Re: Practical use of gpgsm for verifying emails

2018-04-30 Thread Teemu Likonen
Jens Lechtenboerger [2018-04-30 08:19:39+02] wrote:

> You don’t. You should not trust them if you don’t know anything about
> them.

> Personally, I try to verify CAs’ fingerprints. Afterwards, I express
> my “trust” in other people’s choices of CAs when verifying their
> signatures (so, pretend “Yes” when asked about trust) but prefer
> OpenPGP over S/MIME whenever possible.

As I requested a practical discussion, I thought that there is some sort
of "practical trust" when verifying S/MIME messages like there usually
is for the web. For example, I can point my web browser to my bank's web
site or your blog at fsfe.org and there is a friendly green lock symbol
in the browser. We normal people think that "this web site is safe"
without checking any fingerprints. Some people even know that the
browser automatically trusts certain authorities to make valid
certificates so that it's really my bank or fsfe.org. Somebody chose
that trust for us because we normal people can't judge.

So I thought that gpgsm would be the same: some root CAs would be
automatically valid and trusted to certify others and gpgsm would just
work like web browsers. I guess not. It forces me to judge and since I
can't judge CAs, gpgsm is probably quite useless. I'm not complaining
about gpgsm. It's just that for a moment I thought it would be like web
browsers but for email.

OpenPGP is probably better for email because it's easier to track and
judge individuals separately with the TOFU or web of trust model and
assign ownertrust.

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Practical use of gpgsm for verifying emails

2018-04-30 Thread Jens Lechtenboerger
On 2018-04-28, Teemu Likonen wrote:

> When verifying an S/MIME message gpgsm (I think) asks whether I
> ultimately trust some certificate authority to certify others and then
> asks me to verify that a displayed fingerprint belongs to the authority.
> How do I know? (So far I have pressed the "Cancel" button.)

You don’t.  You should not trust them if you don’t know anything
about them.

> I went to the certificate authority's web page but couldn't find
> fingerprints.

That’s odd.  Maybe they publish their certificates over HTTPS,
from which you could extract the fingerprint.

> That's not how the CA system usually works anyway. Usually we are not
> supposed to go searching the internet. Usually some experts have
> taught web browsers or operating systems to automatically trust
> certain authorities. So signature verification is transparent.

They added “trust,” not trust.  See [1] for my biased point of view
(still pretty accurate despite its age; nowadays, I would add a
pointer to Certificate Transparency [2]).

> Any suggestions or information for practically managing S/MIME messages?

Personally, I try to verify CAs’ fingerprints.  Afterwards, I
express my “trust” in other people’s choices of CAs when verifying
their signatures (so, pretend “Yes” when asked about trust) but
prefer OpenPGP over S/MIME whenever possible.

Best wishes
Jens

[1] https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/
[2] https://www.certificate-transparency.org/

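A worked illustration of the route Jens describes (fetch the CA's
certificate over HTTPS, extract its fingerprint, compare with a reference
before answering the trust prompt). This is an added example, not code
from GnuPG or from anyone in the thread. It assumes the certificate is
available as PEM and that a reference fingerprint was copied from the
CA's web page; the sample certificate bytes are constructed and are not a
real certificate. The fingerprint gpgsm shows is the SHA-1 hash of the
DER-encoded certificate as colon-separated uppercase hex pairs, and the
"<fingerprint> S" line is the trustlist.txt entry format gpg-agent
documents for an S/MIME root.

```python
"""Compare a CA certificate's fingerprint with a reference before trusting it.

Added example for this thread; not code from GnuPG or from the posters.
Assumptions: the CA certificate was fetched as PEM over HTTPS and the
reference fingerprint was copied from the CA's own web page.
"""
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first certificate from PEM text and return its DER bytes."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # The base64 body is usually wrapped at 64 columns; drop all whitespace.
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hash the DER certificate and print it the way gpgsm does: AB:CD:..."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fpr: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' spellings; return bare uppercase hex."""
    bare = re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()
    if len(bare) not in (40, 64):  # SHA-1 or SHA-256 fingerprint lengths
        raise ValueError(f"unexpected fingerprint length {len(bare)}")
    return bare


def fingerprints_match(shown: str, reference: str) -> bool:
    """Constant-time comparison of two fingerprints after normalization."""
    a, b = normalize(shown), normalize(reference)
    return len(a) == len(b) and hmac.compare_digest(a, b)


def trustlist_entry(der: bytes) -> str:
    """Line gpg-agent records in ~/.gnupg/trustlist.txt for an S/MIME root."""
    return f"{fingerprint(der)} S"


def check_ca(pem: str, reference_fpr: str) -> dict:
    """Return both fingerprints and whether the reference agrees with SHA-1."""
    der = pem_to_der(pem)
    sha1 = fingerprint(der, "sha1")
    ok = fingerprints_match(sha1, reference_fpr)
    return {
        "sha1": sha1,
        "sha256": fingerprint(der, "sha256"),
        "matches_reference": ok,
        # Only hand out a trustlist line when the reference check passed.
        "trustlist_line": trustlist_entry(der) if ok else None,
    }


# Constructed sample input: these bytes are NOT a real certificate; they
# only stand in for DER so the example runs offline.
SAMPLE_DER = b"constructed stand-in for a DER-encoded CA certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Pretend the CA's web page listed the value lowercase and space separated.
    reference = fingerprint(SAMPLE_DER).replace(":", " ").lower()
    print(check_ca(SAMPLE_PEM, reference))
    # A single changed digit must fail, however the value is spelled.
    tampered = ("0" if reference[0] != "0" else "1") + reference[1:]
    print(check_ca(SAMPLE_PEM, tampered)["matches_reference"])
```

The point of the check is that the trust prompt's "Yes" becomes a
decision backed by a second source: only when the SHA-1 fingerprint
gpgsm shows agrees with the one published by the CA does the function
return the line that would go into trustlist.txt; on any mismatch it
returns None and nothing should be trusted.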


Practical use of gpgsm for verifying emails

2018-04-28 Thread Teemu Likonen
I read email with Gnus (Emacs) and from time to time someone has signed
his mail with the S/MIME (X.509) system. My Gnus tries to verify
signatures automatically and it works nicely with PGP/MIME but S/MIME is
more difficult.

When verifying an S/MIME message gpgsm (I think) asks whether I
ultimately trust some certificate authority to certify others and then
asks me to verify that a displayed fingerprint belongs to the authority.
How do I know? (So far I have pressed the "Cancel" button.)

I went to the certificate authority's web page but couldn't find
fingerprints. That's not how the CA system usually works anyway. Usually
we are not supposed to go searching the internet. Usually some experts
have taught web browsers or operating systems to automatically trust
certain authorities. So signature verification is transparent.

Any suggestions or information for practically managing S/MIME messages?

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

