m***@gmail.com
2013-07-21 21:23:09 UTC
https://bugs.kde.org/show_bug.cgi?id=322664
Bug ID: 322664
Summary: Result of file signature verification is misleading/confusing
Classification: Unclassified
Product: kleopatra
Version: 2.1.1
Platform: MS Windows
OS: MS Windows
Status: UNCONFIRMED
Severity: wishlist
Priority: NOR
Component: general
Assignee: kdepim-***@kde.org
Reporter: ***@gmail.com
CC: ***@kde.org
When you check a file that was signed with a key that has a low trust level
(like not signed by yourself) you get the following output:
"Not enough information to check signature validity,"
That is not very helpful. It would be nice to know that the signature test was
in fact successful but the key used may not be trustworthy, and what can be
done to change this.
If you check a file that was changed after signing, the certificate suddenly
becomes unknown.
"Invalid signature.
Signed with unknown certificate 0x... The signature is bad"
It would be better understandable with a clear statement, the file was not
signed with the certificate 0x... of XY.
The German text is even stranger:
"Signatur ungültig.
Signiert mit unbekanntem Zertifikat 0x... Die Signatur ist unbrauchbar."
[literally: "Signature invalid. Signed with unknown certificate 0x... The signature is unusable."]
Unbrauchbar? Why state that the signature is useless? The signature is plain
wrong!
It may make sense from a cryptographer's point of view, but this is one of the
little hassles people think about when they say that cryptography is too
complicated.
Reproducible: Always
Steps to Reproduce:
1. check file signed with valid but untrusted key
2. look at result
3. edit file and check again
4. look at result again
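The distinction the report asks for (signature cryptographically good but key untrusted, versus signature bad, versus key not available at all) is already present in the status lines gpg emits on `--status-fd`, which is what Kleopatra consumes through GPGME. The following added example, which is not part of the bug report and not Kleopatra's or GnuPG's code, parses constructed status output for the four cases and maps each to a message of the kind the reporter wants. The status keyword format follows gnupg's doc/DETAILS; the key IDs, fingerprints and user IDs in the samples are made up.

```python
"""Map gpg --status-fd verification output to unambiguous verdicts (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

STATUS_PREFIX = "[GNUPG:] "
# Owner-trust keywords gpg reports after a GOODSIG (doc/DETAILS), lowest to highest.
TRUST_KEYWORDS = ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                  "TRUST_FULLY", "TRUST_ULTIMATE")

# Constructed sample outputs, not captured from a real run.
SAMPLE_GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1234567890ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-07-21 1374442989 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_GOOD_TRUSTED = SAMPLE_GOOD_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_FULLY")
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1234567890ABCDEF Example Signer <signer@example.org>
"""
SAMPLE_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1234567890ABCDEF 1 10 00 1374442989 9
[GNUPG:] NO_PUBKEY 1234567890ABCDEF
"""


@dataclass
class Verdict:
    crypto_valid: Optional[bool]  # True: GOODSIG, False: BADSIG, None: could not check
    key_id: str = ""
    user_id: str = ""
    trust: Optional[str] = None   # TRUST_* keyword, only emitted after a GOODSIG
    key_missing: bool = False     # NO_PUBKEY seen


def parse_status(text: str) -> Verdict:
    """Reduce the status lines of one signature to a Verdict.

    Only GOODSIG/BADSIG/ERRSIG/NO_PUBKEY/TRUST_* are handled; expired or
    revoked-key cases (EXPKEYSIG, REVKEYSIG) are left out of this example.
    """
    v = Verdict(crypto_valid=None)
    for raw in text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw in ("GOODSIG", "BADSIG"):
            v.key_id = args[0]
            v.user_id = " ".join(args[1:])
            v.crypto_valid = kw == "GOODSIG"
        elif kw == "ERRSIG":
            v.key_id = args[0]      # ERRSIG carries the key ID but no user ID
            v.crypto_valid = None
        elif kw == "NO_PUBKEY":
            v.key_missing = True
        elif kw in TRUST_KEYWORDS:
            v.trust = kw
    return v


def explain(v: Verdict) -> str:
    """Wording that separates 'signature good' from 'key trusted' from 'key unknown'."""
    who = f"key {v.key_id}" + (f" of {v.user_id}" if v.user_id else "")
    if v.crypto_valid is False:
        return (f"Bad signature: this file was NOT signed with {who} in its current form. "
                "Either it was modified after signing or the signature belongs to other data.")
    if v.crypto_valid is None:
        if v.key_missing:
            return (f"Cannot verify: {who} is not in your keyring, so the signature could "
                    "not be checked at all (this is not a bad signature).")
        return "Cannot verify: gpg reported an error while checking the signature."
    if v.trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return f"Good signature from {who}; the key is trusted."
    return (f"Good signature from {who}: the file is unchanged since it was signed. "
            f"However, the key is not trusted ({v.trust or 'no trust information'}): "
            "verify its fingerprint out of band and certify it, or raise its owner trust.")


def demo() -> Dict[str, str]:
    """Run all four constructed cases and return their messages keyed by case name."""
    cases = {"good_untrusted": SAMPLE_GOOD_UNTRUSTED, "good_trusted": SAMPLE_GOOD_TRUSTED,
             "bad": SAMPLE_BAD, "no_key": SAMPLE_NO_KEY}
    return {name: explain(parse_status(text)) for name, text in cases.items()}


if __name__ == "__main__":
    for name, msg in demo().items():
        print(f"{name}: {msg}")
```

The point of the mapping is that a BADSIG names the key gpg tried, so the message can say "not signed with key X of Y" instead of "unknown certificate", while a GOODSIG with TRUST_UNDEFINED is reported as a good signature whose key merely lacks trust, with the action that clears the warning.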
--
You are receiving this mail because:
You are the assignee for the bug.