A bug in version 1.2.1?

David Shaw dshaw@jabberwocky.com
Wed Dec 11 14:07:02 2002


On Wed, Dec 11, 2002 at 10:55:27AM +0100, Michael Nahrath wrote:
> Alexandros Papadopoulos <apapadop@cmu.edu> schrieb am 2002-12-11 07:23 Uhr:
> 
> > On Tuesday 10 December 2002 21:47, engage wrote:
> >> When I try to encrypt a message within Kmail, I get a window for
> >> verifying/selecting keys. Even though I have that person's key on the
> >> keyring and even though it shows that person's key in the window, I
> >> can't encrypt to that person or even select the appropriate key.
> >> However, I can encrypt from the CLI. Is it a Kmail 1.4.3 (KDE 3.x)
> >> bug or a GPG 1.2.1 bug?
> > 
> > You need to at least lsign the key. Assign NO trust if you like, but
> > KMail will not let you encrypt to a key you have not signed.
> 
> Are the Kmail authors informed?
> When will they fix this severe bug?
> 
> Forcing users to sign keys without proof of the owner's identity, just to
> trick their software, is BAD.

It is okay so long as the user signs the key locally ("lsign").  This
is one of the things lsign is for.  It does not affect any other user
since the signature is local.

> There may be warnings ("You have no trustpath to this key that indicates its
> validity. Use anyway? [[cancel]] [OK]") or a pref to switch this off.

This is much better of course.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson