MIME or inline signature ?

Ludwig Hügelschäfer mlisten at hammernoch.net
Sun Feb 15 17:25:56 CET 2015


On 15.02.15 16:30, Stephan Beck wrote:

> OK, I give you that, strictly speaking, it might not be the same,
> but at the moment I had no other measure at hand to remind me of
> being careful with that kind of event. And a bad signature event is
> not the ideal event for putting trust in a key owner's identity at
> all.

You cannot get trust from good or bad mail signatures. You also cannot
get distrust.

A "bad signature" _only shows one thing_: The message was modified
along the way from the signing process (at the sender's computer) to
the verification process (at your computer). This can be a tool
shortcoming, a mail server mangling the contents or the mailing list
software. You cannot decide where the modification took place. So all
evidence is technical. There's absolutely no reason to distrust the
mail sender. 1000 good mail signatures from him don't show anything
regarding his key. 1000 bad signatures either.

The only place to get trust to the sender's key (i.e. to make it
"valid" for you) is to meet the key owner in real life, verify the
identity documents, his fingerprint and mail addresses and sign his
key if everything is ok. There's no measure to replace this procedure.

Ludwig


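Added illustration, not part of the message above and not GnuPG code: the Python sketch below hashes a cleartext-signed body the way RFC 4880 section 7.1 canonicalizes it, then shows which typical transit changes leave the digest intact and which turn a signature "bad" without any key or sender being involved. The sample body and the transit cases are constructed, and the digest leaves out the signature packet trailer that a real verifier also hashes.

```python
import hashlib
import textwrap

def signed_digest(body: str) -> str:
    """SHA-512 over the canonical text of a cleartext-signed body (RFC 4880, 7.1).
    Simplification: a real verifier also hashes the signature packet trailer."""
    canon = []
    for line in body.replace("\r\n", "\n").split("\n"):
        if line.startswith("- "):          # dash-escaping is undone before hashing
            line = line[2:]
        canon.append(line.rstrip(" \t"))   # trailing blanks are not part of the signed text
    return hashlib.sha512("\r\n".join(canon).encode("utf-8")).hexdigest()

# Constructed sample body, as it sits between the armor header and the signature.
BODY = (
    "Hello list,\n"
    "\n"
    "From now on the weekly call starts one hour later than before, "
    "see the agenda for details.\n"
    "- -- \n"
    "Alice"
)

def rewrap(body: str, width: int = 60) -> str:
    """Re-wrap long lines, as some mail clients and gateways do."""
    return "\n".join(textwrap.fill(l, width) if len(l) > width else l
                     for l in body.split("\n"))

# Constructed transit changes of the kind a tool or mail server can make.
TRANSIT = {
    "CRLF line endings": BODY.replace("\n", "\r\n"),
    "trailing blanks added": BODY.replace("list,\n", "list,  \n"),
    "long line re-wrapped": rewrap(BODY),
    "mbox From-line escaped": BODY.replace("\nFrom now", "\n>From now"),
}

def classify(body: str = BODY) -> dict:
    """Map each transit change to 'good' or 'bad' as a verifier would report it."""
    ref = signed_digest(body)
    return {name: "good" if signed_digest(changed) == ref else "bad"
            for name, changed in TRANSIT.items()}

if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{verdict:4}  {name}")
```

The two "bad" cases differ from the signed text by a single character or a moved line break, and nothing in the result says which hop made the change.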


More information about the Gnupg-users mailing list