On Tue, 30 Aug 2016 18:04, 3pfwunb...@snkmail.com said:

> Maybe add some _brief_ words about trust. We understand how

Well, I should have explained what I mean by Key Discovery: We do key
discovery to get a key for a given mail address the first time we want
to write to that address. At that point we don't have a relationship
with the recipient and thus it doesn't matter whether we trust the key
or the mail address. If we had had a former in-person communication, we
would also have had a chance to exchange fingerprints.

It is more important to assure that you are always talking to the same
person/mail address after the first contact. This builds up trust in
the mail address. This is the concept of trust-on-first-use (TOFU) which
we are soon going to use as default trust model for GnuPG. Actually it
will be a combination of TOFU and the Web-of-Trust
(--trust-model=tofu+pgp).

> Someone could set up an https://wernerkoch.info with a bogus key, send
> out an email impersonating Werner and pointing to that web service,

The key would not be bogus, unless it also has my mail address, which
should be unique. Given that I sign my mails (granted, too rarely on
MLs), a TOFU system can easily detect a conflict for those who are
reading GnuPG mailing lists.


Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
    /* Join us at OpenPGP.conf  <https://openpgp-conf.org> */
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
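
The trust-on-first-use idea described in the message above, as an added example that is not part of the original mail and not GnuPG's own code: a simplified store that binds a mail address to the first key fingerprint seen for it and reports a conflict when a different key later claims the same address. The class name, return strings, addresses and fingerprints are assumptions made for illustration.

```python
# Simplified trust-on-first-use model (illustrative; not GnuPG's TOFU code).
# All addresses and fingerprints below are constructed sample values.

FPR_A = "A1" * 20   # constructed 40-hex-digit fingerprint
FPR_B = "B2" * 20   # constructed fingerprint of a different key


class TofuStore:
    """Remembers which key fingerprint was first seen for each mail address."""

    def __init__(self):
        self._bindings = {}  # normalized address -> [fingerprint, times_seen]

    def observe(self, address, fingerprint):
        """Record a key seen for an address.

        Returns "first-use", "consistent" or "conflict".
        """
        addr = address.strip().lower()
        fpr = fingerprint.replace(" ", "").upper()
        known = self._bindings.get(addr)
        if known is None:
            self._bindings[addr] = [fpr, 1]
            return "first-use"
        if known[0] == fpr:
            known[1] += 1
            return "consistent"
        # A different key claims a known address: keep the old binding and
        # leave the decision to the user.
        return "conflict"

    def times_seen(self, address):
        entry = self._bindings.get(address.strip().lower())
        return entry[1] if entry else 0


def demo():
    store = TofuStore()
    return [
        store.observe("alice@example.org", FPR_A),  # key discovery
        store.observe("Alice@Example.org", FPR_A),  # same key again
        store.observe("alice@example.org", FPR_B),  # new key, same address
        store.observe("alice@example.net", FPR_B),  # other address: own binding
        store.observe("alice@example.org", FPR_A),  # original binding intact
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A key that carries a different address gets its own binding; only a new key for an already known address is reported as a conflict.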