gmail smime, sends two messages one is not encrypted. Experience?
Mark H. Wood
mwood at iupui.edu
Tue Dec 10 16:50:08 CET 2019
On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users wrote:
> Juergen BRUCKNER wrote:
> > Hi Stefan
> > Thats not the approach PGP pursues.
> > PGP was, is and should continue to be decentralized in the future. It
> > was never really intended to validate identities in a wide circle, but
> > to secure communication, and - im parts - to ensure the integrity of
> > software.
> Well, the integrity of software can also be shown with a simple hash
> value posted, because I can not verify if the sig belongs to person
> xyz, even when he / she has a lot of fan sigs from people unknown to
Yes, if you trust that the page with the hash on it has not been
compromised. Once the bad guy is inside the site, changing the hash
is just as easy as replacing the software. Signatures depend on
material that is *not* in the same place with the signed object (if
we're doing it right) and thus can be verified from independent
Simple hashes can only detect simple failures. They have no value
against a careful adversary.
PKC, used properly, can raise the cost of compromise, by increasing
the number of places that the bad guy must break into and get out of
undetected. This is the electronic analog of a principle in physical
security: require the bad guy to spend time, make noise, and create a
visible mess, to increase his fear of being discovered to the point
that the expectation of winning is not worth the expectation of
Mark H. Wood
Lead Technology Analyst
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 195 bytes
Desc: not available
More information about the Gnupg-users