On Sun, 2015-05-10 at 05:59 +0000, Justin Musgrove wrote:
> On Sat, 2015-05-09 at 19:11 +0200, Ralf Mardorf wrote:
> > On Sat, 09 May 2015 17:36:17 +0100, Pete Biggs wrote:
> > > I totally understand what you are saying.
> > 
> > And I absolutely agree with your argument. However, a web of trust has
> > got its weak points too.
> > 
> > I "automatically" trust the key package of the distro I'm using, when
> > there's a release of new keys for signing packages, because the chain of
> > trusted keys at least is halfway comprehensible. But automatically
> > accepting each key needed to check the signature of an email is risky.
> > A user should care about the keys and be aware of the accepted
> > keys. A mouse click isn't much work.
> 
> Excellent points! I don't mind the auto downloading with the exception
> of not blindly setting the trust value. That way I can manually
> validate and set the trust.

Btw. I'm mistaken. It's not just a mouse click, I had to
$ gpg --keyserver pgp.mit.edu --recv-keys 32EA7F7A
and then to close and open Evolution.

If I were to automatically download keys that certify a key, wouldn't
the warning automatically disappear?

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

A web of trust already could be a fake. IMO interaction of the user is
better than doing it automatically.

Regards,
Ralf

PS: I dislike multipart messages sent to mailing lists. Your mail
isn't a text/HTML multipart, but you include your signature and IMO
signing mails sent to mailing lists is redundant.
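
The thread turns on the difference between having a key available to check a signature and that key being certified by a trusted signature. As an added example that is not part of the original mail or of Evolution's code, this Python sketch classifies GnuPG `--status-fd` output along that line; the function name, verdict labels, key IDs and sample status lines are constructed for illustration.

```python
# Added example: separate "signature checks out" from "key is trusted"
# using GnuPG's machine-readable status lines (gpg --status-fd).
# All sample lines and key IDs below are constructed, not from the thread.

FULL_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

def classify(status_text):
    """Return (verdict, key_id) for one signature's status output."""
    sig, trust, key = None, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ignore human-readable output
        fields = line.split()[1:]
        if not fields:
            continue
        word, args = fields[0], fields[1:]
        if word in ("GOODSIG", "BADSIG", "NO_PUBKEY") and args:
            sig, key = word, args[0]
        elif word.startswith("TRUST_"):
            trust = word
    if sig == "BADSIG":
        return ("bad", key)
    if sig == "NO_PUBKEY":
        return ("key-missing", key)  # nothing could be verified
    if sig == "GOODSIG" and trust in FULL_TRUST:
        return ("verified", key)
    if sig == "GOODSIG":
        # Signature is valid, but the key's validity is not established:
        # the case behind "not certified with a trusted signature".
        return ("good-but-untrusted", key)
    return ("unsigned", None)

# Constructed sample: the key was fetched, but nothing vouches for it.
FETCHED_ONLY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000AAAAAAAA Constructed Sender <sender@example.org>
[GNUPG:] TRUST_UNDEFINED
"""
# Constructed sample: same signature after the user validated the key.
USER_VALIDATED = FETCHED_ONLY.replace("TRUST_UNDEFINED", "TRUST_FULLY")
# Constructed sample: the key is not in the keyring at all.
NO_KEY = ("[GNUPG:] ERRSIG 00000000AAAAAAAA 1 8 00 1431237540 9\n"
          "[GNUPG:] NO_PUBKEY 00000000AAAAAAAA\n")

if __name__ == "__main__":
    for name, text in [("fetched", FETCHED_ONLY),
                       ("validated", USER_VALIDATED), ("no key", NO_KEY)]:
        print(name, classify(text))
```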
