Hi Derek,

Thanks for your detailed e-mail! I will try to answer to points that you've raised to the best of my knowledge.

On that basis I think Mutt should force the user to explicitly decide
that they want to fetch a key, by doing so through the gnupg
interface.

Is asking the user if they want to fetch the key interactively (if the key is not found locally) not an explicit decision? Or do you mean that the user should exit mutt and run gpg manually?

Another way to look at this:  Mutt likes to relegate tasks to an
application which is designated for that task.  In this case, gnupg
(or whatever) is the application relegated to managing PGP keys.  As
such the user should configure THAT application, to the extent
possible, to do what they want with keys, and Mutt should ignore the
problem.

Yes, I agree. The problem is that GPGME does not respect user preferences w.r.t. key retrieval (stored in gpg.conf). I will ask on gnupg-devel list if this is by design.

As a side note, I think automatic key retrieval of any sort largely
defeats the purpose of encryption.  You have no idea if the key you've
downloaded actually belongs to the person you think it should belong
to, excepting the case where the key is just a refresh of a key you've
already manually verified (i.e. key is signed by a key you already
have verified, belonging to the same person).  There are sometimes
other reasons, or other means by which to trust such keys (e.g. the
web of trust); but in the general case it is simply stupid to do so
without manually verifying the key and its owner's identity yourself.
You can consider that an additional argument to not support the
feature if you like.

Mutt already has appropriate messages relating to key validity (crypt-gpgme.c:1330) for example "WARNING: We have NO indication whether the key belongs to the person named as shown above" and key retrieval doesn't change that.

But consider the situation, you have signed a key of person B and you fully trust them, now you want to contact me and my key is signed with person's B key. It doesn't matter how you retrieve my key, when you import it it will be fully valid (as you trust person's B signatures). What WKD changes is you'll get my key from my domain and you won't have to search keyserver's for all potential keys looking for one that is signed by one of your trusted contacts.

Another example (a little bit more contrived): I want to report broken links on your home page :) (pizzashack.org)... confidentially. How would I do that? I would obviously get your key from your page (http://pizzashack.org/~ddm/pgp.key), WKD does just that, gets your key from your site. It *does not* make it trusted, signed or anything else. But I could at least send you the end-to-end encrypted message.

Actually that's how I got the idea of adding WKD to mutt: one person couldn't reply to my PGP message with encryption because they couldn't find my key (my guess is that the keyservers were failing but that's immaterial).

Thanks for your time!

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

Reply via email to