Web Key Discovery
bernhard at intevation.de
Mon Apr 9 15:29:38 CEST 2018
On Monday 09 April 2018 15:00:06, Sam Bull wrote:
> Outlined where? I'm still not sure I understand how you would add a new ID
> without a private key?
In my first response I've outlined that having your private key on your server
does not constitute a "major drop" in security.
> So, if someone receives a key with user ID A, and I later
> encrypt/sign with the same key but with user ID B, it won't cause any
Correct, you don't need to see a specific user ID to be able to encrypt to it.
However many email clients put up a warning, which is good.
If you receive cipher text, you can decrypt it, independently from the user ID
that your pubkey had when it was encrypted to it.
> > Yes, but if it is not on there, they would just use their own private key
> > and act as a man in the middle.
> Sure, but that's much easier to detect. e.g. Failing DMARC validation in
> both directions all the time (if they don't have access to my email
> provider or DNS).
Maybe (I don't know, because my knowledge of DMARC is limited; if an attacker
controls your email server, aren't they the legitimate transport MTA?)
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
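An added illustration of the reply's point that encryption does not depend on a user ID (this is not code from the original message or from GnuPG): the public-key encrypted session key packet (tag 1, version 3, RFC 4880 section 5.1) that precedes an OpenPGP ciphertext names its recipient by an 8-octet key ID and has no user ID field. The function names, key IDs and sample bytes are constructed for the example.

```python
import struct

# Public-key algorithm IDs from RFC 4880, section 9.1 (subset).
PK_ALGOS = {1: "RSA", 16: "Elgamal", 18: "ECDH"}

def read_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header
        tag, l0 = first & 0x3F, buf[pos + 1]
        if l0 < 192:
            return tag, pos + 2, l0
        if l0 < 224:
            return tag, pos + 3, ((l0 - 192) << 8) + buf[pos + 2] + 192
        if l0 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not handled here")
    n = 1 << ltype  # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def recipients(message):
    """List (key_id_hex, algorithm) for each leading PKESK packet (tag 1)."""
    out, pos = [], 0
    while pos < len(message):
        tag, start, length = read_header(message, pos)
        if tag != 1:  # session-key packets precede the encrypted data
            break
        body = message[start:start + length]
        if len(body) < 10 or body[0] != 3:
            raise ValueError("only version 3 PKESK is handled")
        out.append((body[1:9].hex().upper(), PK_ALGOS.get(body[9], f"algo {body[9]}")))
        pos = start + length
    return out

# Constructed sample: two PKESK packets (one new-format, one old-format header)
# with made-up key IDs and dummy session-key bytes, then a tag 18 data packet.
_pk1 = bytes([3]) + bytes.fromhex("0123456789ABCDEF") + bytes([1]) + b"\x00\x08\xAA"
_pk2 = bytes([3]) + bytes.fromhex("FEDCBA9876543210") + bytes([18]) + b"\x00\x08\xBB"
SAMPLE = (bytes([0xC1, len(_pk1)]) + _pk1 + bytes([0x84, len(_pk2)]) + _pk2
          + bytes([0xD2, 2, 1, 0]))

if __name__ == "__main__":
    for key_id, algo in recipients(SAMPLE):
        print(key_id, algo)
```

The only recipient information in the packet is the key ID and algorithm, so adding or changing user IDs on the public key afterwards does not affect who can decrypt.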