Practical use of gpgsm for verifying emails

Jens Lechtenboerger lechten at
Mon Apr 30 08:19:39 CEST 2018

On 2018-04-28, Teemu Likonen wrote:

> When verifying an S/MIME message gpgsm (I think) asks whether I
> ultimately trust some certificate authority to certify others and then
> asks me to verify that a displayed fingerprint belongs to the authority.
> How do I know? (So far I have pressed the "Cancel" button.)

You don’t.  You should not trust them if you don’t know anything
about them.

> I went to the certificate authority's web page but couldn't find
> fingerprints.

That’s odd.  Maybe they publish their certificates over HTTPS,
from which you could extract the fingerprint.

> That's not how CA system usually works anyway. Usually we are not
> supposed to go searching the internet. Usually some experts have
> taught web browsers or operating systems to automatically trust
> certain authorities. So signature verification is transparent.

They added “trust,” not trust.  See [1] for my biased point of view
(still pretty accurate despite its age; nowadays, I would add a
pointer to Certificate Transparency [2]).

> Any suggestions or information for practically managing S/MIME messages?

Personally, I try to verify CAs’ fingerprints.  Afterwards, I
express my “trust” in other people’s choices of CAs when verifying
their signatures (so, pretend “Yes” when asked about trust) but
prefer OpenPGP over S/MIME whenever possible.

Best wishes


More information about the Gnupg-users mailing list