emacs-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: epg.el: epg--status-GET_LINE not working?

From: Daiki Ueno
Subject: Re: epg.el: epg--status-GET_LINE not working?
Date: Fri, 07 Jul 2017 10:37:37 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux) 
"Neal H. Walfield" <address@hidden> writes:

>> At that time, the GnuPG developers didn't seem to have a consensus on
>> how TOFU is supposed to work:
>
> FWIW, the TOFU modus operandi are unlikely to change at this stage and
> have been stable for nearly a year.

I wouldn't call it "stable" just because the code has been there for a
year.  What about the deployment?  Do you have any example of MUA
implementing this feature, other than Emacs?

> My recollection is that you said: if a recipient is specified by key
> id rather than by email address (e.g., gpg is called like: 'gpg -e -r
> KEYID') and the key has a conflict, the conflict should be ignored.

No.  My concern is why GnuPG detects a conflict, even though it is _not_
given an email address to consider (i.e. signature verification).

> 2. AFAIK, there is no precedence for this behavior in gpg.  Consider
> an expired or revoked key: if you try to use it, gpg will error out
> with "unusable public key."

Erroring out and prompting user are a different behavior.

Perhaps you implemented TOFU this way (prompting user) because you use
Wanderlust (which has bee unmaintained for years)?  If I remember
correctly, Wanderlust requires user an explicit action to verify a
signature.

On the other hand, Gnus and other major MUA automatically verify
signature without user interaction.  I like this much better and
supporting your TOFU implementation would negate this this handiness.

Regards,
-- 
Daiki Ueno
reply via email to
[Prev in Thread] Current Thread [Next in Thread]