Jens Lechtenboerger [2018-04-30 08:19:39+02] wrote:

> You don’t. You should not trust them if you don’t know anything about
> them.

> Personally, I try to verify CAs’ fingerprints. Afterwards, I express
> my “trust” in other people’s choices of CAs when verifying their
> signatures (so, pretend “Yes” when asked about trust) but prefer
> OpenPGP over S/MIME whenever possible.

As I requested a practical discussion, I thought that there is some sort of "practical trust" when verifying S/MIME messages, like there usually is for the web. For example, I can point my web browser to my bank's web site or your blog at fsfe.org and there is a friendly green lock symbol in the browser. We normal people think that "this web site is safe" without checking any fingerprints. Some people even know that the browser automatically trusts certain authorities to make valid certificates, so that it's really my bank or fsfe.org. Somebody chose that trust for us because we normal people can't judge.

So I thought that gpgsm would be the same: some root CAs would be automatically valid and trusted to certify others, and gpgsm would just work like web browsers. I guess not. It forces me to judge, and since I can't judge CAs, gpgsm is probably quite useless.

I'm not complaining about gpgsm. It's just that for a moment I thought it would be like web browsers but for email. OpenPGP is probably better for email because it's easier to track and judge individuals separately with the TOFU or web of trust model and assign ownertrust.

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
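The post above describes the practical difference between a browser and gpgsm: the browser ships a bundle of pre-trusted roots, whereas gpgsm consults the trustlist.txt that gpg-agent keeps in the GnuPG home directory and, for a root it finds nowhere in that file, has to ask the user. The example below is an added illustration for this thread, not GnuPG code: it parses the trustlist.txt line format (an optional `!` for "explicitly distrusted", the root's SHA-1 fingerprint in hex with optional colons, a scope letter `S` for S/MIME, `P` for OpenPGP or `*` for both, then optional flags such as `relax`) and reports which of the four states a given root is in. The trustlist contents and all fingerprints are constructed sample data; the duplicate-line rule (first line wins) is an assumption of this example, not documented GnuPG behaviour.

```python
"""Model the root-CA trust decision gpgsm makes from gpg-agent's trustlist.txt.

Added example, not GnuPG's own code.  Non-comment lines of trustlist.txt
look like

    [!]<SHA-1 fingerprint in hex, colons optional> <S|P|*> [flags ...]

'!' marks the root as explicitly distrusted, 'S' trusts it for S/MIME (gpgsm),
'P' for OpenPGP, '*' for both.  Everything below is constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed sample trustlist.txt; the fingerprints are obviously fake.
SAMPLE_TRUSTLIST = """\
# Comment lines and blank lines are ignored
1111111111111111111111111111111111111111 S
22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22 S relax

!3333333333333333333333333333333333333333 S
4444444444444444444444444444444444444444 P
5555555555555555555555555555555555555555 *
"""


@dataclass(frozen=True)
class TrustEntry:
    fingerprint: str   # 40 upper-case hex digits, colons removed
    scope: str         # 'S', 'P' or '*'
    distrusted: bool   # line started with '!'
    flags: tuple       # trailing flags, e.g. ('relax',)


_LINE = re.compile(r"^(!?)\s*([0-9A-Fa-f:]+)\s+([SP*])(?:\s+(.*))?$")


def normalise_fpr(fpr: str) -> str:
    """Strip colons/spaces and upper-case, so both spellings compare equal."""
    return fpr.replace(":", "").replace(" ", "").upper()


def parse_trustlist(text: str) -> dict:
    """Return {fingerprint: TrustEntry}; raise ValueError on a malformed line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"trustlist line {lineno}: cannot parse {raw!r}")
        bang, fpr, scope, rest = m.groups()
        fpr = normalise_fpr(fpr)
        if len(fpr) != 40:
            raise ValueError(f"trustlist line {lineno}: fingerprint is not 40 hex digits")
        flags = tuple(rest.split()) if rest else ()
        # Assumption of this example: if a fingerprint is listed twice, the
        # first line wins.
        entries.setdefault(fpr, TrustEntry(fpr, scope, bang == "!", flags))
    return entries


def trust_status(entries: dict, fingerprint: str, purpose: str = "S") -> str:
    """'trusted', 'distrusted', 'wrong-scope' or 'unknown' for one root.

    'unknown' is the situation the post describes: the file has no opinion,
    so gpgsm cannot decide on its own and the user is asked to judge.
    """
    entry = entries.get(normalise_fpr(fingerprint))
    if entry is None:
        return "unknown"
    if entry.distrusted:
        return "distrusted"
    if entry.scope not in ("*", purpose):
        return "wrong-scope"
    return "trusted"


def is_trusted(entries: dict, fingerprint: str, purpose: str = "S") -> bool:
    return trust_status(entries, fingerprint, purpose) == "trusted"


def trust_line(fingerprint: str, purpose: str = "S", relax: bool = False) -> str:
    """Line to append to trustlist.txt once a root's fingerprint was verified out of band."""
    fpr = normalise_fpr(fingerprint)
    if len(fpr) != 40 or purpose not in ("S", "P", "*"):
        raise ValueError("need a 40-hex-digit fingerprint and scope S, P or *")
    return f"{fpr} {purpose}" + (" relax" if relax else "")


if __name__ == "__main__":
    entries = parse_trustlist(SAMPLE_TRUSTLIST)
    for fpr in entries:
        print(fpr, "S/MIME:", trust_status(entries, fpr, "S"),
              "OpenPGP:", trust_status(entries, fpr, "P"))
    print("6" * 40, "S/MIME:", trust_status(entries, "6" * 40))
```

After verifying a root's fingerprint against an out-of-band source, the practical step is to append the line `trust_line()` produces to `~/.gnupg/trustlist.txt` (or the system-wide `/etc/gnupg/trustlist.txt`) and run `gpgconf --reload gpg-agent`, after which gpgsm stops asking for that root.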