MUA "automatically signs keys"?
Johannes Zarl
johannes at zarl.at
Wed Jan 29 20:57:12 CET 2014
On Wednesday 29 January 2014 10:52:26 Robert J. Hansen wrote:
> > Well, it could be semi-automatic. I'm only talking about persona
> > certifications, which appear to be understood as verifying that the key
> > and the email address are under the control of the same person.
>
> I suspect the majority of GnuPG and PGP users could not tell you what
> a persona-level verification means. Saying they appear to be
> understood as X appears to me to be a dangerous bit of conjecture.
Since gnupg does equate trust level 1/persona certification to an untrusted
one, that should not be a problem IMO.
I like how this idea could mirror a "natural" web of trust - given proper MUA
support.
Under the assumption that an attacker can't reliably do a MITM attack on every
message that is sent over an extended time period, you would place almost no
trust in a fresh persona-certified key, but high trust in an old and
frequently encountered key. The trust would grow with time (just like the
trust into someone you know in real life).
Cheers,
Johannes
More information about the Gnupg-users
mailing list