Question for app developers, like Enigmail etc. - Identicons

Stefan Claas stefan.claas at posteo.de
Sun Jun 4 22:25:35 CEST 2017


On 04.06.17 20:29, Kristian Fiskerstrand wrote:
> On 06/04/2017 11:21 AM, Stefan Claas wrote:
>> The reason why I ask: I started to use Thunderbird with Enigmail, and
>> Enigmail always shows me "Untrusted Good Signature" with a 32-bit key ID
>> when I have not carefully verified the person's pub key and --lsign'ed
>> the pub-key. Showing only the long key ID or the complete fingerprint
>> is imho more difficult to quickly memorize than an additionally shown
>> identicon (computed from the fingerprint).
> I'm likely missing something there, but if having a reasonable assurance
> the public keyblock in question should likely be lsigned by a local
> CAkey anyways? Doing a manual graphical verification doesn't seem to
> provide anything in terms of security here.
>
>
Call me stupid, I use(d) GnuPG not too much and I'm not a pro user like
many here on the list. But when I receive(d) a signed message the first
time from a user completely unknown to me, I did not lsign his/her key.
Instead I always verified the fingerprint and the email headers a couple
of times.

With Thunderbird/Enigmail (I can't speak for other apps) a user new to GnuPG,
not savvy with checking email headers, not carefully checking the
fingerprint (he must additionally click on the Details button) and who has
never signed a public key before would in my opinion have it easier if he
were presented with an additional visual fingerprint, because after the
second email he would immediately spot that there is something wrong with
the pub-key he has not yet lsigned.

If the visual fingerprint were bullet-proof it would not hurt to implement
such a feature, imho.

Hope that my suggestion is not too naive or too stupid!

Regards
Stefan
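An added illustration of the idea discussed in this message (not code from the thread, from Enigmail or from GnuPG): a deterministic identicon derived from a key fingerprint, shown next to the 32-bit and 64-bit key IDs, for two constructed fingerprints that share the same short key ID. The sample fingerprints, the 7x7 mirrored grid and the SHA-256-based construction are assumptions of this example, not an existing identicon scheme.

```python
import hashlib

# Constructed sample fingerprints (40 hex digits, OpenPGP v4 layout) that
# share their last 8 hex digits, i.e. the same 32-bit short key ID, and
# differ everywhere else. They are not real keys.
FPR_A = "1A2B3C4D5E6F708192A3B4C5D6E7F80912345678"
FPR_B = "FEDCBA9876543210FEDCBA987654321012345678"

GRID = 7  # identicon is a GRID x GRID grid, mirrored left-to-right (assumed layout)


def _normalize(fpr):
    """Accept fingerprints with spaces or lower-case hex, as users paste them."""
    return fpr.replace(" ", "").upper()


def short_key_id(fpr):
    """32-bit key ID of a v4 key: the last 8 hex digits of its fingerprint."""
    return _normalize(fpr)[-8:]


def long_key_id(fpr):
    """64-bit key ID of a v4 key: the last 16 hex digits of its fingerprint."""
    return _normalize(fpr)[-16:]


def identicon(fpr):
    """Return (hue, grid): a hue in [0, 360) and a symmetric GRID x GRID cell grid.

    Both are taken from SHA-256 of the normalized fingerprint, so the same
    fingerprint always yields the same picture and any change to it alters
    roughly half the cells.
    """
    digest = hashlib.sha256(_normalize(fpr).encode()).digest()
    bits = "".join(f"{b:08b}" for b in digest)
    half = (GRID + 1) // 2  # columns chosen from the hash; the rest are mirrored
    grid = []
    for row in range(GRID):
        left = [bits[row * half + col] == "1" for col in range(half)]
        grid.append(left + left[:-1][::-1])  # mirror, excluding the centre column
    hue = digest[-1] * 360 // 256
    return hue, grid


def render(fpr):
    """Text rendering of the identicon plus both key IDs, for a terminal or log."""
    hue, grid = identicon(fpr)
    rows = ["".join("##" if cell else "  " for cell in row) for row in grid]
    header = f"short {short_key_id(fpr)}  long {long_key_id(fpr)}  hue {hue}"
    return header + "\n" + "\n".join(rows)
```

A 7x7 mirrored grid carries only 28 bits, so a matching identicon is a much weaker check than comparing the full 160-bit fingerprint, which is the caveat behind the "bullet-proof" condition above.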
