On 04.06.17 20:29, Kristian Fiskerstrand wrote:
> On 06/04/2017 11:21 AM, Stefan Claas wrote:
>> The reason why I ask, I started to use Thunderbird with Enigmail and
>> Enigmail shows me always Untrusted Good Signature with a 32bit key ID,
>> when I have not carefully verified the person's pub key and --lsign'ed
>> the pub-key. Showing only the long key id or the complete fingerprint
>> is imho more difficult to quickly memorize than an additional shown
>> identicon (computed from the fingerprint).
> I'm likely missing something there, but if having a reasonable assurance
> the public keyblock in question should likely be lsigned by a local
> CA key anyways? Doing a manual graphical verification doesn't seem to
> provide anything in terms of security here.
>

Call me stupid, I use(d) GnuPG not too much and I'm not a pro user like many here on the list. But when I receive(d) a signed message the first time, from a user completely unknown to me, I did not lsign his/her key. Instead I always verified the fingerprint and the email headers a couple of times.

With Thunderbird/Enigmail (I can't speak for other apps) a user new to GnuPG and not savvy with checking email headers and not carefully checking the fingerprint (he must additionally click on the Details button) and who has never signed a public key before would in my opinion have it easier if he would be presented with an additional visual fingerprint imho, because he would immediately spot after the second email if the pub-key, which he has not yet lsigned, that there is something wrong. If the visual fingerprint would be bullet-proof it would not hurt to implement such a feature, imho.

Hope that my suggestion is not too naive or too stupid!

Regards
Stefan