On Sat, 2016-02-20 at 23:49 +0100, Rudolf Künzli wrote:
My key wasn't confirmed in my sent messages before I trusted my own key. So I guess that's what other people that trust me have to do too. IMHO your public key should be attached/sent with your signature. In that case I could store your public key on my system (evolution) and use it directly to encrypt my messages sent to you. Naturally I could search on gpg.mit.edu, but getting the public key directly would make my life easier!
This is not the way it's supposed to work. If I don't check the public key is trusted, why should I believe a message signed with it? Simply picking up the key with the message is tantamount to doing nothing. I must either know the key beforehand (i.e. I have it in my keyring) or I fetch it from a public server and check who vouches for it.

poc
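The argument in the reply above, as an added example that is not part of the original thread: a signature checked against a key that arrived with the message verifies for an impostor as readily as for the real sender, while a check against a fingerprint already in the keyring rejects the impostor. It assumes toy textbook RSA built from known primes as a stand-in for OpenPGP; the function names, the address and the message bodies are hypothetical, and the "who vouches for it" path is not modelled.

```python
import hashlib

E = 65537  # public exponent shared by both constructed toy keys

def make_key(p, q):
    """Toy textbook-RSA keypair from two known primes (illustration only)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def fingerprint(n):
    """Hash of the public key, standing in for an OpenPGP fingerprint."""
    return hashlib.sha256(str(n).encode()).hexdigest()[:40]

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, key):
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def sig_ok(msg, sig, n):
    """Pure math: does sig verify under the public modulus n?"""
    return pow(sig, E, n) == digest(msg, n)

def send(sender, body, key):
    """Build a message that carries its own public key, as the quote proposes."""
    return {"from": sender, "body": body,
            "sig": sign(body, key), "attached_n": key["n"]}

def naive_accept(mail):
    """Trust whatever key arrives attached to the message."""
    return sig_ok(mail["body"], mail["sig"], mail["attached_n"])

def keyring_accept(mail, keyring):
    """Accept only if the key was validated for this sender beforehand."""
    trusted = keyring.get(mail["from"])
    return (trusted == fingerprint(mail["attached_n"])
            and sig_ok(mail["body"], mail["sig"], mail["attached_n"]))

# Constructed keys built from Mersenne primes; far too weak for real use.
ALICE = make_key(2**127 - 1, 2**89 - 1)
IMPOSTOR = make_key(2**107 - 1, 2**61 - 1)
# Fingerprint obtained and checked out of band (hypothetical address).
KEYRING = {"alice@example.org": fingerprint(ALICE["n"])}

GENUINE = send("alice@example.org", b"Meet at noon", ALICE)
FORGED = send("alice@example.org", b"Meeting moved to 3pm", IMPOSTOR)
```

Both messages pass `naive_accept`; only `GENUINE` passes `keyring_accept`.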