unofficial mirror of notmuch@notmuchmail.org
* Ultimate trust
@ 2020-03-21 14:37 Tomas Nordin
  2020-03-21 15:43 ` Teemu Likonen
  0 siblings, 1 reply; 6+ messages in thread
From: Tomas Nordin @ 2020-03-21 14:37 UTC (permalink / raw)
  To: notmuch

[-- Attachment #1: Type: text/plain, Size: 894 bytes --]

Hello List

This is probably a dumb question and not really an issue for Notmuch.
But it is when using notmuch (through emacs) I get this Gnome pop-up.
See attached image. Some senders are attaching some sort of signature
that I get to trust or cancel. What do people do in this case? I tend
to cancel it. How should I relate to the question? How do I know if I
could ultimately trust something as asked?

The pop-up in this case says

----------------------------------8<----------------------------------
Message

Do you ultimately trust
"CN=GlobalSign
OU=GlobalSign Root CA-R3
O=GlobalSign"
to correctly certify user certificates?
---------------------------------->8----------------------------------

Is there some source to go to for verifying the cert (or issuer or
what it is)?

PS: When a signature like this is sent, there will be a delay before
the pop-up.

Best regards
--
Tomas

[-- Attachment #2: IMG_20200321_125445.jpg --]
[-- Type: image/jpeg, Size: 75620 bytes --]


* Re: Ultimate trust
  2020-03-21 14:37 Ultimate trust Tomas Nordin
@ 2020-03-21 15:43 ` Teemu Likonen
  2020-03-22 14:30   ` Tomas Nordin
  0 siblings, 1 reply; 6+ messages in thread
From: Teemu Likonen @ 2020-03-21 15:43 UTC (permalink / raw)
  To: Tomas Nordin, notmuch

[-- Attachment #1: Type: text/plain, Size: 1593 bytes --]

Tomas Nordin [2020-03-21T15:37:36+01] wrote:

> This is probably a dumb question and not really an issue for Notmuch.

Excellent questions but partly difficult to answer.

> But it is when using notmuch (through emacs) I get this Gnome pop-up.
> See attached image. Some senders are attaching some sort of signature
> that I get to trust or cancel.

The sender's mail client has used gpgsm or similar program to digitally
sign the message content. The sender's key that made the message
signature has been certified by some certificate authority. And you are
asked if you trust this certificate authority to certify others' keys.

> What do people do in this case? I tend to cancel it. How should I
> relate to the question? How do I know if I could ultimately trust
> something as asked?

That is the difficult part. The right answer is probably that the user
should carefully check the certificate authority's key fingerprint,
compare it to the fingerprint that the authority has published somewhere
else, study the certificate authority's reputation in certifying
people's keys, or something like that.

And almost nobody does that because it's too difficult.

I do this: I press "Yes" (to trust "ultimately") but then immediately go
edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
that certificate authority's key fingerprint. It marks that key
untrusted (because I really don't know). Then: "gpgconf --reload
gpg-agent".

-- 
/// Teemu Likonen - .-.. http://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 251 bytes --]
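
Added example (not part of the thread or of any poster's message): the manual trustlist.txt edit described above, as a shell function. The name distrust_ca is hypothetical, and the code assumes the gpg-agent trustlist layout of one fingerprint per line, optionally colon-separated, followed by flags.

```shell
# distrust_ca FILE FINGERPRINT   (hypothetical helper, not a GnuPG command)
# Prefixes "!" to the trustlist entry whose fingerprint matches, ignoring
# colons and letter case. Returns 0 if an entry was changed, 1 if it was
# already marked with "!", 2 if the fingerprint is not listed.
distrust_ca() {
    file=$1
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    tmp=$(mktemp "${file}.XXXXXX") || return 3
    awk -v want="$want" '
        BEGIN { state = 2 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blank lines
        {
            fpr = $1
            marked = (substr(fpr, 1, 1) == "!")
            if (marked) fpr = substr(fpr, 2)
            gsub(/:/, "", fpr)
            if (toupper(fpr) == want) {
                if (marked) {
                    if (state == 2) state = 1
                } else {
                    sub(/^[ \t]+/, "")
                    $0 = "!" $0                    # keep flags such as "S relax"
                    state = 0
                }
            }
            print
        }
        END { exit state }
    ' "$file" > "$tmp" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        mv "$tmp" "$file"        # replace the file only when an entry changed
    else
        rm -f "$tmp"
    fi
    return "$rc"
}
```

After a successful change to ~/.gnupg/trustlist.txt, "gpgconf --reload gpg-agent" makes the agent re-read the file, as in the message above.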


* Re: Ultimate trust
  2020-03-21 15:43 ` Teemu Likonen
@ 2020-03-22 14:30   ` Tomas Nordin
  2020-03-22 19:15     ` Philip Hands
  0 siblings, 1 reply; 6+ messages in thread
From: Tomas Nordin @ 2020-03-22 14:30 UTC (permalink / raw)
  To: Teemu Likonen, notmuch

Teemu Likonen <tlikonen@iki.fi> writes:

> Tomas Nordin [2020-03-21T15:37:36+01] wrote:
>
>> This is probably a dumb question and not really an issue for Notmuch.
>
> Excellent questions but partly difficult to answer.
>
>> But it is when using notmuch (through emacs) I get this Gnome pop-up.
>> See attached image. Some senders are attaching some sort of signature
>> that I get to trust or cancel.
>
> The sender's mail client has used gpgsm or similar program to digitally
> sign the message content. The sender's key that made the message
> signature has been certified by some certificate authority. And you are
> asked if you trust this certificate authority to certify others' keys.
>
>> What do people do in this case? I tend to cancel it. How should I
>> relate to the question? How do I know if I could ultimately trust
>> something as asked?
>
> That is the difficult part. The right answer is probably that the user
> should carefully check the certificate authority's key fingerprint,
> compare it to the fingerprint that the authority has published somewhere
> else, study the certificate authority's reputation in certifying
> people's keys, or something like that.
>
> And almost nobody does that because it's too difficult.
>
> I do this: I press "Yes" (to trust "ultimately") but then immediately go
> edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
> that certificate authority's key fingerprint. It marks that key
> untrusted (because I really don't know). Then: "gpgconf --reload
> gpg-agent".

OK, thanks. That already feels better, knowing I can revert this trust
easily like that. And some better understanding for what's going on.

Best regards
--
Tomas


* Re: Ultimate trust
  2020-03-22 14:30   ` Tomas Nordin
@ 2020-03-22 19:15     ` Philip Hands
  2020-03-22 22:21       ` Tomas Nordin
  2020-03-23  1:20       ` David Bremner
  0 siblings, 2 replies; 6+ messages in thread
From: Philip Hands @ 2020-03-22 19:15 UTC (permalink / raw)
  To: notmuch

[-- Attachment #1: Type: text/plain, Size: 1361 bytes --]

Tomas Nordin <tomasn@posteo.net> writes:

> Teemu Likonen <tlikonen@iki.fi> writes:
...
>> I do this: I press "Yes" (to trust "ultimately") but then immediately go
>> edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
>> that certificate authority's key fingerprint. It marks that key
>> untrusted (because I really don't know). Then: "gpgconf --reload
>> gpg-agent".
>
> OK, thanks. That already feels better, knowing I can revert this trust
> easily like that. And some better understanding for what's going on.

That seems like a UI bug to me -- I'd have thought that there should be
a "No" button so that you can stop it repeatedly asking (presumably by
automatically doing the same as the above manual procedure).

Would anyone happen to know where that should be reported?

I have a feeling that I'd want to default that to answering "No", and
never see the prompt.

The number of people I'm willing to declare ultimate trust in is quite
limited, and even for those, I'm not going to do it via some unfamiliar
bit of UI that springs up unexpectedly.  This strikes me as mildly
deranged, and appears to be trying to train users to do the wrong thing.

Cheers, Phil.
--
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]


* Re: Ultimate trust
  2020-03-22 19:15     ` Philip Hands
@ 2020-03-22 22:21       ` Tomas Nordin
  2020-03-23  1:20       ` David Bremner
  1 sibling, 0 replies; 6+ messages in thread
From: Tomas Nordin @ 2020-03-22 22:21 UTC (permalink / raw)
  To: Philip Hands, notmuch

Philip Hands <phil@hands.com> writes:

> Tomas Nordin <tomasn@posteo.net> writes:
>
>> Teemu Likonen <tlikonen@iki.fi> writes:
> ...
>>> I do this: I press "Yes" (to trust "ultimately") but then immediately go
>>> edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
>>> that certificate authority's key fingerprint. It marks that key
>>> untrusted (because I really don't know). Then: "gpgconf --reload
>>> gpg-agent".
>>
>> OK, thanks. That already feels better, knowing I can revert this trust
>> easily like that. And some better understanding for what's going on.
>
> That seems like a UI bug to me -- I'd have thought that there should be
> a "No" button so that you can stop it repeatedly asking (presumably by
> automatically doing the same as the above manual procedure).

I agree there should be a "No" button doing the same thing as this
manual procedure. Especially if the performance penalty is removed that
way (like when answering yes), which I didn't test yet. (Before
answering yes in the cases I refer to there was a significant hang in
Emacs before the prompt showed up.)

>
> Would anyone happen to know where that should be reported?
>
> I have a feeling that I'd want to default that to answering "No", and
> never see the prompt.
>
> The number of people I'm willing to declare ultimate trust in is quite
> limited, and even for those, I'm not going to do it via some unfamiliar
> bit of UI that springs up unexpectedly.  This strikes me as mildly
> deranged, and appears to be trying to train users to do the wrong thing.

From Teemu's explanation I understood the trust is not really about the
sender but the "authority" which is certifying the sender's key
(GlobalSign in this case). And in my example the message is from some
organisation connected to my work where I am guessing it is the IT
department who has decided to set this up.

While I am asked a question I cannot possibly answer, I think it is
better to ask (making clear something is going on) than just do
something without my knowledge, which I think is common with mainstream
mail agents. But it would be better as you say to be able to say "No"
and also be given a hint about the file where this is recorded.

PS: Besides that record in the trustlist.txt file I still don't
    understand what the possible side effect is. Other than removal of
    the delay.

--
Tomas


* Re: Ultimate trust
  2020-03-22 19:15     ` Philip Hands
  2020-03-22 22:21       ` Tomas Nordin
@ 2020-03-23  1:20       ` David Bremner
  1 sibling, 0 replies; 6+ messages in thread
From: David Bremner @ 2020-03-23  1:20 UTC (permalink / raw)
  To: Philip Hands, notmuch; +Cc: Daniel Kahn Gillmor

Philip Hands <phil@hands.com> writes:

> Tomas Nordin <tomasn@posteo.net> writes:
>
>> Teemu Likonen <tlikonen@iki.fi> writes:
> ...
>>> I do this: I press "Yes" (to trust "ultimately") but then immediately go
>>> edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
>>> that certificate authority's key fingerprint. It marks that key
>>> untrusted (because I really don't know). Then: "gpgconf --reload
>>> gpg-agent".
>>
>> OK, thanks. That already feels better, knowing I can revert this trust
>> easily like that. And some better understanding for what's going on.
>
> That seems like a UI bug to me -- I'd have thought that there should be
> a "No" button so that you can stop it repeatedly asking (presumably by
> automatically doing the same as the above manual procedure).
>
> Would anyone happen to know where that should be reported?
>
> I have a feeling that I'd want to default that to answering "No", and
> never see the prompt.

I think this is all about S/MIME and gpgsm. The issue with the delays
is already reported to

 https://dev.gnupg.org/T3348

It can be worked around with "disable-crl-checks" in the gpgsm
config. But if you actually care about S/MIME messages, that has some
drawbacks.

The more general question of asking people to trust the CA of some
random person on the internet seems crazy to me as well. I'm not sure,
maybe dkg has ideas about how to fix the UI issue from the notmuch side.

d
