Question for app developers, like Enigmail etc. - Identicons

Ben McGinnes ben at
Sun Jun 4 23:24:42 CEST 2017

On Sun, Jun 04, 2017 at 08:29:31PM +0200, Kristian Fiskerstrand wrote:
> On 06/04/2017 11:21 AM, Stefan Claas wrote:
>> The reason why i ask, i started to use Thunderbird with Enigmail
>> and Enigmail shows me always Untrusted Good Signature with a 32bit
>> key ID, when i have not carefully verified the persons pub key and
>> --lsign'ed the pub-key. Showing only the long key id or the
>> complete fingerprint is imho more difficult to quickly memorize
>> than an additionial shown identicon (computed from the
>> fingerprint).
> I'm likely missing something there, but if having a reasonable
> assurance the public keyblock in question should likely be lsigned
> by a local CAkey anyways? Doing a manual graphical verification
> doesn't seem to provide anythin in terms of security here.

It's got nothing to do with security and everything to do with
providing a unique generated icon for each key so an end user can
personally identify the correct key based on coloured shapes instead
of a hexadecimal string.  Which is why I called it Gravatar for GPG.

It's not the sort of thing that should be in GPG itself, but there's
nothing stopping anyone from incorporating that kind of feature into a
key management tool.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: </pipermail/attachments/20170605/16607801/attachment.sig>

More information about the Gnupg-users mailing list