auto-key-retrieve considered harmful
Robert Schiele
robert.schiele at t-online.de
Sun Dec 7 09:56:05 CET 2003
On Sun, Dec 07, 2003 at 06:55:36AM +0100, Christian Biere wrote:
> Hi,
>
> unfortunately there are many tools which don't differ between
> trusted and untrusted keys e.g., the mail clients Sylpheed,
> Mulberry and probably hundreds of tools more. [Actually, it's
> beyond me how they can dare to implement OpenPGP support in
> such a way. Either, do it the right way or just don't do it at
> all.]
>
> Let me imagine a world in which people are rather lazy. In this
> world people would put the line
>
> keyserver-option auto-key-retrieve
>
> into their gpg.conf. Now, every time they get a signed mail
> with a key they don't have in their keyring, the key will
> be automatically retrieved from the keyserver. As they
> can't remember their buddies' key IDs they just believe in
> their mail clients' message "Good signature".
>
> IMO, the documentation should at least contain a *big* *fat*
> *scary* warning about using that option. In the long run,

I disagree, the warning should not be about using that option, but about using
such broken applications that cannot handle gpg in a correct way.

This is somewhat like in that Dilbert comic (sorry, can't find the original
URL):

Dilbert talking to Dogbert: I got fired from my job at the restaurant.
Every time I carried hot soup my thumb would slip in and I'd scream and
spray the whole dining room. I blame the soup.
Dogbert: Stupid soup.

Robert
--
Robert Schiele Tel.: +49-621-181-2517
Dipl.-Wirtsch.informatiker mailto:rschiele at uni-mannheim.de
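
The distinction this thread turns on, as an added example that is not part of either message or of GnuPG: a front end reading `gpg --status-fd 1 --verify` output should report a signature as verified only when GOODSIG is accompanied by a sufficient TRUST_* line. The status keywords are GnuPG's; the verdict strings, the policy of treating marginal trust as insufficient, and the sample status lines are assumptions constructed for this example.

```python
# Classify GnuPG status-fd output for one signature. GOODSIG only proves that
# some key made the signature; the TRUST_* line says whether that key is valid
# for the claimed identity. An auto-retrieved key yields GOODSIG + TRUST_UNDEFINED.

TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
# Policy assumption of this example: marginal validity is not enough.
UNTRUSTED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}
# Signature is mathematically fine, but the key or signature is expired/revoked.
DEGRADED = {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def classify(status_text):
    """Return (verdict, signer) where signer is '<keyid> <user id>' or None."""
    good, signer, trust = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # skip human-readable lines mixed into the stream
        fields = line.split(" ", 3)[1:]
        keyword = fields[0]
        if keyword in ("BADSIG", "ERRSIG"):
            return ("invalid", None)
        if keyword in DEGRADED:
            return ("expired-or-revoked", " ".join(fields[1:]) or None)
        if keyword == "GOODSIG":
            good, signer = True, " ".join(fields[1:])
        elif keyword in TRUSTED or keyword in UNTRUSTED:
            trust = keyword
    if not good:
        return ("no-valid-signature", None)
    if trust in TRUSTED:
        return ("verified", signer)
    # Missing or insufficient trust: never collapse this into "verified".
    return ("good-signature-untrusted-key", signer)


# Constructed sample: key fetched from a keyserver during verification.
AUTO_FETCHED = """\
[GNUPG:] IMPORT_OK 1 0000111122223333444455556666777788889999
[GNUPG:] GOODSIG 0123456789ABCDEF Mallory <mallory@example.org>
[GNUPG:] TRUST_UNDEFINED
"""
# Constructed sample: key already in the keyring and fully valid.
KNOWN_KEY = """\
[GNUPG:] GOODSIG FEDCBA9876543210 Alice <alice@example.org>
[GNUPG:] TRUST_FULLY
"""

if __name__ == "__main__":
    for sample in (AUTO_FETCHED, KNOWN_KEY):
        print(classify(sample))
```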
More information about the Gnupg-devel mailing list