gmail smime, sends two messages one is not encrypted. Experience?

Stefan Claas sac at 300baud.de
Tue Dec 10 18:53:32 CET 2019


Stefan Claas via Gnupg-users wrote:

> Mark H. Wood via Gnupg-users wrote:
> 
> > On Sat, Dec 07, 2019 at 09:51:34PM +0100, Stefan Claas via Gnupg-users
> > wrote:
> > > Juergen BRUCKNER wrote:
> > > 
> > > > Hi Stefan
> > > > 
> > > > That's not the approach PGP pursues.
> > > > PGP was, is and should continue to be decentralized in the future. It
> > > > was never really intended to validate identities in a wide circle, but
> > > > to secure communication, and - in parts - to ensure the integrity of
> > > > software.
> > > 
> > > Well, the integrity of software can also be shown with a simple hash
> > > value posted, because I cannot verify if the sig belongs to person
> > > xyz, even when he / she has a lot of fan sigs from people unknown to
> > > me.
> > 
> > Yes, if you trust that the page with the hash on it has not been
> > compromised.  Once the bad guy is inside the site, changing the hash
> > is just as easy as replacing the software.  Signatures depend on
> > material that is *not* in the same place with the signed object (if
> > we're doing it right) and thus can be verified from independent
> > sources.
> > 
> > Simple hashes can only detect simple failures.  They have no value
> > against a careful adversary.
> 
> The software author(s) can simply provide a, via blockchain, timestamped
> record[1] of the original hash value. Additionally, from time to time, a
> timestamped warrant canary would be a welcome addition too.

P.S. And regarding PGP signatures, for security software releases; a *super
nice* gesture, which would IMHO have a major impact in the OpenPGP ecosystem,
would be if authors of security software who are German nationals would have
*certified* their software signing keys by the German CA Governikus[2].

[2] https://pgp.governikus.de/pgp/

Regards
Stefan

-- 
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
  certified OpenPGP key blocks available on keybase.io/stefan_claas
           


