Janusz A. Urbanowicz
alex at syjon.fantastyka.net
Fri Jan 3 15:30:01 CET 2003
On Fri, Jan 03, 2003 at 02:04:26PM +0100, Werner Koch wrote:
> On Thu, 2 Jan 2003 21:36:07 -0500, David Shaw said:
> > It seems like a good idea to me as well, but I'm worried about what it
> > will mean for various programs that call GnuPG. The default GnuPG
> > config for Mutt, for example, uses the --quiet option. People may be
>
> I don't think that it is a good idea at all. The MUA should decide
> which address to display and GnuPG provides all required information.
> A MUA should even check that the From/Reply-to address matches one of
> the user IDs in the signature. Without this it would be easy to trick
> someone into replying (probably including quoted decrypted text) to a man
> in the middle.

No MUA I know of does this. Maybe Mahogany will.

I also don't know if it is a good idea to list all possible addresses that I
may use in any context. I can think of about 8 addresses that my emails can
come from (that I use in various contexts and situations). Should I list all
of those in my key? Currently I list there only 3 addresses that are certain
to reach me. And listing all those during verification (below is output from
mutt) does not help much when there's From: <discussion list> for example.

X-Original-Date: Fri, 3 Jan 2003 13:30:58 +0100
[-- PGP output follows (current time: Fri Jan 3 14:39:11 2003) --]
gpg: Signature made Fri Jan 3 13:30:57 2003 CET using DSA key ID 4065A1DA
gpg: Good signature from "Thorsten Haude <yooden
gpg: aka "Thorsten Haude <yoo
gpg: aka "Thorsten Haude <yooden
gpg: aka "Thorsten Haude <thaude
gpg: aka "Thorsten Haude <mail
gpg: aka "Thorsten Haude <mutt
gpg: aka "Thorsten Haude <linux
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
gpg: Fingerprint: 8F4A 9AA1 2876 74C1 28E9 4ACF 5BFC 7624 4065 A1DA
[-- End of PGP output --]
[-- The following data is signed --]
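
Added example, not part of the original message or of GnuPG/Mutt: a sketch of the MUA-side check discussed in this thread, comparing the From/Reply-To addresses of a message against the usable user IDs on the signing key. The colon listing, addresses and function names are constructed for illustration; the field positions follow GnuPG's `--with-colons` format (field 2 validity, field 10 user ID).

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample of `gpg --with-colons --list-keys` output for the
# key that made a good signature (all values are made up).
SAMPLE_COLONS = """\
pub:f:1024:17:0123456789ABCDEF:1041600000:::-:::scESC:
uid:f::::1041600000::AAAA::Alice Example <alice@example.org>:
uid:f::::1041600000::BBBB::Alice Example <alice@work.example.com>:
uid:r::::1041600000::CCCC::Alice Example <old@example.net>:
"""

def key_addresses(colons):
    """Return the lower-cased addresses of all usable user IDs."""
    addrs = set()
    for line in colons.splitlines():
        f = line.split(":")
        # Old GnuPG versions put the primary user ID on the pub record.
        if f[0] not in ("pub", "uid") or len(f) < 10 or not f[9]:
            continue
        if f[1] in ("r", "e", "i"):  # revoked, expired or invalid
            continue
        # User IDs are C-style escaped in colon listings (e.g. \x3a for ':').
        uid = re.sub(r"\\x([0-9a-fA-F]{2})",
                     lambda m: chr(int(m.group(1), 16)), f[9])
        m = re.search(r"<([^<>@\s]+@[^<>\s]+)>", uid)
        if m:
            addrs.add(m.group(1).lower())
    return addrs

def unmatched_reply_targets(raw_message, colons):
    """Return From/Reply-To addresses that are NOT on the signing key.

    An empty list means every address a reply could go to is covered by
    a user ID; anything else is what the MUA should warn about.
    """
    msg = message_from_string(raw_message)
    on_key = key_addresses(colons)
    headers = msg.get_all("From", []) + msg.get_all("Reply-To", [])
    # Addresses are compared case-insensitively (a simplification).
    seen = [addr.lower() for _, addr in getaddresses(headers) if addr]
    return [addr for addr in seen if addr not in on_key]
```

A message whose From: is a discussion list address is reported as unmatched as well, which is the case raised in the reply above; the check only tells the MUA when to warn, not what to display.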