GNOME Bugzilla – Bug 571688
a key shouldn't be trusted if it isn't signed
Last modified: 2009-08-24 23:33:33 UTC
This bug has been reported here: https://bugs.launchpad.net/ubuntu/+source/seahorse/+bug/328735

Seahorse allows the user to trust a key even if it isn't already signed. I think this is misleading. I think that when you want to sign a key, a window should be opened to sign the key and then another window should be opened to trust that key. Anyway, the user should also be able to trust the key at a later moment. If the user doesn't sign the key, the trust function shouldn't be available.

Other information: I know that trusting and signing are technically two separate processes, but I also say that from a logical point of view trusting should follow signing, that is, I should assign a trust judgement to a key (that is, to a person) that I know is valid (that is, the owner of that key is the person I think he should be). The only reason I see to let the user trust a key without signing it is related to a scenario in which the user (owner of the keyring) wants to assign trust judgements to people he knows, using the keys related to these people, regardless of the fact that these keys are really valid or not. That is, collecting a sort of people trust list. In this scenario, however, the "dangerous" thing is that if the user discovers that a key isn't valid he should delete it, but doing this he should also delete the trust judgement of that person; on the other side, in order to preserve the trust judgement, he shouldn't delete the key once he has discovered that it isn't valid, but doing this he should have in his keyrings non-valid keys, in which keys not yet checked for validity and keys already checked for validity (but not deleted) cohabit together. I think the actual situation is misleading for the user and not very useful.
We could change the UI, but gpg allows you to set trust without signing a key to mark it valid. It might be a good idea, when signing is triggered from the context menu, to prompt for trust after that.
I agree that you can trust a key without signing. Anyway, the current situation is misleading, as "trusting" a key is actually a misleading term. When you "trust" a key, you actually set owner-trust, meaning you trust the key owner's ability to assure other people's identity.

From http://www.gnupg.org/documentation/faqs.en.html#q4.7 :

<citation> 4.7) What are trust, validity and ownertrust? With GnuPG, the term "ownertrust" is used instead of "trust" to help clarify that this is the value you have assigned to a key to express how much you trust the owner of this key to correctly sign (and thereby introduce) other keys. The "validity", or calculated trust, is a value which indicates how much GnuPG considers a key as being valid (that it really belongs to the one who claims to be the owner of the key). For more information on trust values see the chapter "The Web of Trust" in The GNU Privacy Handbook </citation>

You can change the ownertrust of a key, which only affects other keys signed by that key. You can sign a key, which affects the key directly. If you sign a key, the signed key becomes "valid" in case your own key has owner-trust "absolute" (mostly).

From the reporter's original bug report @ https://bugs.launchpad.net/ubuntu/+source/seahorse/+bug/328735 :

<citation> If I have a key under "collected keys" and I check, in the trust tab of the key property, the option "I have verified that this key owns to <<...................>>" the key is put immediately in the "trusted keys". I think it's wrong as I haven't signed the key yet. </citation>

The misleading fact in seahorse is therefore that the tab is called "trusted keys", showing all keys with ownertrust set, but they don't need to be valid to be in there!!! A user should only trust the key itself if it is valid from a web of trust PoV.

Proposed resolution: Insert another tab "valid keys", or don't let owner-trusted non-valid keys show in "trusted keys".
If you want to make a key valid, even though it's not signed by people you know, you can only sign it yourself (using lsign). Signing it with sign or tsign means that you assert the key owner's identity and that the key in question is his real key.
Markus, I think instead of adding another tab we can propose to only rename the "trusted keys" tab to just "valid keys", which should be, as I already said, the keys that are signed by the user (I mean not by the key owner). Then, inside this tab the user could read the trust level (that is, the trust level of the key owner). Obviously, as I already said, the trust level setting should follow the key signing process, regardless of the fact that gpg permits trusting a key without having signed it before.
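The distinction the two comments above turn on (ownertrust, which the user assigns, versus validity, which gpg calculates from signatures) is visible directly in `gpg --list-keys --with-colons` output: field 2 of a `pub` record is the validity and field 9 is the ownertrust. The following is an added example, not Seahorse or GnuPG code, that parses a constructed listing and shows how a tab filtered by ownertrust (the old "trusted keys" tab) differs from one filtered by validity (the proposed "valid keys" tab); the function names and sample key IDs are invented.

```python
# Constructed `gpg --list-keys --with-colons` output (not real keys).
# pub record: field 2 = calculated validity, field 9 = ownertrust.
# uid record: field 2 = validity, field 10 = user id.
SAMPLE_LISTING = """\
tru::1:1251000000:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAAA:1250000000:::u:::scESC:
uid:u::::1250000000::0000000000000000000000000000000000000000::Own Key <own@example.test>:
pub:-:2048:1:BBBBBBBBBBBBBBBB:1250000000:::f:::scESC:
uid:-::::1250000000::1111111111111111111111111111111111111111::Collected Key <collected@example.test>:
pub:f:2048:1:CCCCCCCCCCCCCCCC:1250000000:::-:::scESC:
uid:f::::1250000000::2222222222222222222222222222222222222222::Signed Key <signed@example.test>:
"""

# Letters gpg uses for both validity and ownertrust: m = marginal, f = full,
# u = ultimate. Anything else ("-", "q", "n", "e", "r", ...) is not valid /
# has no usable ownertrust.
VALID = {"m", "f", "u"}
OWNERTRUST_SET = {"m", "f", "u"}


def parse_keys(listing):
    """Return one dict per primary key with keyid, validity, ownertrust, uid."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({"keyid": fields[4], "validity": fields[1],
                         "ownertrust": fields[8], "uid": None})
        elif fields[0] == "uid" and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = fields[9]   # first uid of the preceding pub
    return keys


def trusted_tab(keys):
    """Keys the old "trusted keys" tab listed: ownertrust assigned, validity ignored."""
    return [k["keyid"] for k in keys if k["ownertrust"] in OWNERTRUST_SET]


def valid_tab(keys):
    """Keys a "valid keys" tab would list: validity computed from signatures."""
    return [k["keyid"] for k in keys if k["validity"] in VALID]


def ownertrust_without_validity(keys):
    """The misleading case: ownertrust set on a key gpg does not consider valid."""
    return [k["keyid"] for k in keys
            if k["ownertrust"] in OWNERTRUST_SET and k["validity"] not in VALID]
```

Key B is the scenario in the report: it would appear under "trusted keys" although nobody the user trusts has signed it, while key C (signed, hence valid, but with no ownertrust assigned) would not.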
In 2.27 the Trusted Keys tab was removed.