Practical use of gpgsm for verifying emails
Jens Lechtenboerger
lechten at wi.uni-muenster.de
Mon Apr 30 08:19:39 CEST 2018
On 2018-04-28, Teemu Likonen wrote:
> When verifying an S/MIME message gpgsm (I think) asks whether I
> ultimately trust some certificate authority to certify others and then
> asks me to verify that a displayed fingerprint belongs to the authority.
> How do I know? (So far I have pressed the "Cancel" button.)
You don’t. You should not trust them if you don’t know anything
about them.
> I went to the certificate authority's web page but couldn't find
> fingerprints.
That’s odd. Maybe they publish their certificates over HTTPS,
from which you could extract the fingerprint.
> That's not how the CA system usually works anyway. Usually we are not
> supposed to go searching the internet. Usually some experts have
> taught web browsers or operating systems to automatically trust
> certain authorities. So signature verification is transparent.
They added “trust,” not trust. See [1] for my biased point of view
(still pretty accurate despite its age; nowadays, I would add a
pointer to Certificate Transparency [2]).
> Any suggestions or information for practically managing S/MIME messages?
Personally, I try to verify CAs’ fingerprints. Afterwards, I
express my “trust” in other people’s choices of CAs when verifying
their signatures (so, pretend “Yes” when asked about trust) but
prefer OpenPGP over S/MIME whenever possible.
Best wishes
Jens
[1] https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/
[2] https://www.certificate-transparency.org/
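The check suggested above (download the certificate a CA publishes over HTTPS, hash it, and compare with the fingerprint gpgsm shows in its trust prompt) as an added example, not code from this thread or from GnuPG. It assumes the CA offers its certificate as a PEM or DER file at some HTTPS URL (a placeholder in the code) and that the prompt shows a SHA-1 or SHA-256 fingerprint; the sample certificate bytes are constructed so the script runs offline, and are not a real certificate.

```python
"""Compute and compare X.509 certificate fingerprints (stdlib only).

A fingerprint is a hash over the certificate's DER encoding. CAs publish it
in several shapes ("AB:CD", "ab cd", "abcd"), and gpgsm may show a different
digest than the CA page lists, so both normalisation and digest selection
matter when comparing.
"""
import base64
import hashlib
import hmac
import re
import urllib.request

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# Hex length of the digest tells us which algorithm the displayed value uses.
DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256"}

# Constructed stand-in for a certificate: not a real X.509 structure, just a
# few DER bytes wrapped in PEM armour so the example runs without a network.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def fetch_certificate(url: str, timeout: float = 10.0) -> bytes:
    """Download a certificate file (PEM or DER) that a CA publishes.

    Only HTTPS is accepted: fetching over plain HTTP would let the file be
    altered in transit, which defeats the point of checking a fingerprint.
    The URL is an assumption of this example; substitute the CA's real one.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: " + url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in PEM or DER input.

    Hashing the PEM text instead of the DER would give a value that matches
    nothing any tool displays, so the armour is stripped first.
    """
    m = PEM_RE.search(data)
    if m is None:
        return data  # no armour found: assume the file is already DER
    return base64.b64decode(b"".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the form most CAs and tools print."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop colons, whitespace and case; return "" if the rest is not clean hex.

    Rejecting anything that is not pure hex avoids silently "matching" a value
    that was pasted together with a label such as 'SHA256 Fingerprint='.
    """
    stripped = re.sub(r"[\s:]", "", fp)
    if not re.fullmatch(r"[0-9A-Fa-f]+", stripped) or len(stripped) % 2:
        return ""
    return stripped.upper()


def fingerprints_match(shown: str, published: str) -> bool:
    """Constant-time comparison of two fingerprints in any common formatting."""
    a, b = normalize(shown), normalize(published)
    return bool(a) and bool(b) and hmac.compare_digest(a, b)


def verify_shown_fingerprint(cert: bytes, shown: str) -> bool:
    """True if `shown` is the SHA-1 or SHA-256 fingerprint of `cert` (PEM or DER).

    The digest is chosen from the length of what was shown, so a SHA-1 value
    from a gpgsm prompt and a SHA-256 value from a CA web page both work.
    """
    norm = normalize(shown)
    algo = DIGEST_BY_HEX_LEN.get(len(norm))
    if algo is None:
        return False
    return fingerprints_match(fingerprint(pem_to_der(cert), algo), norm)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; with a real CA, call
    # fetch_certificate("https://<ca-host>/<ca-cert-file>") instead.
    der = pem_to_der(SAMPLE_PEM)
    for algo in ("sha1", "sha256"):
        print(algo, fingerprint(der, algo))
```

The same values can be cross-checked with `openssl x509 -in ca.pem -noout -sha256 -fingerprint` (or `-sha1`), which is a useful second opinion before answering "yes" to a trust prompt.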