Re: [Evolution] GPG Auto download pub keys

[Ralf Mardorf <ralf mardorf rocketmail com>]

On Sun, 2015-05-10 at 05:59 +0000, Justin Musgrove wrote:
> On Sat, 2015-05-09 at 19:11 +0200, Ralf Mardorf wrote:
> > On Sat, 09 May 2015 17:36:17 +0100, Pete Biggs wrote:
> > > I totally understand what you are saying.
> >
> > And I absolutely agree with your argument. However, a web of trust 
> > has
> > got it's weak points too.
> >
> > I "automatically" trust the key package of the distro I'm using, 
> > when
> > there's a release of new keys for signing packages, because the 
> > chain of
> > trusted keys at least is halfway comprehensible. But automatically
> > accepting each key needed to check the signature of an email is 
> > risky.
> > A user should care about the keys and be aware about the accepted
> > keys. A mouse click isn't much work.
>
> Excellent points! I don't mind the auto downloading with the 
> exception
> of not blindingly setting the trust value. That way I can manually
> validate and set the trust.

Btw. I'm mistaken. It's not just a mouse click, I had to
$ gpg --keyserver pgp.mit.edu --recv-keys 32EA7F7A
and then to close and open Evolution.

If I would automatically download keys that certify a key, wouldn't
the warning automatically disappear?

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.

A web of trust already could be a fake. IMO interaction of the user is
better, than doing it automatically.

Regards,
Ralf

PS: I dislike multipart messages sent to mailing lists. Your mail
isn't a text/HTML multipart, but you include your signature and IMO
signing mails sent to mailing lists is redundant.