gmail smime, sends two messages one is not encrypted. Experience?
sac at 300baud.de
Tue Dec 10 18:53:32 CET 2019
Stefan Claas via Gnupg-users wrote:
> Mark H. Wood via Gnupg-users wrote:
> > On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users
> > wrote:
> > > Juergen BRUCKNER wrote:
> > >
> > > > Hi Stefan
> > > >
> > > > That's not the approach PGP pursues.
> > > > PGP was, is and should continue to be decentralized in the future. It
> > > > was never really intended to validate identities in a wide circle, but
> > > > to secure communication, and - in parts - to ensure the integrity of
> > > > software.
> > >
> > > Well, the integrity of software can also be shown with a simple hash
> > > value posted, because I can not verify if the sig belongs to person
> > > xyz, even when he / she has a lot of fan sigs from people unknown to
> > > me.
> > Yes, if you trust that the page with the hash on it has not been
> > compromised. Once the bad guy is inside the site, changing the hash
> > is just as easy as replacing the software. Signatures depend on
> > material that is *not* in the same place with the signed object (if
> > we're doing it right) and thus can be verified from independent
> > sources.
> > Simple hashes can only detect simple failures. They have no value
> > against a careful adversary.
> The software author(s) can simply provide a blockchain-timestamped
> record of the original hash value. Additionally, from time to time, a
> timestamped warrant canary would be a welcome addition too.
P.S. And regarding PGP signatures for security software releases: a *super
nice* gesture, which would IMHO have a major impact on the OpenPGP ecosystem,
would be if authors of security software who are German nationals had their
software signing keys *certified* by the German CA Governikus.
certified OpenPGP key blocks available on keybase.io/stefan_claas
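Mark's point above (a hash hosted beside the download is replaced as easily as the download itself, while a signature checked against a key obtained elsewhere is not) as an added illustration that is not part of this thread, in Go using only the standard library's ed25519; the release contents, the intruder's key and the "site" are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a download page hosts together in one place:
// the artifact, its published hash and a detached signature (constructed).
type Release struct {
	Artifact  []byte
	HashHex   string
	Signature []byte
}

func publish(artifact []byte, signer ed25519.PrivateKey) Release {
	sum := sha256.Sum256(artifact)
	return Release{artifact, hex.EncodeToString(sum[:]), ed25519.Sign(signer, artifact)}
}

// hashCheck compares the artifact only against the hash hosted beside it.
func hashCheck(r Release) bool {
	sum := sha256.Sum256(r.Artifact)
	return hex.EncodeToString(sum[:]) == r.HashHex
}

// sigCheck verifies against a public key the user obtained independently
// of the site (the material that is "not in the same place").
func sigCheck(r Release, outOfBandKey ed25519.PublicKey) bool {
	return ed25519.Verify(outOfBandKey, r.Artifact, r.Signature)
}

// tamper models a compromised site: the intruder swaps the artifact and
// republishes a matching hash and a signature made with their own key.
func tamper(replacement []byte) Release {
	_, intruderKey, _ := ed25519.GenerateKey(rand.Reader)
	return publish(replacement, intruderKey)
}

// Scenario returns the outcome of both checks before and after compromise.
func Scenario() (hashBefore, sigBefore, hashAfter, sigAfter bool) {
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := publish([]byte("release.tar.gz contents (constructed)"), authorPriv)
	hashBefore, sigBefore = hashCheck(genuine), sigCheck(genuine, authorPub)
	swapped := tamper([]byte("modified tarball contents (constructed)"))
	hashAfter, sigAfter = hashCheck(swapped), sigCheck(swapped, authorPub)
	return
}

func main() {
	hb, sb, ha, sa := Scenario()
	fmt.Printf("genuine: hash=%v sig=%v; after compromise: hash=%v sig=%v\n", hb, sb, ha, sa)
}
```

The co-located hash still matches after the swap; only the signature, checked against the author's key fetched out of band, reports the substitution.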