GPG support in Mahogany

[Xavier Nodet]

On Tue, 10 Dec 2002 17:18:23 +0100 Michael Nahrath <gnupg-users@nahrath.de> wrote:

> Xavier Nodet <xavier.nodet@free.fr> schrieb am 2002-12-10 16:25 Uhr:

>> Something more specific to mails. When a message is signed, we should
>> verify that the 'From:' header actually matches one of the IDs of the
>> signing key.

> IMHO this is nonsense. I use much more mail addresses as a sender than I
> would like to bloat my key with (check this mail for an example).

I was not clear enough. I was only speaking about a warning (which could
be disabled) when the user *receives* a message. I had not thought about
a warning when sending a signed message.

I was wondering about the following: if signing messages becomes more
and more common, I guess people will more and more rely on the fact that
the signature is good, without checking that this signature is actually
from the correct person.

One could receive a forged mail in the name of its boss, that tells him
to do something, and that is actually signed by some key that does not
belong to his boss. I would like to help, as far as possible, to
recognize such a situation.

Actually, while writing this, I realize that such a key would most
probably not be trusted. Maybe this alone is a reason for this
discussion to be moot...

So I guess that making sure a message signed by an untrusted key is
displayed as such should be enough. 

Thanks for your input, and sorry for the fuss...

-- 
Xavier Nodet
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin, 1759.