gmail smime, sends two messages one is not encrypted. Experience?

Stefan Claas sac at
Sat Dec 7 21:51:34 CET 2019

Juergen BRUCKNER wrote:

> Hi Stefan
> That's not the approach PGP pursues.
> PGP was, is and should continue to be decentralized in the future. It
> was never really intended to validate identities in a wide circle, but
> to secure communication, and - in parts - to ensure the integrity of
> software.

Well, the integrity of software can also be shown with a simple hash
value posted, because I cannot verify if the sig belongs to person
xyz, even when he / she has a lot of fan sigs from people unknown to

So, why then all this sigs stuff, Mr Zimmermann invented, while no
other public key crypto software has such functionality?

> The so-called WOT has proven to me in the field of PGP and does not
> really need central instances

Why do you or other people think it is central, when we would
have many CAs in place, each one not connected to the other one?

And even if it would be run by one CA people don't trust, they could
trust the CA sig, if the signing procedure would be correct.

I for example do not trust third party sigs from regular users,
because I have witnessed that also people sign other people's
keys out of the blue, while never ever contacting the person who
owns the key ...
> On 07.12.19 at 21:11, Stefan Claas wrote:
> > Yes, but that is not an OpenPGP 'fault' IMHO, it is caused by users and
> > the OpenPGP community in general, not accepting CAs and still relying
> > on the classical WoT.
> > 
> > Maybe we should ask ourselves why we do not have more (free) CAs for
> > the OpenPGP ecosystem (wish we had more like Governikus ...)


box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
  certified OpenPGP key blocks available on

More information about the Gnupg-users mailing list