Practical use of gpgsm for verifying emails

Teemu Likonen tlikonen at
Mon Apr 30 20:30:01 CEST 2018

Jens Lechtenboerger [2018-04-30 08:19:39+02] wrote:

> You don’t. You should not trust them if you don’t know anything about
> them.

> Personally, I try to verify CAs’ fingerprints. Afterwards, I express
> my “trust” in other people’s choices of CAs when verifying their
> signatures (so, pretend “Yes” when asked about trust) but prefer
> OpenPGP over S/MIME whenever possible.

As I requested a practical discussion I thought that there is some sort
of "practical trust" when verifying S/MIME messages like there usually
is for the web. For example I can point my web browser to my bank's web
site or your blog at and there is a friendly green lock symbol
in the browser. We normal people think that "this web site is safe"
without checking any fingerprints. Some people even know that the
browser automatically trusts certain authorities to make valid
certificates so that it's really my bank or Somebody chose
that trust for us because we normal people can't judge.

So I thought that gpgsm would be the same: some root CAs would be
automatically valid and trusted to certify others and gpgsm would just
work like web browsers. I guess not. It forces me to judge and since I
can't judge CAs, gpgsm is probably quite useless. I'm not complaining
about gpgsm. It's just that for a moment I thought it would be like web
browsers but for email.

OpenPGP is probably better for email because it's easier to track and
judge individuals separately with TOFU or web of trust model and assign

/// Teemu Likonen   - .-..   <> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
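Added example, not part of the thread above: the difference Teemu describes (browser ships a root store, gpgsm asks you) comes down to a small per-user file, `~/.gnupg/trustlist.txt`, which gpg-agent consults when gpgsm checks the root of an S/MIME chain. The parser below reads a constructed copy of that file and reports the three outcomes a root certificate can get: trusted (listed with the `S` flag, optionally `relax`), explicitly distrusted (line prefixed with `!`), or unknown (not listed, so gpgsm has to ask). All fingerprints in the sample are made up; the file format (`#` comments, `include-default`, `fingerprint FLAGS...`, colon-separated fingerprints allowed) is gpgsm's real one, and any flag other than `S` and `relax` is simply carried through untouched.

```python
import re
from dataclasses import dataclass

# Constructed sample of ~/.gnupg/trustlist.txt. The fingerprints are invented
# placeholders, not real CA certificates.
SAMPLE_TRUSTLIST = """\
# ~/.gnupg/trustlist.txt (constructed sample)
include-default
# A root CA whose fingerprint the user verified out of band: trusted for S/MIME
A1B2C3D4E5F60718293A4B5C6D7E8F9001122334 S
# Another root, written with colons, with 'relax' to tolerate some CRL/OCSP gaps
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44 S relax
# A root the user decided never to trust: leading '!' marks it as disallowed
!DEADBEEF00112233445566778899AABBCCDDEEFF S
"""


@dataclass(frozen=True)
class TrustEntry:
    fingerprint: str      # normalized: 40 uppercase hex digits, no colons
    trusted: bool         # False when the line was prefixed with '!'
    flags: frozenset      # e.g. {'S'} or {'S', 'relax'}


def normalize_fpr(fpr: str) -> str:
    """Canonicalize a SHA-1 certificate fingerprint (strip colons/spaces, uppercase)."""
    cleaned = fpr.replace(":", "").replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a SHA-1 certificate fingerprint: {fpr!r}")
    return cleaned


def parse_trustlist(text: str):
    """Parse trustlist.txt; return (include_default, {fingerprint: TrustEntry})."""
    include_default = False
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line == "include-default":
            include_default = True        # also read the system-wide trustlist
            continue
        trusted = True
        if line.startswith("!"):
            trusted = False               # explicitly disallowed root
            line = line[1:].lstrip()
        parts = line.split()
        fpr = normalize_fpr(parts[0])
        entries[fpr] = TrustEntry(fpr, trusted, frozenset(parts[1:]))
    return include_default, entries


def root_decision(entries, fingerprint: str) -> str:
    """Report what gpgsm will do with a root certificate of this fingerprint.

    'unknown' is the case from the mailing-list post: the root is not listed,
    so gpg-agent asks the user whether to trust it instead of deciding itself.
    """
    entry = entries.get(normalize_fpr(fingerprint))
    if entry is None:
        return "unknown"        # not listed: gpgsm asks, it does not assume
    if not entry.trusted:
        return "distrusted"     # '!' entry: never accept this root
    if "S" not in entry.flags:
        return "not-for-smime"  # listed, but not flagged for S/MIME use
    return "trusted"


if __name__ == "__main__":
    include_default, entries = parse_trustlist(SAMPLE_TRUSTLIST)
    print("include-default:", include_default)
    for fpr in list(entries) + ["0" * 40]:
        print(fpr, "->", root_decision(entries, fpr))
```

Answering "Yes" at the gpg-agent prompt (with `allow-mark-trusted` set in gpg-agent.conf) appends exactly such an `S` line, so the per-user file is the hand-built equivalent of the browser's root store; reading it back with a parser like this is a quick way to audit which CAs one has, perhaps hastily, marked as trusted.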

More information about the Gnupg-users mailing list