On Thu 2017-01-26 13:36:09 -0500, Jens Lechtenboerger wrote:
> On 2017-01-25, at 15:30, Daniel Kahn Gillmor wrote:
>> On Wed 2017-01-25 15:09:47 -0500, Jens Lechtenboerger wrote:
>>> mml2015-always-trust is replaced by mml-secure-openpgp-always-trust
>>> nowadays. I certainly wouldn’t object if the default value was
>>> changed, but lots of long-term users might be surprised.
>>
>> It's also possible that lots of long-term users might be surprised to
>> find that refreshing one key in their keyring is likely to cause a
>> change in behavior for the use of other keys in their keyring. this is
>> a silent surprise, which seems worse than a public surprise.
>
> Sorry, I don’t understand this. What change in one key is causing
> silent changes for other keys?

Without the notification that multiple keys are available, Bob can add
Carol's User ID to his cert; depending on where the certs are
positioned linearly in Alice's keyring, mail to Carol might be encrypted
to Bob's key, or to Alice's key.

I think this is mitigated at least in part by prompting the user when
there are multiple keys available, though.

> That’s customized in mml-secure-key-preferences. So, the usual
> customize interface is available. And there is some code to detect
> and remove unusable customizations.

When was this introduced? i don't see it, but then i'm still using
emacs24. Do i need to upgrade?

>> Modern versions of GnuPG also provide a "tofu" mechanism to store and
>> track that kind of decision in. Neal Walfield (also cc'ed here) put in
>> a lot of that implementation, so he might have some suggestions for the
>> best way to handle it.
>
> If Emacs was relying on GnuPG’s decisions, nothing special would be
> necessary for tofu, right? (Users could activate that in their
> gpg.conf.)

Neal can answer this better than i can. I think the TOFU mode works
best when there's a bit of UI integration -- emacs would provide the way
for the user to answer a question prompted by gpg, and then gpg is
responsible for storing/tracking all the info.

--dkg
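
The ordering dependence described in the message above, and the effect of surfacing multiple matches instead of taking the first one, as an added Python model (not code from Gnus, mml-secure or GnuPG). The cert layout, placeholder fingerprints, preference dictionary and function names are assumptions; the model assumes Alice's keyring holds Carol's own cert plus Bob's cert carrying an extra User ID for Carol's address, with User IDs reduced to bare addresses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    fingerprint: str   # constructed placeholder, not a real fingerprint
    owner: str
    user_ids: tuple    # simplified: bare e-mail addresses only

class AmbiguousRecipient(Exception):
    """More than one cert claims the address and no usable choice is stored."""
    def __init__(self, address, certs):
        super().__init__(f"{len(certs)} certs claim {address}")
        self.certs = certs

def candidates(keyring, address):
    """Every cert with a User ID for address, in keyring order."""
    addr = address.lower()
    return [c for c in keyring if addr in (u.lower() for u in c.user_ids)]

def select_first_match(keyring, address):
    """Order-dependent lookup: silently returns whichever cert comes first."""
    found = candidates(keyring, address)
    return found[0] if found else None

def select_or_prompt(keyring, address, preferences=None):
    """Return the only match or the stored choice; otherwise make the UI ask.

    preferences is a hypothetical {address: fingerprint} store. A stored
    fingerprint that no longer matches a candidate is treated as unusable.
    """
    found = candidates(keyring, address)
    if not found:
        raise LookupError(f"no cert for {address}")
    if len(found) == 1:
        return found[0]
    wanted = (preferences or {}).get(address.lower())
    for cert in found:
        if cert.fingerprint == wanted:
            return cert
    raise AmbiguousRecipient(address, found)

# Constructed sample data.
CAROL = Cert("CAROL-FPR-PLACEHOLDER", "Carol", ("carol@example.org",))
BOB = Cert("BOB-FPR-PLACEHOLDER", "Bob", ("bob@example.org", "carol@example.org"))

if __name__ == "__main__":
    for ring in ([CAROL, BOB], [BOB, CAROL]):
        print([c.owner for c in ring], "->", select_first_match(ring, "carol@example.org").owner)
```

With first-match lookup the recipient key changes when the keyring order changes; `select_or_prompt` returns the same cert for both orders once a choice is stored, and raises `AmbiguousRecipient` until then.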