Hi Andreas,

> On 27.02.2015 at 21:12, Andreas Schwier
> <andreas.schwier...@cardcontact.de> wrote:
> The keyserver would make sense, if my mail client would automatically
> fetch the public key from a server, based on the e-mail address of the
> sender and some identity data (e.g. fingerprint) in the mail signature.

FWIW, that's how GPGMail, the Apple Mail plug-in on OS X, does it, or *can* do it (the feature can be disabled). It will fetch keys based on the e-mail address and signature. So only if it finds a key on the key server that can verify the signature will it add it to the local key ring. I believe you can also do that with Enigmail by editing something on the Key Servers page of the *advanced* Enigmail settings dialog.

So the Mail plug-in doesn't just add keys based on the e-mail address, but needs additional clues that the sender is OpenPGP-capable. And so far, I think I've only seen it do that with signatures.

> I have been using GNUPG for ages now, but I verified fingerprints only a
> handful of times. Most of the time, I ask my peer for his public key
> and wait for the mail to arrive. For me web-of-trust and key signing
> parties don't make any sense, because I'd rather start a communication
> with a bogus key and establish trust in my genuine peer from the
> conversation we are having.

That's how things have developed for me over the past year since I started using GnuPG again.

> I like the way Threema does it: I can immediately start a secure
> communication and if I need I can elevate the trust I have in the key.
> But most of the time I'm communicating with people I know anyway.

Yes, and Threema itself even offers a few levels of potential trust through verification of the phone number and/or e-mail address, indicating that the other party has established it has access to one or both of these means, without actually giving away the phone number or e-mail address. And if one has that Threema contact in one's own address book and chose to look them up on the Threema servers, that is also indicated.

This is a level of proof of ownership I was also referring to earlier, where one can do a bit more to tell others "hey, this is really me!".

Marco
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users