
show-photos should be able to display the UserID's calculated validity
Status: Closed, Resolved (Public)


Photographic user attributes are an intuitive way to recognize people, so it's
good that GPG supports them. However, when showing the photo, there's no simple
way to pass the calculated validity of the user attribute to the photo viewer.

For example, Alice meets Bob in person, and they check IDs and exchange key
fingerprints. When Alice gets home, she goes to sign Bob's key, and finds that
he has a User Attribute with a photo of himself. Since it looks like Bob, Alice
certifies that User Attribute.

Later, Alice receives a message that claims to be from Bob. Her Mail User Agent
is configured to call gpg during signature verification, and gpg is configured
with "verify-options show-photos". Bob's image pops up -- but can Alice be sure
from looking at Bob's photo that this is the same person whose key she signed?

Eve could create a fictitious key, attach Bob's image to it, and send mail to
Alice signed by that key, which would cause that image to pop up. But since
Alice never signed that particular User Attribute, it should show up somehow
referenced as "unknown" instead of "full" or "marginal".

The attached patch enables the use of %v (single character validity code) and %V
(string validity reference) in the "photo-viewer" option string.

Given this additional information, Alice's copy of GPG could now display the
image in a dialog box with the calculated validity written above it (or
overlaid, or whatever other technique makes sense from a UI perspective).

The patch applies to gnupg2 version 2.0.9.
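
A viewer wrapper that consumes the validity string and fails closed, as an added example that is not part of the original report or of the attached patch. It assumes a gpg build that expands %V as described above; the wrapper path, the function names and the caption wording are hypothetical, and xloadimage is assumed to be installed.

```shell
#!/bin/sh
# Added example: hypothetical wrapper for gpg's photo-viewer option.
# gpg.conf (the wrapper path is an assumption):
#   verify-options show-photos
#   photo-viewer /usr/local/bin/photo-validity-view %V %k %i

# Map the %V validity string to a class. Only "full" and "marginal" count
# as validated; anything else, including empty or unexpected input, is
# treated as unvalidated (fail closed).
classify_validity() {
    case "$1" in
        full)     echo trusted ;;
        marginal) echo partial ;;
        *)        echo unvalidated ;;
    esac
}

# Build the window caption shown with the photo. The key ID is reduced to
# hex digits so no other characters can reach the window title.
viewer_caption() {
    keyid=$(printf '%s' "$2" | tr -cd '0-9A-Fa-f')
    case "$(classify_validity "$1")" in
        trusted) echo "Photo validity: FULL (key 0x$keyid)" ;;
        partial) echo "Photo validity: MARGINAL (key 0x$keyid)" ;;
        *)       echo "WARNING: photo NOT validated (key 0x$keyid)" ;;
    esac
}

# Invoked by gpg as: wrapper VALIDITY KEYID IMAGEFILE
if [ "$#" -eq 3 ]; then
    # The caption carries the validity, so a photo attached to a key the
    # user never certified is labelled as such instead of shown bare.
    exec xloadimage -quiet -title "$(viewer_caption "$1" "$2")" "$3"
fi
```

With this in place, the photo on Eve's fictitious key from the scenario above opens under the "NOT validated" caption, because its validity is "unknown".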


Event Timeline

David: What about this patch?
dkg: We might need a copyright assignment - David will decide.

werner set Due Date to Oct 15 2008, 2:00 AM.
werner added a subscriber: dshaw.

I'm happy to assign copyright for this patch to the FSF, if that's needed.

I like the idea, but I'd implement it slightly differently (nothing major -
there are a few unnecessary #includes, and I'd rather protect pct_expando in
pct_expando rather than rely on the caller to submit sane arguments).

I'll roll a patch that way and commit it.