gmail smime, sends two messages one is not encrypted. Experience?
sac at 300baud.de
Tue Dec 10 18:31:26 CET 2019
Mark H. Wood via Gnupg-users wrote:
> On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users wrote:
> > Juergen BRUCKNER wrote:
> > > Hi Stefan
> > >
> > > That's not the approach PGP pursues.
> > > PGP was, is and should continue to be decentralized in the future. It
> > > was never really intended to validate identities in a wide circle, but
> > > to secure communication, and - in parts - to ensure the integrity of
> > > software.
> > Well, the integrity of software can also be shown with a simple hash
> > value posted, because I can not verify if the sig belongs to person
> > xyz, even when he / she has a lot of fan sigs from people unknown to
> > me.
> Yes, if you trust that the page with the hash on it has not been
> compromised. Once the bad guy is inside the site, changing the hash
> is just as easy as replacing the software. Signatures depend on
> material that is *not* in the same place with the signed object (if
> we're doing it right) and thus can be verified from independent
> Simple hashes can only detect simple failures. They have no value
> against a careful adversary.
The software author(s) can simply provide a, via blockchain, timestamped
record of the original hash value. Additionally, from time to time, a
timestamped warrant canary would be a welcome addition too.
P.S. I have read recently that one can only trust software he / she has
written themselves ... ;-D
certified OpenPGP key blocks available on keybase.io/stefan_claas