show-uid-validity default to yes

Daniel Kahn Gillmor dkg at
Fri Dec 13 23:51:15 CET 2013

On 12/13/2013 04:27 PM, Werner Koch wrote:
> On Fri, 13 Dec 2013 21:24, dkg at said:
>> I think for a piece of critical security infrastructure, GPG has been
>> supporting some insecure practices for far too long.
> Why do you think this is insecure?  Because gpg does not encrypt to a
> key and users work around this by using --always-trust?

yes, in this example, that's most likely the short path to an insecure
configuration.  I think most users don't really understand the default
trust model, and that makes it more difficult for them to use the tool
securely.  Exposing the UID validity is a step toward making the trust
model calculations more visible to users, which is necessary for


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20131213/967fcfe0/attachment.sig>

More information about the Gnupg-users mailing list