Although I’m not principally against such a disclaimer, it is attacking the question on the wrong level; if you are accessing an untrusted resource and relying on the disclaimer on it, you’re doing something wrong to begin with, so the ultimate issue is education of the user base. If such a disclaimer can increase awareness it is good, but I’m still arguing that users should use keyservers from clients and not directly.
That said, if we are to include something like this, it should use “public keyblock” as it isn’t strictly cryptographic material, and “might not be valid.” should clearly state “is not cryptographically verified”. That misses the issue of depending on a third party to verify to begin with, so might try to find a phrase that encourages behavior to always verify yourself.
I agree relying on a disclaimer isn’t perfect, but since SKS provides a user interface, that interface is the perfect place to start educating.
What do you think about this wording instead?
Information displayed on this website, including public keyblocks and anything associated with them, is not cryptographically verified. Always inspect public keyblocks using OpenPGP software to see verified information.
That language seems much better to me; maybe also add “don’t trust third party verification, but verify public keyblocks using OpenPGP software on secured devices to see…”?
I also wonder if it makes sense to include something that conveys that anyone can add any information. A lot of new users seem to believe that if they search a key server for someone’s email address and find a public key, that person must have created that key.
That is really implicit in the verification statement, but it can’t hurt to be more verbose if first adding something like this.
How about this? Instead of saying “don’t trust third party verification” I say “Always inspect public keyblocks using OpenPGP software on a secured device that you control” just because I think many people won’t know what third-party verification means.
Information displayed on this website, including public keyblocks and anything associated with them, is not cryptographically verified. Always inspect public keyblocks using OpenPGP software on a secured device that you control to see verified information.
That works for me.
Excellent. I just pushed another commit that changes the wording. Here’s a new screenshot:
Ping. @kristianf , could you please merge this and cut a new version?