This is understood.

>> What makes it worse is that in the above examples, i.e. the cases
>> people are familiar with, validity can usually be determined from
>> the document itself (here that would be the key), or at worst the
>> system that works with the document (here that would be GnuPG),
>> but neither is the case with key ownership.
> 
> GnuPG *can* inspect the signatures present on a key to determine 
> validity.

Yes, but only if the user has already begun to build their WoT. It has
been pointed out by other people in this same thread, that
a) this will usually never be the case for novice users (unless the
first thing they do is to maximally trust e.g. pgpca at ct.heise.de and
they may be better advised to start by comparing fingerprints off-band
with acquaintances) and
b) some, maybe many, perhaps even most users may never get to the
point of having a WoT large enough to be useful for this calculation.

So as it is now, a new user finds they must (basically always)
establish a key's "validity" themselves, when the expectation is that
GnuPG should know whether a given key is "valid". This may frustrate
some. (Real life examples are described by other people in the thread)

Instead, if we used "validity" for expiration/revocation status, then
we can explain "GnuPG always knows whether a given key is 'valid'* -
as you would expect. It (usually) can't tell whether the key is
'authentic', though. You need to check that and tell GnuPG by making a
signature." This is very easy to explain and understand, because it
gels with people's expectations.

And once new users have grasped this, they can be told that "GnuPG
*can* inspect the signatures present on a key to determine
authenticity." (This sentence could start the very next paragraph, or
could be under "advanced topics") And then we explain the whole
concept of the WoT.

> Validity does not equate to ownership or identity.

And neither does authenticity. Terms used in GnuPG _are_ technical
terms and connotations will only get one so far. But at least the
connotations can get one thinking in the right direction.

>> Simply put, the word "validity" already means something to most
>> people, but it was taken and redefined to mean something else in
>> the context of asymmetric encryption keys
> 
> No it was not. The key is "valid" by virtue of the signatures it 
> carries. It is a simple mechanism.

Yes, it is a simple mechanism and the aim is not to change it.
But why not say "The key is 'authentic' by virtue of the signatures it
carries. It is 'valid' if it has not expired or been revoked."?

>> - it's a bit like making a calculator and using the '+' sign for
>> multiplication: it will do the correct thing and it's all in the
>> manual, but it's still horribly confusing.
> 
> Validity is just counting the relevant signatures. It only becomes 
> confusing when you consider the meaning of those signatures.

In normal life, it is "authenticity", not "validity" that is
established by signatures.

A passport is authentic if the information contained in it (the
bearer's UserID, so to speak) is correct, as witnessed by the
signature of some official. The passport is valid if it has not
expired or been marked/stamped/made invalid (i.e. revoked).
The analogy is very clear.

The question of "the meaning of signatures" is a different kettle of
fish altogether and - yes - may also give rise to (a different kind
of) confusion. That's not the topic of debate here.

>> Therefore, I propose that the word "validity" is not chosen well
>> for what it now means in GnuPG, because it carries with it
>> connotations that are quite different from the intended meaning,
>> which is confusing. And thus a better, clearer word should be
>> found and used in future. Which word is obviously a matter for
>> debate.
> 
> I disagree. Validity in GnuPG is a perfectly clear descriptive
> name for a simple, mechanistic concept.

And "Authenticity" is an equally clear and additionally _intuitive_
descriptive name for the same simple, mechanistic concept.
"Validity" naturally lends itself to the combination of
expiration/revocation status, and should be used for that (if at all).

>> Ad (a): A user wants to know whether the key they obtained is
>> really _owned_ by the person whose UserID(s) came with it.
> 
> Once the user establishes the question of
> ownership/identity/control, they *could* then choose to validate
> the key by signing it. But the choice is theirs alone: simply
> knowing does not make their copy of GnuPG accept the key as
> "valid."

Obviously, no argument here. My knowledge of who really controls a key
would not make it "authentic" to GnuPG any more than it makes it
"valid" now. Signatures are still required, this is well understood.

>> My government issued passport is authentic and I own it,
> 
> Mine says it remains the property of the government and may be 
> withdrawn at any time. So whoever uses the passport when they
> travel, it is never the owner.

Yes, I know. That's why official jargon uses the word "bearer". This
is a technicality, though, I "own" it in the sense that it is _my_
passport. A thief who stole it from me does not "own" it even in that
sense, they merely possess it.
"Ownership" is not such a good replacement for "validity" anyway, as
stated in the beginning, so this is somewhat off topic now.

Best
 gabe


* Yes, GnuPG's information for determining "validity" in terms of
revocation/expiration may be out of date. The key may have been
revoked - thus be invalid - and GnuPG hasn't downloaded the revocation
certificate yet. Or the key's expiration date may have been set to a
later date, so it's still valid, but my GnuPG does not know this. This
is beside the point, though, the intuitive understanding of "validity"
in this context is still correct.
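
The two-term split proposed in the message above, as an added example that is not part of the original post and is not GnuPG code. It is a simplified one-hop model: the `Key` class, the signer ids and the sample keys are constructed for illustration, and the threshold of 3 is an assumption mirroring GnuPG's default for `--marginals-needed`.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

MARGINALS_NEEDED = 3  # assumption: mirrors GnuPG's default --marginals-needed

@dataclass
class Key:
    user_id: str
    expires: Optional[datetime] = None           # None means "never expires"
    revoked: bool = False
    signed_by: set = field(default_factory=set)  # ids of certifying keys

def is_valid(key, now):
    """'Valid' in the proposed sense: neither revoked nor expired."""
    return not key.revoked and (key.expires is None or now < key.expires)

def is_authentic(key, own_keys, marginal_signers, needed=MARGINALS_NEEDED):
    """'Authentic' in the proposed sense: one signature from one of my own
    keys, or enough signatures from keys granted marginal authority."""
    if key.signed_by & own_keys:
        return True
    return len(key.signed_by & marginal_signers) >= needed

def status(key, own_keys, marginal_signers, now):
    valid = is_valid(key, now)
    authentic = is_authentic(key, own_keys, marginal_signers)
    # Per the message: only keys that are both are accepted for encryption.
    return {"valid": valid, "authentic": authentic,
            "encrypt_ok": valid and authentic}

def demo():
    """Run the two checks over a constructed keyring."""
    now = datetime(2014, 4, 25, tzinfo=timezone.utc)
    own, marginal = {"ME"}, {"M1", "M2", "M3"}
    ring = [
        Key("alice", signed_by={"ME"}),
        Key("bob", expires=datetime(2014, 1, 1, tzinfo=timezone.utc),
            signed_by={"ME"}),                     # authentic but expired
        Key("carol"),                              # valid, nobody vouches
        Key("dave", signed_by={"M1", "M2", "M3"}),
        Key("erin", signed_by={"M1", "M2"}),       # one marginal short
        Key("frank", revoked=True, signed_by={"M1", "M2", "M3"}),
    ]
    return {k.user_id: status(k, own, marginal, now) for k in ring}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "bob" and "carol" rows show the two ways a key can be refused for encryption, which a single "validity" value reports as one condition.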