Practical use of gpgsm for verifying emails
lechten at wi.uni-muenster.de
Mon Apr 30 08:19:39 CEST 2018
On 2018-04-28, Teemu Likonen wrote:
> When verifying an S/MIME message gpgsm (I think) asks whether I
> ultimately trust some certificate authority to certify others and then
> asks me to verify that a displayed fingerprint belongs to the authority.
> How do I know? (So far I have pressed the "Cancel" button.)
You don’t. You should not trust them if you don’t know anything
> I went to the certificate authority's web page but couldn't find
That’s odd. Maybe they publish their certificates over HTTPS,
from which you could extract the fingerprint.
> That's not how CA system usually works anyway. Usually we are not
> supposed to go searching the internet. Usually some experts have
> taught web browsers or operating systems to automatically trust
> certain authorities. So signature verification is transparent.
They added “trust,” not trust. See  for my biased point of view
(still pretty accurate despite its age; nowadays, I would add a
pointer to Certificate Transparency ).
> Any suggestions or information for practically managing S/MIME messages?
Personally, I try to verify CAs’ fingerprints. Afterwards, I
express my “trust” in other people’s choices of CAs when verifying
their signatures (so, pretend “Yes” when asked about trust) but
prefer OpenPGP over S/MIME whenever possible.
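The check the thread keeps coming back to, verifying that the fingerprint gpgsm displays for a CA matches a certificate you obtained through some other channel (for example the CA's own HTTPS site), can be done outside gpgsm with a few lines of standard-library Python. This is an added example, not code from the original message or from GnuPG; it assumes that gpgsm's "fingerprint:" line is the SHA-1 digest of the DER-encoded certificate (newer releases also print a SHA-256 "sha2 fpr:"), and the embedded PEM block is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a CA certificate fetched over a second channel.
# The base64 body is NOT a real X.509 certificate, just placeholder bytes so
# the example runs offline; point pem_to_der() at the real PEM file instead.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(
        b"constructed placeholder DER bytes, not a real X.509 certificate"
    ).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Extract the raw DER bytes from a single PEM CERTIFICATE block."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the DER certificate in gpgsm's colon-separated uppercase
    form. 'sha1' corresponds to gpgsm's 'fingerprint:' line, 'sha256' to the
    'sha2 fpr:' line of newer versions (assumption stated in the lead-in)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fpr: str) -> str:
    """Drop colons, spaces and case so differently formatted copies of the
    same fingerprint (terminal output, web page, printed letter) compare."""
    return re.sub(r"[\s:]", "", fpr).upper()


def matches(displayed: str, der: bytes) -> bool:
    """True if the fingerprint gpgsm showed in its trust prompt equals the
    one computed from the independently obtained certificate. The digest
    algorithm is chosen from the length (40 hex chars = SHA-1, 64 = SHA-256);
    anything else is rejected rather than guessed."""
    shown = normalize(displayed)
    if not re.fullmatch(r"[0-9A-F]+", shown) or len(shown) not in (40, 64):
        return False
    algo = "sha1" if len(shown) == 40 else "sha256"
    return shown == normalize(fingerprint(der, algo))


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-1  :", fingerprint(der))
    print("SHA-256:", fingerprint(der, "sha256"))
    # In practice the first argument is what you copy from gpgsm's prompt.
    print("match  :", matches(fingerprint(der), der))
```

The point of the separate `normalize()` step is that the value on the CA's page is rarely formatted the way gpgsm prints it; comparing raw strings would produce false mismatches and tempt you to press "Yes" anyway. Only answer the trust prompt affirmatively when `matches()` is true for a certificate you actually fetched yourself.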