gmail smime, sends two messages one is not encrypted. Experience?

Stefan Claas sac at
Tue Dec 10 18:31:26 CET 2019

Mark H. Wood via Gnupg-users wrote:

> On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users wrote:
> > Juergen BRUCKNER wrote:
> > 
> > > Hi Stefan
> > > 
> > > That's not the approach PGP pursues.
> > > PGP was, is and should continue to be decentralized in the future. It
> > > was never really intended to validate identities in a wide circle, but
> > > to secure communication, and - in parts - to ensure the integrity of
> > > software.
> > 
> > Well, the integrity of software can also be shown with a simple hash
> > value posted, because I can not verify if the sig belongs to person
> > xyz, even when he / she has a lot of fan sigs from people unknown to
> > me.
> Yes, if you trust that the page with the hash on it has not been
> compromised.  Once the bad guy is inside the site, changing the hash
> is just as easy as replacing the software.  Signatures depend on
> material that is *not* in the same place with the signed object (if
> we're doing it right) and thus can be verified from independent
> sources.
> Simple hashes can only detect simple failures.  They have no value
> against a careful adversary.

The software author(s) can simply provide a blockchain-timestamped
record[1] of the original hash value. Additionally, from time to time, a
timestamped warrant canary would be a welcome addition too.

P.S. I have read recently that one can only trust software they have
written themselves ... ;-D



box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
  certified OpenPGP key blocks available on
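The point argued in the reply quoted above (a hash served beside the download is replaced as easily as the download, while a signature or an independently stored hash is not) can be made concrete. The following Go program is an added example written for this archive page; it is not code from the thread or from GnuPG. It stands in for OpenPGP with Go's standard-library Ed25519 (the key-handling argument is the same), and the "release", the "backdoored" artifact and the compromised site are all constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is everything a download site serves: the artifact, the hash
// published on the same page, and a detached signature. Constructed data.
type Release struct {
	Artifact []byte
	HashHex  string // hash file living next to the artifact
	Sig      []byte // detached signature made with the maintainer's key
}

// Verdict holds the outcome of the three checks a downloader might run.
type Verdict struct {
	HashOnPage bool // artifact matches the hash served beside it
	Signature  bool // artifact verifies under a key obtained out-of-band
	PinnedHash bool // artifact matches a hash recorded off-site earlier
}

// Publish builds a release the way a maintainer would: hash and signature
// are computed over the artifact, but the signing key never leaves the
// maintainer's machine and is not on the web server.
func Publish(priv ed25519.PrivateKey, artifact []byte) Release {
	sum := sha256.Sum256(artifact)
	return Release{
		Artifact: artifact,
		HashHex:  hex.EncodeToString(sum[:]),
		Sig:      ed25519.Sign(priv, artifact),
	}
}

// Compromise models an attacker who controls the web server: they swap
// the artifact and regenerate the hash file next to it. Lacking the
// signing key, the best they can do is leave the old signature in place.
func Compromise(r Release, backdoored []byte) Release {
	sum := sha256.Sum256(backdoored)
	return Release{Artifact: backdoored, HashHex: hex.EncodeToString(sum[:]), Sig: r.Sig}
}

// Check runs all three verifications against a served release, given the
// public key the user fetched elsewhere and a hash pinned before the
// compromise (e.g. a timestamped record the attacker cannot rewrite).
func Check(pub ed25519.PublicKey, r Release, pinnedHex string) Verdict {
	sum := sha256.Sum256(r.Artifact)
	got := hex.EncodeToString(sum[:])
	return Verdict{
		HashOnPage: got == r.HashHex,
		Signature:  ed25519.Verify(pub, r.Artifact, r.Sig),
		PinnedHash: got == pinnedHex,
	}
}

// Scenario publishes an honest release, records its hash off-site, lets
// the attacker tamper with the site, and checks both versions.
func Scenario() (honest, tampered Verdict, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return honest, tampered, err
	}
	original := Publish(priv, []byte("tool-1.0.tar.gz: genuine build (constructed)"))
	pinned := original.HashHex // stored somewhere the server cannot edit

	evil := Compromise(original, []byte("tool-1.0.tar.gz: backdoored build (constructed)"))

	return Check(pub, original, pinned), Check(pub, evil, pinned), nil
}

func main() {
	honest, tampered, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest release:   %+v\n", honest)
	fmt.Printf("tampered release: %+v\n", tampered)
}
```

The tampered release still passes the on-page hash check, because the attacker rewrote both files together; only the signature (keyed by material that never sat on the server) and the hash pinned in an independent, earlier record catch the swap. The two mechanisms fail differently: the pinned record also detects a maintainer later replacing the build, while the signature detects any change not made by the key holder.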
