Web Key Discovery

Mon Apr 9 15:29:38 CEST 2018

Am Montag 09 April 2018 15:00:06 schrieb Sam Bull:
> Outlined where? I'm still not sure I understand how you would add a new ID
> without a private key?

In my first response I've outlined that having your private key on your server 
does not constitute a "major drop" in security.

> So, if someone receives a key with user ID A, and I later
> encrypt/sign with the same key but with user ID B, it won't cause any
> issues? 

Correct, you don't need to see a specific user ID to be able to encrypt to it.
However many email clients put up a warning, which is good.
If you receive cipher text, you can decrypt it, independently from the user ID 
that your pubkey had when it was encrypted to it.

> > Yes, but if it is not on there, they would just use their own private key
> > and act as a man in the middle.
>
> Sure, but that's much easier to detect. e.g. Failing DMARC validation in
> both directions all the time (if they don't have access to my email
> provider or DNS).

Maybe (I don't know, because my knowledge of DMARC is limited, if an attacker 
controls your email server, aren't they the legitimate transport MTA?)

Bernhard

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180409/1bf314b3/attachment.sig>