Re: [Evolution] GPG Auto download pub keys





this is the absolute evidence that signing emails in 99,9% of its use
cases is completely useless. Automatically accepting keys to validate
signed mails renders signing useless.

I totally understand what you are saying.  The mitigating fact for
autoretrieval of keys is that it doesn't blindly accept the validity of
the keys unless (*I think*) you have already accepted a key of someone
who has signed the key.  The signature is highlighted as yellow, not
green, and says "Valid signature, but cannot verify sender...".

You can also view the contents of the key and there are warnings such
as 

        gpg: WARNING: This key is not certified with a trusted signature!
        gpg:          There is no indication that the signature belongs to the owner.
        
So it's not entirely a useless feature.

P.
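
The distinction drawn in this message (a signature that checks out cryptographically versus a key that is actually certified) can be read from GnuPG's machine-readable `--status-fd` output. The following is an added example, not part of the original post and not Evolution's code; the colour labels, the `classify` function and the sample status lines are constructed for illustration.

```python
# Added example: map `gpg --status-fd` keywords to a display state.
# Keywords (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY, EXPSIG, EXPKEYSIG, REVKEYSIG,
# TRUST_*) are GnuPG status codes; the colour policy is this example's choice.

TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
NOT_TRUSTED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}
REJECT = {"BADSIG", "REVKEYSIG", "EXPKEYSIG", "EXPSIG"}


def classify(status_output):
    """Return 'green', 'yellow', 'red', 'unverified' or 'unsigned'."""
    seen = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            seen.add(parts[1])  # keyword only; arguments vary by version
    if seen & REJECT:
        return "red"          # tampered, or key/signature expired or revoked
    if "ERRSIG" in seen or "NO_PUBKEY" in seen:
        return "unverified"   # signature could not be checked at all
    if "GOODSIG" not in seen:
        return "unsigned"
    if seen & NOT_TRUSTED:
        return "yellow"       # valid signature, key not certified (fail closed)
    if seen & TRUSTED:
        return "green"        # valid signature from a certified key
    return "yellow"           # no validity reported: do not assume trust


# Constructed sample status output (key ID and name are placeholders).
AUTO_FETCHED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp"""
CERTIFIED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] TRUST_FULLY 0 pgp"""
TAMPERED = "[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@example.org>"
MISSING_KEY = """[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1700000000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF"""

if __name__ == "__main__":
    for name in ("AUTO_FETCHED", "CERTIFIED", "TAMPERED", "MISSING_KEY"):
        print(name, "->", classify(globals()[name]))
```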


