Re: PGP signing in GNUMail

From: Ivan Vučica
Subject: Re: PGP signing in GNUMail
Date: Fri, 24 Mar 2017 07:37:14 -0700

Details on how to use GPG are not GNUMail specific.

The usual approach is for the recipient to fetch the public key from the keyserver, then verify that the long-form key fingerprint matches the one you have provided in a secure fashion (for example, by meeting in person, checking government issued IDs, and exchanging fingerprints).

Once fingerprints have been exchanged, you can make your trust public by signing the public key's identities using your secret key, and either uploading it to the keyservers or (slightly more secure) by emailing a copy of the other person's now-signed public key in an email that has been encrypted using the other person's public key, thus ensuring a person must have both access to the email address and the key which you signed.

Having the recipient trust any GPG key that is attached to the email defeats the purpose of the whole scheme. You, as a sender, surely would not want me to trust signatures from an arbitrary public key sent to me from a fake Svetlana Tkachenko; you'd want me to trust only the one that you gave to me, securely, right?

On Fri, Mar 24, 2017 at 3:14 AM, Svetlana Tkachenko <svetlana@members.fsf.org> wrote:
Hi all,

I seem to be able to get PGP signing to work with GNUMail, however the recipient needs to have a file (some part of the keypair?) to be able to verify the signature. As I understood I should either attach this file to each email, or upload it somewhere on the Internet (a personal website or a keyserver). Perhaps I would like to attach it, is it a good option? Does GNUMail support it?


Discuss-gnustep mailing list
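
The fingerprint check described in the reply above, as an added example that is not part of the original thread: it compares the primary-key fingerprint in a `gpg --with-colons --fingerprint` listing against the one received in person, and refuses anything shorter than a full fingerprint. The function names and the sample listing are constructed for illustration, and a 40-hex-digit (v4) fingerprint is assumed.

```shell
#!/bin/sh
# Added example: gate key signing on a full-fingerprint match.

# Strip whitespace and uppercase the hex digits of a fingerprint.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read a colon-format listing on stdin and print the primary key's
# fingerprint: the first "fpr" record after the "pub" record (field 10).
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; exit }'
}

# fingerprint_matches EXPECTED   (colon listing on stdin)
# returns 0 on match, 1 on mismatch, 2 if EXPECTED is not a full fingerprint
fingerprint_matches() {
    actual=$(primary_fpr)
    expected=$(normalize_fpr "$1")
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;          # not hex at all
    esac
    [ "${#expected}" -eq 40 ] || return 2    # short/long key IDs are not enough
    [ "$expected" = "$actual" ]
}

# Constructed sample of colon-format output (not a real key).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1490000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1490000000::::Constructed User <user@example.invalid>:
sub:-:4096:1:1111222233334444:1490000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
EOF
}

# With a real keyring (placeholders, not run here):
#   gpg --recv-keys "$FPR_FROM_MEETING"
#   gpg --with-colons --fingerprint "$FPR_FROM_MEETING" \
#       | fingerprint_matches "$FPR_FROM_MEETING" \
#       && gpg --sign-key "$FPR_FROM_MEETING"
#   gpg --armor --export "$FPR_FROM_MEETING" \
#       | gpg --armor --encrypt --recipient "$FPR_FROM_MEETING"
```

The last commented command produces the signed key encrypted to its owner, which is the "email a copy" option from the reply.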