Don't send encrypted messages to random users
Konstantin Gribov
grossws at gmail.com
Tue May 30 11:44:09 CEST 2017
Yes, they could. But publishing all subkeys is simpler than publishing some
of them. And key is usually generated with both sign and encryption subkey
as many guides, howtos etc guide people to.
To look at such test emails from the other point of view just imagine that
someone found your email on public repo/bugtracker/ml starts to spam you
with test emails. Such an event certainly would upset me.
Another thing which shocked me is statistics from Golang folks [1]. Brad
Fitzpatrick said:
> 99% of the PGP-encrypted emails we get to security at golang.org are bogus
security reports. Whereas "cleartext" security reports are only about 5-10%
bogus. Getting a PGP-encrypted email to security at golang.org has basically
become a reliable signal that the report is going to be bogus, so I stopped
caring about spending the 5 minutes decrypting the damn thing (logging in
to the key server to get the key, remembering how to use gpg).
> ...
> In summary, the PGP tooling sucks (especially in gmail, but really
everywhere) and it's too often used by people who are more interested in
using PGP than reporting valid security issues.
When he says "cleartext" it's plain text send over TLS MTA-to-MTA
connections. Almost all mail providers use starttls now.
[1]: https://news.ycombinator.com/item?id=14123388
вт, 30 мая 2017, 8:46 Ineiev <ineiev at gnu.org>:
> On Mon, May 29, 2017 at 11:52:27PM +0000, Konstantin Gribov wrote:
> >
> > As an example, many open source devs are publishing their keys which they
> > use for signing software releases but rarely for encrypted communication.
>
> On the other hand, they could publish certificates without encrypting
> subkeys.
>
--
Best regards,
Konstantin Gribov
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20170530/01b0a9a5/attachment.html>
More information about the Gnupg-users
mailing list