On Mon, Jul 09, 2018 at 05:05:58PM +0200, Vincent Lefevre wrote:
> On 2018-07-06 17:50:59 -0500, Derek Martin wrote:
> > On Fri, Jul 06, 2018 at 10:54:20PM +0200, Wiktor Kwapisiewicz wrote:
> > > If you're sending e-mail to u...@example.com and do a WKD query it
> > > would reveal that only to exam
On 2018-07-06 17:50:59 -0500, Derek Martin wrote:
> On Fri, Jul 06, 2018 at 10:54:20PM +0200, Wiktor Kwapisiewicz wrote:
> > If you're sending e-mail to u...@example.com and do a WKD query it
> > would reveal that only to example.com. But you're sending the e-mail
> > there so that user (or their s
Hi Vincent,
So... This isn't really too different. If the config option somehow
got set unintentionally, it still potentially leaks information, even
if it is on send rather than on receipt. It's actually worse, because
it leaks whom you are actually sending messages to, rather than from
whom
On 2018-07-06 15:45:08 -0500, Derek Martin wrote:
> On Thu, Jul 05, 2018 at 09:47:51AM +0200, Wiktor Kwapisiewicz wrote:
> > > Does this mean that WKD would always be enabled?
> > > If so, this potentially leaks from whom email is being received to third
> > > parties, and I will patch my copy of m
Hi, Derek,
Another way to look at this: Mutt likes to relegate tasks to an
application which is designated for that task. In this case, gnupg
(or whatever) is the application relegated to managing PGP keys. As
such the user should configure THAT application, to the extent
possible, to do what
On Fri, Jul 06, 2018 at 10:54:20PM +0200, Wiktor Kwapisiewicz wrote:
> Mind me asking why do you put your key ID in e-mails if you're
> opposed to encrypted communication?
Also for what it's worth, I never said I was opposed to encrypted
communication. What I said is I think encrypted email prote
On Fri, Jul 06, 2018 at 10:54:20PM +0200, Wiktor Kwapisiewicz wrote:
> >Your other points are all reasonable, and like I said, my opposition
> >to the feature isn't strong--but you didn't change my mind either. :)
>
> Yes, I can see that, but it's hard to change your opinion that
> e-mail privacy
Your other points are all reasonable, and like I said, my opposition
to the feature isn't strong--but you didn't change my mind either. :)
Yes, I can see that, but it's hard to change your opinion that e-mail
privacy is a lost cause in just a couple of e-mails.
Mind me asking why do you put y
On Thu, Jul 05, 2018 at 09:47:51AM +0200, Wiktor Kwapisiewicz wrote:
> > Does this mean that WKD would always be enabled?
> > If so, this potentially leaks from whom email is being received to third
> > parties, and I will patch my copy of mutt to remove it.
>
> It is triggered only when you want
On Fri, Jul 06, 2018 at 09:12:26PM +0200, Wiktor Kwapisiewicz wrote:
> Yes, I agree. The problem is that GPGME does not respect user
> preferences w.r.t. key retrieval (stored in gpg.conf). I will ask on
> gnupg-devel list if this is by design.
FWIW, we've now seen from 3 mutt-dev followers that t
Wiktor,
On Fri, Jul 06, 2018 at 09:12:26PM +0200, Wiktor Kwapisiewicz wrote:
> >On that basis I think Mutt should force the user to explicitly decide
> >that they want to fetch a key, by doing so through the gnupg
> >interface.
>
> Is asking the user if they want to fetch the key interactively (i
On Thu, Jul 05, 2018, Kevin J. McCarthy wrote:
> I am disinclined to default-enable something that sends http requests
> out without the user fully understanding what's going on.
Agreed.
I would patch my copy of the source to not enable such code at all
-- IMHO it does not belong into the MUA but
Hi Derek,
Thanks for your detailed e-mail! I will try to answer to points that
you've raised to the best of my knowledge.
On that basis I think Mutt should force the user to explicitly decide
that they want to fetch a key, by doing so through the gnupg
interface.
Is asking the user if they
I'm not strongly opposed to this feature, but I am opposed to it
nonetheless, on much the same grounds as I am opposed to the "umask"
feature (which is a misnomer, but it's how people think of that) for
attachments. Convenience and security, unfortunately, are often
enemies, and I think this is an
Does this mean that WKD would always be enabled?
The quadoption would allow the user to set to automatic (yes), prompt
(ask-yes/ask-no), or disable (no). I'd like feedback from everyone, but
I am disinclined to default-enable something that sends http requests
out without the user fully understa
On Thu, Jul 05, 2018 at 08:29:08AM +0100, Andras Salamon wrote:
> On 2018-07-04 18:05:13 -0700, Kevin wrote:
> > My initial idea was a quadoption to control the external query to WKD.
> > If no exact-address matches are initially found, consult the quadoption
>
> Does this mean that WKD would alwa
> Does this mean that WKD would always be enabled?
> If so, this potentially leaks from whom email is being received to third
> parties, and I will patch my copy of mutt to remove it.
It is triggered only when you want to send an e-mail *to* a person AND
explicitly enable encryption AND you don'
On 2018-07-04 18:05:13 -0700, Kevin wrote:
> My initial idea was a quadoption to control the external query to WKD.
> If no exact-address matches are initially found, consult the quadoption
Does this mean that WKD would always be enabled?
If so, this potentially leaks from whom email is being rec
Hi,
Just wondering, I've got "auto-key-retrieve" set in my gpg.conf. I'm
using gpgme, and as far as I'm aware it fetches keys it doesn't know
upon reading the message (gives a little delay) to verify the signature
is OK.
Is this a different thing somehow?
Yes, auto-key-retrieve is different f
Hi,
Just wondering, I've got "auto-key-retrieve" set in my gpg.conf. I'm
using gpgme, and as far as I'm aware it fetches keys it doesn't know
upon reading the message (gives a little delay) to verify the signature
is OK.
Is this a different thing somehow?
Thanks,
Fabian
On 04-07-2018 23:27:23
On Wed, Jul 04, 2018 at 11:27:23PM +0200, Wiktor Kwapisiewicz wrote:
> I would like to extend mutt to add fetching GPG keys over Web Key Directory
> protocol.
I asked Wiktor to post here, in order to give a broader audience the
opportunity to discuss how/if this should be implemented.
My initial
21 matches