Trusting other keys a message was encrypted to

[MFPA]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 7 November 2015 at 2:01:38 AM, in
<mid:6D794D30-C482-4819-9917-E68EE8C0A13B at sumptuouscapital.com>,
Kristian Fiskerstrand wrote:


> [Sent from my iPad, as it is not a secured device there
> are no cryptographic keys on this device, meaning this
> message is sent without an OpenPGP signature. In
> general you should *not* rely on any information sent
> over such an unsecure channel, if you find any
> information controversial or un-expected send a
> response and request a signed confirmation]

At least that's better than the usual line from such devices, which
reads more like an advert than a warning. (-;



> I'm not really sure if I understand what this would
> protect against; The sender can send the information in
> multiple emails, even forward it unencrypted without
> you having any control of it.

Yes, anybody who was a party to the communication can share the
information outside of the encrypted messages that were exchanged. We
can't do anything about that, so should not worry about it. We should
only worry about the security of the specific messages that we send or
receive.

For messages we send, in your own words "You should encrypt only to
keys you trust". That is an active measure controlled by the sender.

For messages we receive, we cannot control which keys were included in
the encryption list. But we *could* check to see if any of them gives
us cause for concern. Maybe there is a good reason this check is not
currently done. The fact that information is available and *could* be
used does not mean it necessarily *should* be used.


- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

Penguins are not to be trusted, especially those who listen to organ music.
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJWPdwrXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwsxAH/3YvXP+TFANx/ZNbPef9/u3E
vdr6xP/8t2LKlGtJJAPEzT4SN0fgLJu+fhtVnhgNp+ECQGUFpUST8f4Ph9aHGuyX
oxJ1NnLcRB/mcVscGCbLvTSv9KJgwjfCKR99kZnssV1/Na/iCIaMH1U+9QhvRzDD
u9MwaVxw4iUxWPnU1w/BpAboVZh7n+KJ3v9AwaBgxZxEXoL53z657t4c0b2Ck9tQ
PLQhZP/9906NaEseRG7tE426aejMFEKoUDuzxhITzcRpn1DDZRzld2jJTtN4Edep
NsIRXkeFr86i0fU91eHBWzMXcH9bOwoyaiBqlNrVgizznlPqMvgZEApjtOpfANuI
vgQBFgoAZgUCVj3cMV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45FSrAP4xmrcp4uNk4TLmDS98EV+5/Hzz
r3EWqBHjCtJpKh95kgD8DuXpTI7Ymavvn87Qw1s4XPoaAVzsu6pr2oHRT8mUCgc=
=XjXp
-----END PGP SIGNATURE-----