Re: [Evolution] GPG Auto download pub keys
- From: Ralf Mardorf <ralf mardorf rocketmail com>
- To: evolution-list gnome org
- Subject: Re: [Evolution] GPG Auto download pub keys
- Date: Sun, 10 May 2015 11:26:28 +0200
On Sun, 2015-05-10 at 05:59 +0000, Justin Musgrove wrote:
On Sat, 2015-05-09 at 19:11 +0200, Ralf Mardorf wrote:
On Sat, 09 May 2015 17:36:17 +0100, Pete Biggs wrote:
I totally understand what you are saying.
And I absolutely agree with your argument. However, a web of trust
has
got it's weak points too.
I "automatically" trust the key package of the distro I'm using,
when
there's a release of new keys for signing packages, because the
chain of
trusted keys at least is halfway comprehensible. But automatically
accepting each key needed to check the signature of an email is
risky.
A user should care about the keys and be aware about the accepted
keys. A mouse click isn't much work.
Excellent points! I don't mind the auto downloading with the
exception
of not blindingly setting the trust value. That way I can manually
validate and set the trust.
Btw. I'm mistaken. It's not just a mouse click, I had to
$ gpg --keyserver pgp.mit.edu --recv-keys 32EA7F7A
and then to close and open Evolution.
If I would automatically download keys that certify a key, wouldn't
the warning automatically disappear?
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
A web of trust already could be a fake. IMO interaction of the user is
better, than doing it automatically.
Regards,
Ralf
PS: I dislike multipart messages sent to mailing lists. Your mail
isn't a text/HTML multipart, but you include your signature and IMO
signing mails sent to mailing lists is redundant.
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]