[Bug 328735] Re: a key is put in "trusted keys" without it is signed
** Changed in: seahorse
       Status: New => Expired

** Changed in: seahorse
   Importance: Unknown => Low

--
a key is put in "trusted keys" without it is signed
https://bugs.launchpad.net/bugs/328735
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Thanks for opening a new bug to separate the real bug from the tab issue.
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Martin, to tell the truth I wanted to test this issue with a newer version of seahorse, because I'm not sure that the "bug" was really solved by the seahorse developers (ok, the tab "trusted keys" was removed but the issue was not only related to this) but I couldn't (as bug #493473).
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
It doesn't really matter. I chose "invalid", because the bug has been filed about some part of a software that no longer exists.
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Martin, why did you mark the bug as invalid? It was a true issue; in fact the seahorse developers removed the Trusted Keys tab in version 2.27. I think the bug should be marked as "fix released".
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Last upstream comment:

>>>
In 2.27 the Trusted Keys tab was removed.
<<<

Closing as invalid then.

** Changed in: seahorse (Ubuntu)
       Status: Triaged => Invalid
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
This is indeed an issue, since from the web of trust perspective, a user should trust the key itself only if it is "valid". By setting "trust" in a key, you actually only trust keys signed by that key.

See: http://www.gnupg.org/documentation/faqs.en.html#q4.7

I've commented on this in more detail upstream:
http://bugzilla.gnome.org/show_bug.cgi?id=571688#c2
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
** Changed in: seahorse
       Status: Unknown => New
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Thank you for sending the bug to GNOME.

** Changed in: seahorse (Ubuntu)
       Status: Incomplete => Triaged
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
** Bug watch added: GNOME Bug Tracker #571688
   http://bugzilla.gnome.org/show_bug.cgi?id=571688

** Also affects: seahorse via
   http://bugzilla.gnome.org/show_bug.cgi?id=571688
   Importance: Unknown
       Status: Unknown
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Could you send the request to the upstream bug tracker since you have a strong opinion about it?

** Changed in: seahorse (Ubuntu)
   Importance: Low => Wishlist
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
I think it's more correct to mark this issue as a wishlist request.
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Michael, I know that trusting and signing are technically two separate processes, but I also say again that from a logical point of view trusting should follow signing, that is, I should assign a trust judgement to keys (that is, to people) that I know are valid (that is, the owner of that key is the person that I think he should be).

The only reason I see to let the user trust a key without signing it is related to a scenario in which the user (owner of the keyring) wants to assign trust judgements to people that he knows, using the keys that are related to these people, regardless of whether these keys are really valid or not. That is, collecting a sort of people trust list.

In this scenario, however, the "dangerous" thing is that if the user discovers that a key isn't valid he should delete it, but doing this he should also delete the trust judgement for that person; on the other hand, in order to preserve the trust judgement, he shouldn't delete the key once he has discovered that it isn't valid, but doing this he would have invalid keys in his keyrings, in which keys not yet checked for validity and keys already checked for validity (but not deleted) would cohabit together.

I think the actual situation is misleading for the user and not very useful.

** Tags added: whishlist
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Setting trust is separate from signing a key (at least from gpg's POV). Your trust settings are local and not exported with the key like a signature. You can trust a key you didn't sign (whether it's wise to do so is another question) and you can also distrust a key you did sign.

gpg uses the trust to compute how much it can trust (key-) signatures made by that key. So it's possible that you trust a key you didn't sign because you trust enough people who signed this key.
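Added example, not part of the thread and not GnuPG or Seahorse code: a simplified Python model of the validity calculation the messages above discuss, using GnuPG's default thresholds (one fully trusted or three marginally trusted signers) and leaving out the path-length limit. The key names and the keyring are constructed; it shows that setting ownertrust on an unsigned key makes neither that key nor the keys it certifies valid.

```python
# Simplified model of GnuPG's classic trust calculation (path-length limit omitted).
FULL, MARGINAL, ULTIMATE = "full", "marginal", "ultimate"
COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 3  # GnuPG defaults


def valid_keys(ownertrust, signatures):
    """Return the set of keys considered valid.

    ownertrust: {key: level} -- local, never exported with the key.
    signatures: {key: set of keys that certified it}.
    """
    valid = {k for k, level in ownertrust.items() if level == ULTIMATE}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A certification counts only if the signing key is itself valid.
            counted = [s for s in signers if s in valid]
            full = sum(ownertrust.get(s) in (FULL, ULTIMATE) for s in counted)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in counted)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid


# Constructed keyring: names are placeholders, not real keys.
OWNERTRUST = {
    "me": ULTIMATE,
    "alice": FULL,        # signed by me and trusted as an introducer
    "imported": FULL,     # the bug's scenario: trust set, nothing signed
    "m1": MARGINAL, "m2": MARGINAL, "m3": MARGINAL,
}
SIGNATURES = {
    "alice": {"me"},
    "bob": {"alice"},             # never signed by me, valid through alice
    "imported": set(),            # fetched from a keyserver, unsigned
    "stranger": {"imported"},     # certified only by the unsigned key
    "m1": {"me"}, "m2": {"me"}, "m3": {"me"},
    "carol": {"m1", "m2"},        # two marginal introducers: not enough
    "dave": {"m1", "m2", "m3"},   # three marginal introducers: enough
}

if __name__ == "__main__":
    print(sorted(valid_keys(OWNERTRUST, SIGNATURES)))
```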
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Sebastien, I read many times that key signing, if I am not wrong, is a process that permits you to validate a key (that is, you are sure that the owner of the key is right). Then, based on the signature, you can trust the owner of the key, assigning a trust level from 1 (don't know) to 4 (I trust fully).

I think trusting a user key without signing is not useful, as I declare that I don't know if the key is valid or not.

From the gpg mini howto (http://dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.6)

"
3.6 Key signing

As mentioned before in the introduction there is one major Achilles' heel in the system. This is the authenticity of public keys. If you have a wrong public key you can say bye bye to the value of your encryption. To overcome such risks there is a possibility of signing keys. In that case you place your signature over the key, so that you are absolutely positive that this key is valid. This leads to the situation where the signature acknowledges that the user ID mentioned in the key is actually the owner of that key. With that reassurance you can start encrypting.

Using the gpg --edit-key UID command for the key that needs to be signed you can sign it with the sign command.

You should only sign a key as being authentic when you are ABSOLUTELY SURE that the key is really authentic!!!. So if you are positive you got the key yourself (like on a key signing party) or you got the key through other means and checked it (for instance by phone) using the fingerprint-mechanism. You should never sign a key based on any assumption.

Based on the available signatures and "ownertrusts" GnuPG determines the validity of keys. Ownertrust is a value that the owner of a key uses to determine the level of trust for a certain key. The values are

* 1 = Don't know
* 2 = I do NOT trust
* 3 = I trust marginally
* 4 = I trust fully

If the user does not trust a signature it can say so and thus disregard the signature.

Trust information is not stored in the same file as the keys, but in a separate file.
"
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Why would signing be mandatory to trust a key?
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Yes, it's reproducible.

- open seahorse
- press "find remote keys"
- search a key and import it (the key is put under "other collected keys" tab)
- open the property window of the imported key
- go to trust tab
- check "I have checked that this key belongs to '.'"
- close the property window
- you will see that the imported key is put under "trusted keys" tab

This is wrong for me, as I haven't signed it yet and signing is mandatory to set a key as trusted.
[Bug 328735] Re: a key is put in "trusted keys" without it is signed
Thank you for taking the time to report this bug and helping to make Ubuntu better. Please answer these questions:

* Is this reproducible?
* If so, what specific steps should we take to recreate this bug?
* What Ubuntu version do you use?

This will help us to find and resolve the problem.

** Changed in: seahorse (Ubuntu)
   Importance: Undecided => Low
     Assignee: (unassigned) => Ubuntu Desktop Bugs (desktop-bugs)
       Status: New => Incomplete