Derek Martin wrote in
 <20240429203624.ge19...@bladeshadow.org>:
 |On Fri, Apr 26, 2024 at 06:45:57PM +0200, ilf wrote:
 |> The Autocrypt project worked on a draft for "Protected Headers for
 |> Cryptographic E-mail" [1]. That became the IETF draft "Header Protection
 |> for Cryptographically Protected E-mail" [2]. draft-ietf-lamps-header-protection
 |> is an Active Internet-Draft of the LAMPS WG, a "Proposed Standard" and it is
 |> on track to become an RFC.
 |>
 |> 1. https://github.com/autocrypt/protected-headers
 |> 2. https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/
 |
 |Neat. But this feature seems like a misfeature, making you
 |immediately susceptible to MITM. It encourages users to forgo
 |establishing the trust of the keys so received. What's to stop me
 |from sending you a forged e-mail that appears to be from someone else,
 |with an address and public key that I control? Or, if I control
 |their/your local mail server, just replacing the key they gave with my
 |own? Part of the point of using PGP/GPG is that you have taken the
 |time to verify the identity and key signature of the person presenting
 |the key, to prevent MITM attacks and similar. This seems tailor-made
 |to encourage less savvy users (or really everyone) to do exactly the
 |wrong thing.
I *wholeheartedly* agree! S/MIME is so much better by concept!

This is why I like the new approach most PGP people now use, in that they use a signed MIME multipart which includes the public key as an attachment.

And, btw, I am in full support of the OpenPGP: header that can be DKIM protected (plus by the "protected headers"). Unfortunately that never made it to a standard.

...

For PGP there really should be better (i.e., TXT-based, or like so) SMIMEA/OPENPGPKEY DNS entries, because what else can one have? WKD, and HKPS. I (and many others) use OpenPGP: and point via https:// --- which is totally absurd given that the entire HTTPS aka TLS community as it is of today uses CA pools that are based upon commercial supermen. No.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
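The out-of-band discovery paths named above (WKD and OPENPGPKEY DNS records) both derive a lookup location from a hash of the mail address's local-part, so a verifier can fetch the key from the domain owner instead of trusting whatever a message carried in-band. The following is an added example, not code from the thread or from any of the projects mentioned; it derives the direct and advanced WKD URLs (per draft-koch-openpgp-webkey-service: lowercased local-part, SHA-1, z-base-32) and the OPENPGPKEY owner name (per RFC 7929: SHA-256 of the local-part truncated to 28 octets, hex). The sample address is constructed, and the local-part case handling follows my reading of each spec, so check it against the current text before relying on it.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by the WKD draft for the hashed local-part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, zero-padded on the right."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(
        ZBASE32_ALPHABET[(bits >> ((nchars - 1 - i) * 5)) & 0x1F] for i in range(nchars)
    )


def split_address(addr: str) -> tuple[str, str]:
    """Split 'local@domain'; the domain part is case-insensitive and is lowercased."""
    local, domain = addr.rsplit("@", 1)
    return local, domain.lower()


def wkd_urls(addr: str) -> dict[str, str]:
    """Direct and advanced WKD lookup URLs for an address.

    The local-part is lowercased, SHA-1 hashed and z-base-32 encoded (32 chars);
    the local-part as written travels in the 'l' query parameter.
    """
    local, domain = split_address(addr)
    hu = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    tail = f"/hu/{hu}?l={quote(local)}"
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey{tail}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}{tail}",
    }


def openpgpkey_name(addr: str) -> str:
    """DNS owner name of the OPENPGPKEY record (RFC 7929):
    hex(SHA-256(local-part)[:28])._openpgpkey.<domain>  (56 hex chars)."""
    local, domain = split_address(addr)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


if __name__ == "__main__":
    addr = "Jane.Doe@Example.ORG"  # constructed sample address, not a real mailbox
    print(wkd_urls(addr))
    print(openpgpkey_name(addr))
```

Fetching from these locations still has to happen over a channel the domain owner controls (HTTPS for WKD, DNSSEC-validated DNS for OPENPGPKEY) for the result to be worth more than an in-band attachment.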