show-uid-validity default to yes
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Dec 13 23:51:15 CET 2013
On 12/13/2013 04:27 PM, Werner Koch wrote:
> On Fri, 13 Dec 2013 21:24, dkg at fifthhorseman.net said:
>> I think for a piece of critical security infrastructure, GPG has been
>> supporting some insecure practices for far too long.
>
> Why do you think this is insecure? Because gpg does not encrypt to a
> key and users work around this by using --always-trust?

Yes, in this example, that's most likely the short path to an insecure
configuration. I think most users don't really understand the default
trust model, and that makes it more difficult for them to use the tool
securely. Exposing the UID validity is a step toward making the trust
model calculations more visible to users, which is necessary for
understanding.
--dkg