[Enigmail] "untrusted good signature" ??

Olav Seyfarth olav at seyfarth.de
Fri Dec 31 13:50:44 EST 2004


Hi David,

> Stupid question: what does UNTRUSTED GOOD signature mean?

THIS definitely is NOT a stupid question but the type of question
everybody should be asking really.

GOOD means that Enigmail verified that the mail content matches the
signature. Nobody tampered with the message. It reached you unmodified,
and only those who hold the SECRET key it was signed with are able to
produce that particular signature.

UNTRUSTED means that although the message matches the signature, GnuPG
cannot check whether the key belongs to the OWNER of the email address.

E.g. I could create a key with a UID containing your email address
and upload it to a public keyserver, then set up an account using your
email address as From: address, and send you such a message.

By SIGNing a KEY, you tell GnuPG that YOU checked that the key and the
UID (email address), or rather the person who is supposed to use that
email address, do match (i.e. you TRUST that KEY to be valid in the sense
that it belongs to a certain person). So, as you told GnuPG that you
trust it, Enigmail will no longer show UNTRUSTED, just GOOD.

But DID you really VERIFY that this exact key is the right one? You
MUST do so before publishing a (non-local) key signature on a keyserver!

If you did not check but rather want to get rid of the message because
you think you have enough proof that it is unlikely not to be the right
key, then please use LOCAL signatures only (in order to avoid them being
uploaded by accident some day - that's exactly what local sigs are
designed for)!

--- start of comment ---

In respect to the trust thing, similar examples come into my mind.
But these are merely to illustrate and do not directly relate to your
above question:

- How many times have you acknowledged an SSL warning asking you that a
  certificate cannot be verified and whether you'd like to accept or not
  -- and have you not clicked "always accept" without verifying?

  => So, how much sense do these certs make then anyway?

- When installing Enigmail, Thunderbird waits 2 seconds while asking you
  if you really want to install this UNSIGNED extension. Did you install
  it without checking its signature, which may be downloaded separately?

  => Shouldn't at least security related extensions be properly signed?

Now, even IF you tried to verify these certificates and signatures, how
shall an ordinary user know WHAT to verify and HOW?

Mozilla programs come with a set of trusted root certificates. These
certificates are commonly trusted. But how do you trust (and verify) the
Mozilla program incorporating these root certs when downloading it?
You could do this by using OpenSSL or GnuPG if a sig is provided, but
then you still need to trust that your GnuPG has not been tampered with
and that the key the program has been signed with really belongs to
a trustworthy Mozilla developer who did check the integrity of the
certs...

It all boils down to this: either you don't bother (in which case the
advice given to just (locally) sign Patrick's key was good), or you
must check the integrity of his key through other means. If you live
near Zurich, go and visit him, check official documents, get a copy
of his key fingerprint and ask him about Enigmail. But if everybody
did that ...

So, you could try to establish a trust link through the web of trust:
try to create a chain from someone you know personally, who signed the
key of someone he/she knows personally (and so on), who knows Patrick
personally and signed his key. How many hops would you still trust?

Yet another way might be that he (-> all developers) have their keys
signed by one of the globally trusted CAs so you can check the validity
of his KEY (i.e. that key XY really belongs to him). But unfortunately
this involves a yearly fee - and developers like Patrick usually really
donate a lot anyway.

Now, there might (I think there really should) be a Mozilla TrustCenter,
with all Mozilla products (and preferably many others as well) having its
root cert integrated. But this needs someone to run such a thing (which
is not a trivial job at all and unfortunately also involves quite some
money).

--- end of comment ---

Olav
--
Jabber: nursoda at jabber.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : http://mozdev.org/pipermail/enigmail/attachments/20041231/339e65a6/signature.bin
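The distinction Olav describes above (message integrity vs. validity of the signing key) is exactly what a front end like Enigmail reads off GnuPG's machine-readable status output. The following is an added example, not Enigmail's or GnuPG's own code: it parses `gpg --status-fd` transcripts and turns them into the GOOD / UNTRUSTED GOOD / BAD verdicts from the mail. The status keywords (GOODSIG, BADSIG, EXPKEYSIG, REVKEYSIG, ERRSIG, NO_PUBKEY, VALIDSIG, TRUST_*) are GnuPG's documented ones; the transcripts, key IDs, fingerprints and user IDs in the samples are constructed for this example, and the rule that only "full" or "ultimate" validity clears the UNTRUSTED flag is a design choice of this example that mirrors the cases in which gpg prints no "key is not certified" warning.

```python
"""Classify gpg --status-fd output into GOOD / UNTRUSTED GOOD / BAD verdicts.

Added example, not Enigmail's or GnuPG's code. Two separate questions:
  GOODSIG/BADSIG/EXPKEYSIG/REVKEYSIG/ERRSIG/NO_PUBKEY -> does the message match the signature?
  TRUST_UNDEFINED/NEVER/MARGINAL/FULLY/ULTIMATE      -> is the signing key valid for its UID?
All sample transcripts below are constructed; the key material is placeholder data.
"""
from dataclasses import dataclass
from typing import Dict, Optional

STATUS_PREFIX = "[GNUPG:] "

# GnuPG's key-validity keywords, mapped to short names.
_TRUST_KEYWORDS = {
    "TRUST_UNDEFINED": "undefined",
    "TRUST_NEVER": "never",
    "TRUST_MARGINAL": "marginal",
    "TRUST_FULLY": "full",
    "TRUST_ULTIMATE": "ultimate",
}
_SIG_KEYWORDS = {"GOODSIG": "good", "BADSIG": "bad",
                 "EXPKEYSIG": "expired-key", "REVKEYSIG": "revoked-key"}


@dataclass
class Verdict:
    integrity: str                # good | bad | expired-key | revoked-key | missing-key | error
    key_validity: Optional[str]   # a _TRUST_KEYWORDS value, or None if gpg said nothing
    signer: Optional[str]         # user ID reported on the *SIG line
    fingerprint: Optional[str]    # fingerprint from VALIDSIG, if present

    @property
    def label(self) -> str:
        """Enigmail-style one-line verdict."""
        if self.integrity == "bad":
            return "BAD signature"
        if self.integrity == "expired-key":
            return "GOOD signature from EXPIRED key"
        if self.integrity == "revoked-key":
            return "GOOD signature from REVOKED key"
        if self.integrity == "missing-key":
            return "signature could not be checked: public key not found"
        if self.integrity != "good":
            return "signature could not be checked"
        # Message matches the signature; now the separate question of key validity.
        # Assumption of this example: only full/ultimate validity clears UNTRUSTED.
        if self.key_validity in ("full", "ultimate"):
            return "GOOD signature"
        return "UNTRUSTED GOOD signature"


def parse_status(status_text: str) -> Verdict:
    """Reduce one gpg --status-fd transcript to a Verdict."""
    integrity, validity, signer, fpr = "error", None, None, None
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue                          # skip anything that is not a status line
        tokens = raw[len(STATUS_PREFIX):].split(" ", 2)
        keyword = tokens[0]
        if keyword in _SIG_KEYWORDS:          # <keyword> <long_keyid_or_fpr> <user id>
            integrity = _SIG_KEYWORDS[keyword]
            signer = tokens[2] if len(tokens) > 2 else None
        elif keyword == "NO_PUBKEY":
            integrity = "missing-key"
        elif keyword == "ERRSIG":             # ... <sig_class> <time> <rc>; rc 9 = no public key
            fields = raw.split()
            if len(fields) > 7 and fields[7] == "9":
                integrity = "missing-key"
        elif keyword == "VALIDSIG":           # VALIDSIG <fingerprint> <date> <timestamp> ...
            fpr = tokens[1] if len(tokens) > 1 else None
        elif keyword in _TRUST_KEYWORDS:
            validity = _TRUST_KEYWORDS[keyword]
    return Verdict(integrity, validity, signer, fpr)


def classify(status_text: str) -> str:
    return parse_status(status_text).label


# Constructed sample transcripts (placeholder key IDs/fingerprints, not real keys).
FPR_ALICE = "0123456789ABCDEF0123456789ABCDEF01234567"
KEYID_ALICE = FPR_ALICE[-16:]
UID_ALICE = "Alice Example <alice@example.org>"
VALIDSIG_LINE = f"[GNUPG:] VALIDSIG {FPR_ALICE} 2004-12-31 1104518444 0 4 0 1 2 00 {FPR_ALICE}"

SAMPLES: Dict[str, str] = {
    # Key fetched from a keyserver and never certified: matches, but whose is it?
    "untrusted_good": "\n".join(["[GNUPG:] NEWSIG",
                                 f"[GNUPG:] GOODSIG {KEYID_ALICE} {UID_ALICE}",
                                 VALIDSIG_LINE, "[GNUPG:] TRUST_UNDEFINED 0 pgp"]),
    # Same key after the recipient certified it (e.g. gpg --lsign-key) with his own key.
    "good_after_lsign": "\n".join(["[GNUPG:] NEWSIG",
                                   f"[GNUPG:] GOODSIG {KEYID_ALICE} {UID_ALICE}",
                                   VALIDSIG_LINE, "[GNUPG:] TRUST_FULLY 0 pgp"]),
    # Message body modified in transit: the signature no longer matches.
    "tampered": "\n".join(["[GNUPG:] NEWSIG", f"[GNUPG:] BADSIG {KEYID_ALICE} {UID_ALICE}"]),
    # Signer's public key is not in the keyring at all.
    "no_pubkey": "\n".join(["[GNUPG:] NEWSIG",
                            f"[GNUPG:] ERRSIG {KEYID_ALICE} 1 2 00 1104518444 9",
                            f"[GNUPG:] NO_PUBKEY {KEYID_ALICE}"]),
}


def verify_samples() -> Dict[str, str]:
    """Run every constructed transcript through the classifier."""
    return {name: classify(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in verify_samples().items():
        print(f"{name:18s} -> {label}")
```

The "good_after_lsign" transcript is what you get once your own (ultimately trusted) key has certified the signer's key. Doing that with `gpg --lsign-key FINGERPRINT` rather than `gpg --sign-key` makes the certification non-exportable, so it is not pushed to a keyserver by a later `--send-keys`, which is the point Olav makes about local signatures above.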
