GPG support in Mahogany
Tue Dec 10 17:40:02 2002
On Tue, 10 Dec 2002 17:18:23 +0100 Michael Nahrath <firstname.lastname@example.org> wrote:
> Xavier Nodet <email@example.com> schrieb am 2002-12-10 16:25 Uhr:
>> Something more specific to mails. When a message is signed, we should
>> verify that the 'From:' header actually matches one of the IDs of the
>> signing key.
> IMHO this is nonsense. I use much more mail addresses as a sender than I
> would like to bloat my key with (check this mail for an example).
I was not clear enough. I was only speaking about a warning (which could
be disabled) when the user *receives* a message. I had not thought about
a warning when sending a signed message.
I was wondering about the following: if signing messages becomes more
and more common, I guess people will more and more rely on the fact that
the signature is good, without checking that this signature is actually
from the correct person.
One could receive a forged mail in the name of its boss, that tells him
to do something, and that is actually signed by some key that does not
belong to his boss. I would like to help, as far as possible, to
recognize such a situation.
Actually, while writing this, I realize that such a key would most
probably not be trusted. Maybe this alone is a reason for this
discussion to be moot...
So I guess that making sure a message signed by an untrusted key is
displayed as such should be enough.
Thanks for your input, and sorry for the fuss...
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin, 1759.