German ct magazine postulates death of pgp encryption

Marco Zehe marcozehe-ml at mailbox.org
Sat Feb 28 07:21:57 CET 2015


Hi Andreas,

> Am 27.02.2015 um 21:12 schrieb Andreas Schwier <andreas.schwier.ml at cardcontact.de>:
> The keyserver would make sense, if my mail client would automatically
> fetch the public key from a server, based on the e-mail address of the
> sender and some identity data (e.g. fingerprint) in the mail signature.

FWIW, that’s how GPGMail, the Apple Mail plug-in on OS X, does it, or *can* do it (the feature can be disabled). It will fetch keys based on the e-mail address and signature. So only if it finds a key on the key server that can verify the signature, will it add it to the local key ring. I believe you can also do that with Enigmail by editing something on the Key Servers page of the *advanced* Enigmail settings dialog. So the Mail plugin doesn’t just add keys based on the e-mail address, but needs additional clues that the sender is OpenPGP-capable. And so far, I think I’ve only seen it do that with signatures.

> 
> I have been using GNUPG for ages now, but I verified fingerprints only a
> handful of times. Most of the time, I ask my peer for his public key
> and wait for the mail to arrive. For me web-of-trust and key signing
> parties don't make any sense, because I'd rather start a communication
> with a bogus key and establish trust in my genuine peer from the
> conversation we are having.

That’s how things have developed for me over the past year since I started using GnuPG again.

> I like the way Threema does it: I can immediately start a secure
> communication and if I need I can elevate the trust I have in the key.
> But most of the time I'm communicating with people I know anyway.

Yes, and Threema itself even offers a few levels of potential trust through verification of the phone number and/or e-mail address, indicating that the other party has established it has access to one or both of these means, without actually giving away the phone number or e-mail address. And if one has that Threema contact in one’s own address book and has chosen to look them up on the Threema servers, that is also indicated. This is a level of proof of ownership I was also referring to earlier, where one can do a bit more to tell others „hey, this is really me!“.

Marco
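The two behaviours discussed in this message, a mail client that fetches keyserver candidates for an address but imports only the one that actually verifies the signature, and a trust-on-first-use workflow where a key is pinned on first contact and trust is raised later by an out-of-band fingerprint check, as an added illustration (this is not code from the thread, nor from GPGMail, Enigmail or Threema). The keyserver contents, the addresses, the key ids and the `toy_sign`/`toy_verify` functions are constructed stand-ins; real OpenPGP signature verification is replaced by a SHA-256 over key id and message so the example runs offline.

```python
"""Trust-on-first-use (TOFU) key store modelling the keyserver auto-fetch
and trust-elevation behaviour discussed in the thread (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import IntEnum


class Trust(IntEnum):
    CONFLICT = -1   # a different key verified for an address that is already pinned
    UNKNOWN = 0     # no keyserver candidate verified the signature
    TOFU = 1        # pinned on first contact: signature verified, owner not
    VERIFIED = 2    # fingerprint compared out of band by the user


def toy_sign(key_id: str, message: str) -> str:
    """Constructed stand-in for an OpenPGP signature. NOT real cryptography."""
    return hashlib.sha256(f"{key_id}|{message}".encode()).hexdigest()


def toy_verify(key_id: str, message: str, signature: str) -> bool:
    """Constant-time comparison of the stand-in signature."""
    return hmac.compare_digest(toy_sign(key_id, message), signature)


# Constructed keyserver contents: one address, several candidate keys, as real
# keyservers often hold (superseded keys, uploads nobody verified).
KEYSERVER = {
    "alice@example.org": ["0xALICE2013", "0xALICE2015", "0xBOGUS0001"],
}


@dataclass
class TofuStore:
    # address -> (pinned key id, trust level)
    pins: dict = field(default_factory=dict)

    def select_key(self, address: str, message: str, signature: str):
        """Keyserver auto-fetch rule: of all candidates returned for the
        address, accept only the key that verifies this message's signature."""
        for key_id in KEYSERVER.get(address, []):
            if toy_verify(key_id, message, signature):
                return key_id
        return None

    def receive(self, address: str, message: str, signature: str) -> Trust:
        """Process an incoming signed message and return the resulting trust."""
        key_id = self.select_key(address, message, signature)
        if key_id is None:
            return Trust.UNKNOWN            # nothing importable; no pin is made
        pinned = self.pins.get(address)
        if pinned is None:
            self.pins[address] = (key_id, Trust.TOFU)   # first contact: pin it
            return Trust.TOFU
        pinned_key, level = pinned
        if pinned_key != key_id:
            # Another key that also verifies appeared for a pinned address.
            # The pin is left untouched; the caller must surface this to the user.
            return Trust.CONFLICT
        return level

    def verify_fingerprint(self, address: str, fingerprint_seen: str) -> bool:
        """Out-of-band check (phone call, business card, key signing): if the
        fingerprint the user saw matches the pinned key, raise trust."""
        pinned_key, _ = self.pins[address]
        if fingerprint_seen != pinned_key:
            return False
        self.pins[address] = (pinned_key, Trust.VERIFIED)
        return True


if __name__ == "__main__":
    store = TofuStore()
    sig = toy_sign("0xALICE2015", "first mail")
    print(store.receive("alice@example.org", "first mail", sig).name)   # TOFU
    print(store.verify_fingerprint("alice@example.org", "0xALICE2015"))  # True
```

The point the store makes concrete is that the keyserver is only a lookup table: the address alone never causes an import, the signature decides which candidate is worth pinning, and a later message that verifies under a different key is reported as a conflict rather than silently replacing the pin.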



More information about the Gnupg-users mailing list