MUA "automatically signs keys"?

Johannes Zarl johannes at
Wed Jan 29 20:57:12 CET 2014

On Wednesday 29 January 2014 10:52:26 Robert J. Hansen wrote:
> > Well, it could be semi-automatic. I'm only talking about persona
> > certifications, which appear to be understood as verifying that the key
> > and the email address are under the control of the same person.
> I suspect the majority of GnuPG and PGP users could not tell you what
> a persona-level verification means.  Saying they appear to be
> understood as X appears to me to be a dangerous bit of conjecture.

Since GnuPG does equate trust level 1/persona certification to an untrusted
one, that should not be a problem IMO.

I like how this idea could mirror a "natural" web of trust - given proper MUA 
Under the assumption that an attacker can't reliably do a MITM attack on every 
message that is sent over an extended time period, you would place almost no 
trust in a fresh persona-certified key, but high trust in an old and 
frequently encountered key. The trust would grow with time (just like the 
trust in someone you know in real life).


