Proposal
It's been suggested that the Keyoxide UI output be enhanced to include a disclaimer regarding the OpenPGP user IDs displayed. The disclaimer being that no claim is being made or should be inferred regarding the validity of the user IDs themselves.
Discussion
Ariadne Claims are made between a Master Key and a digital asset. And by direct association between User IDs under that Master Key and those digital assets.
To the uninitiated or casual observer, the claims made might be seen to extend (at least to some degree) to the User ID themselves as digital assets in their own right. That is, that in some way the User IDs have been vetted, despite the fact that the UI displays no check marks by the User IDs, just simply by the mere fact that User IDs are displayed.
Those entrenched in OpenPGP understand that the validity one assigns to a User ID is ultimately the responsibility of the individual utilizing that User ID. Individuals may of course factor in vetting done elsewhere while taking into consideration the trustworthiness of that vetting, but they themselves make the final determination.
Keyoxide limits its default key lookup to keys.openpgp.org and WKDs. keys.openpgp.org conducts an initial test of User ID email ownership upon key upload to its servers. WKD drafted best practices state a similar practice must be followed by WKDs. WKDs at large may or may not do so however. Keyoxide itself does no vetting of User IDs, and provides no oversight wrt to keys.openpgp.org or WKDs at large. And thus in truth, should make no claims regarding the User IDs. Keyoxide to its credit does practice clearly denoting the source of the key material.
User IDs are in fact, in the Keyoxide context, just convenient aliases for the Master Key. Aliases under which claims may be further grouped and divided.
Who is Keyoxide's audience? What is their level of competence in this context? One does not want to clutter the landscape with extra verbiage when it maybe unnecessary. Disclaimers and legal documents as it is, tend to be way too long and just get longer with age. However, if our friend who knows nothing of OpenPGP and security practices, gets the link https://keyoxide.org/john.doe%40jane.doe.com, what are they to make of it? But do they in fact really know nothing? If they don't trust or really know their source, they may not trust the link either. Or, how likely are they to just independently lookup john.doe@jane.doe.com without first consulting with John or Jane prior to trusting the information retrieved.
Reference
Further discussion can be found @ #keyoxide:matrix.org.
Related
keyoxide/keyoxide-web#248
keyoxide/keyoxide-web#81
keyoxide/keyoxide-web#81#issuecomment-187173
keyoxide/keyoxide-web#81#issuecomment-5936170
https://gitlab.com/keys.openpgp.org/hagrid/-/issues/180
### Proposal
It's been suggested that the Keyoxide UI output be enhanced to include a disclaimer regarding the OpenPGP user IDs displayed. The disclaimer being that no claim is being made or should be inferred regarding the validity of the user IDs themselves.
### Discussion
Ariadne Claims are made between a Master Key and a digital asset. And by direct association between User IDs under that Master Key and those digital assets.
To the uninitiated or casual observer, the claims made might be seen to extend (at least to some degree) to the User ID themselves as digital assets in their own right. That is, that in some way the User IDs have been vetted, despite the fact that the UI displays no check marks by the User IDs, just simply by the mere fact that User IDs are displayed.
Those entrenched in OpenPGP understand that the validity one assigns to a User ID is ultimately the responsibility of the individual utilizing that User ID. Individuals may of course factor in vetting done elsewhere while taking into consideration the trustworthiness of that vetting, but they themselves make the final determination.
Keyoxide limits its default key lookup to keys.openpgp.org and WKDs. keys.openpgp.org conducts an initial test of User ID email ownership upon key upload to its servers. [WKD drafted best practices state a similar practice must be followed by WKDs](https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service#name-security-considerations). WKDs at large may or may not do so however. Keyoxide itself does no vetting of User IDs, and provides no oversight wrt to keys.openpgp.org or WKDs at large. And thus in truth, should make no claims regarding the User IDs. Keyoxide to its credit does practice clearly denoting the source of the key material.
User IDs are in fact, in the Keyoxide context, just convenient aliases for the Master Key. Aliases under which claims may be further grouped and divided.
Who is Keyoxide's audience? What is their level of competence in this context? One does not want to clutter the landscape with extra verbiage when it maybe unnecessary. Disclaimers and legal documents as it is, tend to be way too long and just get longer with age. However, if our friend who knows nothing of OpenPGP and security practices, gets the link [https://keyoxide.org/john.doe%40jane.doe.com](), what are they to make of it? But do they in fact really know nothing? If they don't trust or really know their source, they may not trust the link either. Or, how likely are they to just independently lookup [john.doe@jane.doe.com]() without first consulting with John or Jane prior to trusting the information retrieved.
### Reference
Further discussion can be found @ [#keyoxide:matrix.org](https://matrix.to/#/!dEfJkFpQpwvbzcegRX:matrix.org/$vSOh3eNUPbzu3AATvfgusdZ40AYQT8P_eJkUe5GzWMc?via=matrix.org&via=mackenba.ch&via=tchncs.de).
### Related
keyoxide/keyoxide-web#248
keyoxide/keyoxide-web#81
[keyoxide/keyoxide-web#81#issuecomment-187173](https://codeberg.org/keyoxide/keyoxide-web/issues/81#issuecomment-187173)
[keyoxide/keyoxide-web#81#issuecomment-5936170](https://codeberg.org/keyoxide/keyoxide-web/issues/81#issuecomment-5936170)
https://gitlab.com/keys.openpgp.org/hagrid/-/issues/180