MUA "automatically signs keys"?

Leo Gaspard ekleog at gmail.com
Thu Jan 30 22:28:27 CET 2014


On Thu, Jan 30, 2014 at 09:09:45PM +0000, MFPA wrote:
> > The advantage you have here though is the web of trust.
> > 1 level 1 signature would probably be not enough, but
> > 5, 10, 100..?
> 
> If the signatures are made automatically by email software without
> verifying identity, where is the web of trust? Lots of such signatures
> would tie the key to the email address but not to a person. Email
> addresses, just like phone numbers, may be re-used today by a different
> person than the one who used them last year.

Well... To this at least I can answer. Sure, it links a key to an email address.
Yet, more often than not one knows the email address of the intended recipient
(otherwise, how would he/she send the email?). So knowing that an email address is
associated with a key can be useful.

About email addresses reused by different people... AFAICT most major email services
never re-issue the same email address twice, which could be considered good
practice. If one worries about an email provider stealing the email addresses,
well... A signature on an email UID means "Yes, this key is used by the same
person as the email address". So signing it "automatically" would not conflict
with the meaning of the signature. Yet if the UID also includes a name, then it
should be signed only after appropriate verification of the owner.

Just my two cents,

Leo
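The distinction drawn in this thread (an email-only UID can reasonably be certified by software that has only verified control of the address, while a UID carrying a name needs a human check) can be turned into a small policy filter. The following is an added example, not code from the list or from GnuPG: it parses the `uid` records of a `gpg --with-colons --list-keys` listing (a constructed sample is embedded; the key ids and fingerprints are placeholders) and classifies each UID so that a mail client would know which ones it may sign automatically and which must be deferred to the user.

```python
import re

# Constructed sample in gpg's --with-colons format (placeholder key id and
# fingerprints, example.org address). Field 10 of a "uid" record holds the
# user ID string; gpg escapes ':' inside it as "\x3a".
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1389000000:::u:::scESC::::::23::0:
uid:u::::1389000000::0000000000000000000000000000000000000001::alice@example.org::::::::::0:
uid:u::::1389000000::0000000000000000000000000000000000000002::Alice Example <alice@example.org>::::::::::0:
uid:u::::1389000000::0000000000000000000000000000000000000003::Alice (work key)::::::::::0:
"""

# A UID that is only an address, optionally in angle brackets.
EMAIL_ONLY = re.compile(r"^<?([^<>\s@]+@[^<>\s@]+)>?$")
# A UID with a name (and maybe a comment) followed by <address>.
NAME_EMAIL = re.compile(r"^(.+?)\s*<([^<>\s@]+@[^<>\s@]+)>$")


def classify_uid(uid):
    """Return 'email-only', 'name+email' or 'no-email' for one user ID string."""
    uid = uid.strip()
    if EMAIL_ONLY.match(uid):
        return "email-only"
    if NAME_EMAIL.match(uid):
        return "name+email"
    return "no-email"


def parse_uids(listing):
    """Extract the user ID strings from uid records of a colon-format listing."""
    uids = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "uid" and len(fields) > 9:
            uids.append(fields[9].replace("\\x3a", ":"))
    return uids


def signing_policy(listing):
    """Map each UID to the action a mail client may take after it has only
    verified that mail sent to the address reaches the key holder."""
    policy = []
    for uid in parse_uids(listing):
        kind = classify_uid(uid)
        if kind == "email-only":
            action = "may sign automatically (asserts address control only)"
        elif kind == "name+email":
            action = "defer to user (name requires identity verification)"
        else:
            action = "do not sign (no address to verify)"
        policy.append((uid, kind, action))
    return policy


if __name__ == "__main__":
    for uid, kind, action in signing_policy(SAMPLE_LISTING):
        print(f"{kind:11} {uid!r}: {action}")
```

Only the first UID in the sample would be signed without asking, which is exactly the case the post argues does not stretch the meaning of the certification; anything naming a person is left for the user to verify.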



More information about the Gnupg-users mailing list