Have to ultimately trust a key to sign for it
OpenPGP addon for Mozilla Thunderbird
Brought to you by: pbrunschwig
I introduced someone to GnuPG, GPG4Win and Kleopatra today. They verified my key and set trust to "Full" which is the highest level in Kleopatra. Then they tried to email me using Enigmail&Thunderbird, latest versions.
However, encryption FAILED as the key was not trusted "enough". How is trusting it "fully" not enough? It worked when we set the trust level to "ultimate" in Enigmail, but it does not help that "Full trust" is not enough. There is no difference from a user's perspective between FULL and ULTIMATE.
I just explained this a minute ago - please see bug 399 [bugs:#399]
Related Bugs: #399
I do not see how this is a duplicate. It must be possible to sign an email even if the key is untrusted. After all, it is even possible to sign for an email that does not match the key's identities.
The way it behaves right now is almost impossible to explain to even a tech-savvy person.
I would like to add my vote to this bug - it should be possible to send an email to a key you don't want to mark as trusted.
Please reopen.
On Thu 2015-02-05 15:02:54 -0500, Martin Häcker wrote:
It is possible. You need to sign the key to indicate that you believe
it is valid. If you don't want that OpenPGP certification ever to be
published, you should make sure you make it a "local" or
"non-exportable" signature. This should all be doable from enigmail
directly.
I am not sure I get you right, because from what I understand this would be a dangerous way to encode that information inline with 'I have tested this signature in a way that I trust, but which I never want to make public'. I think the two things are and should be something different.
If that's the case, sending a mail to someone without a signature should definitely be possible.
On Thu 2015-02-05 17:32:07 -0500, Martin Häcker wrote:
It's not clear to me which two things you think should be different, but
there are (at least) two distinct things we're talking about here..
The signature on someone's key (an "OpenPGP certification") is distinct
from a signature on an e-mail (a "message signature").
The recipient of your e-mail never sees whether you have certified their
key or not. They just see your message (which may be signed, or may not
be signed).
GnuPG needs to know which key you believe is correctly associated with a
target e-mail address.
The way it knows is that it relies on certifications made by your secret
key (upon which you have bestowed ultimate ownertrust).
To make such a certification on a key in enigmail, you need to take the
action that enigmail calls "Sign Key". Those certifications can either
be exportable (the default) or they can be "local", which means that you
will not be able to upload them to the public keyservers.
Once you have made such a certification (either "local" or exportable),
Enigmail will know (because GnuPG knows) that you believe that key and
that e-mail address belong together, so enigmail will be happy to
encrypt mail addressed to that address to that key.
Does this make sense?
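To make the distinction between ownertrust and key validity concrete, here is an added Python model of the classic trust model (example code, not GnuPG's or Enigmail's implementation) using GnuPG's documented defaults: completes-needed 1, marginals-needed 3, min-cert-level 2, max-cert-depth 5. The key ids and the scenario are constructed; it reproduces the report above, where "Full" ownertrust on a key with no certification still leaves that key unusable, while a single local certification from your own (ultimate) key makes it valid.

```python
from dataclasses import dataclass, field
# Ownertrust: how far you trust a key's OWNER to certify other people's keys.
UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"
@dataclass
class Cert:
    signer: str              # key id of the certifying key (constructed ids below)
    level: int               # 0 "won't say", 1 "didn't check", 2 "casual", 3 "thorough"
    exportable: bool = True  # False for a local (lsign) certification; counts the same locally
@dataclass
class Key:
    keyid: str
    ownertrust: str = UNKNOWN
    certs: list = field(default_factory=list)

def validity(keys, keyid, marginals_needed=3, completes_needed=1,
             min_cert_level=2, max_cert_depth=5, depth=0):
    # Classic trust model with GnuPG's documented defaults (assumed here).
    key = keys[keyid]
    if key.ownertrust == ULTIMATE:    # your own key: valid by definition
        return ULTIMATE
    if depth >= max_cert_depth:       # stop runaway chains / cycles
        return UNKNOWN
    full = marginal = 0
    for cert in key.certs:
        if cert.signer not in keys or cert.signer == keyid:
            continue                  # unknown certifier or self-signature
        if 0 < cert.level < min_cert_level:
            continue                  # level-1 "didn't check" certs are ignored; level 0 always counts
        signer = keys[cert.signer]
        # A certifier only counts if its own key is valid and you gave it ownertrust.
        if validity(keys, cert.signer, marginals_needed, completes_needed,
                    min_cert_level, max_cert_depth, depth + 1) not in (FULL, ULTIMATE):
            continue
        if signer.ownertrust in (FULL, ULTIMATE):
            full += 1
        elif signer.ownertrust == MARGINAL:
            marginal += 1
    if full >= completes_needed:
        return FULL
    return MARGINAL if marginal >= marginals_needed else UNKNOWN

def can_encrypt(keys, keyid):
    # GnuPG/Enigmail refuse (without an override) a key whose validity is below marginal.
    return validity(keys, keyid) in (MARGINAL, FULL, ULTIMATE)

def thread_scenario():
    # The report: Bob's key got FULL ownertrust in Kleopatra, but no certification.
    keys = {"alice": Key("alice", ownertrust=ULTIMATE), "bob": Key("bob", ownertrust=FULL)}
    before = can_encrypt(keys, "bob")                                   # False
    keys["bob"].certs.append(Cert("alice", level=0, exportable=False))  # Enigmail "Sign Key" (local)
    return before, can_encrypt(keys, "bob")                             # (False, True)
```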
Well, I think what this boils down to this:
If I want to do a 'trust on first use' strategy, then I have to encode this trust by an explicit action by creating a local signature that has the 'I won't tell how I checked' or 'I didn't check at all' setting.
Then later when I checked the identity of the key, I can create another local signature with the 'I have checked thoroughly' setting.
I have just tested this and I don't think this actually works very well.
The problem is that if there is any signature from my key (owner trust) to someone else's key, even if it has the 'I won't tell how I checked the signature' trust level, the signature looks valid with the text "Good signature from XXX" on green background.
If I set the trust level of that key's signature to 'I didn't check' then the email signature check displays the text "UNTRUSTED Good signature from XXXX" on light blue background. Same for the 'sloppy check' level with "UNTRUSTED Good signature from XXXX".
I really think that the user interface should consider an unsigned key the same as a key on which I have created a signature with the 'I won't tell if I checked' level, and therefore a) allow sending this email with that key if the email addresses match and b) show that information better in the verification display area with instructions on how to change that.
Right now, not only is it impossible to quickly see this trust level reliably, but also setting it requires knowing that from the 'details' popup menu 'sign sender's key' is the right option to increase the trust and not the "set owner trust of sender's key" which sounds much more applicable but actually is an operation that you probably never want to choose from your email client.
This boils down to that I think there should be much better support in the UI of Enigmail to allow the high level strategy of trust on first use for new keys by treating them like keys signed with the 'I don't tell how I checked this' trust level. Also better and accurate support for showing the actual trust level of keys, plus a better visibility of the 'change trust level' functionality (signing a key with a specific trust level) while decreasing visibility of the 'set owner trust' functionality, would be very beneficial.