[kmail2] [Bug 209319] GnuPG: automatically attach my public key and the public key from all receivers - also automatically import attached public keys (decentral key management)

Arne Babenhauserheide arne_bab at web.de
Sat Jan 4 19:25:00 GMT 2014


https://bugs.kde.org/show_bug.cgi?id=209319

--- Comment #5 from Arne Babenhauserheide <arne_bab at web.de> ---
At Sat, 04 Jan 2014 10:42:20 +0000,
Hauke Laging wrote:
> In other words: If I get 100 emails from you then I get 100 copies of your
> certificate, making the search for emails with an attachment completely
> useless? Are you serious about that, do you want to get rid of your friends...?

This is a non-issue for me: I also sign all email I send (attaches a *.asc
file), so another attachment does not affect the search for mails with
attachments. The alternative is an inline-signature - which might actually get
some people to stop reading my mails.

It would be nice if most mail clients would show signatures differently than
regular attachments, but for that to become a reality, more people need to sign
their emails. The only problem I see is the possibly large size of the keys
with all their signatures.

> And you are aware that only the key owner should change public versions of his
> certificate? Maybe he doesn't want your certification to be seen on his key. Of
> course, you can avoid this problem with some above average crypto knowledge...

You could just encrypt the recipients' keys to the recipients automatically.
Then they can decide whether they want to spread your signature.

Note, though, that every signature is effectively public except if both
participants already have crypto-knowledge. The others' keys could be stripped,
so they only contain my signature (reducing the size of those keys).

> > Along with the option to automatically import any attached GnuPG key, that
> > would open the possibility of using GnuPG without the need for central
> > keyservers: If I sign a key, its owner will automatically get the updated
> > version once he gets an email from me. 
> 
> Why not act like the rest of the world and send the certificate to the key
> owner immediately after creating it? 99% of the users don't care about this
> problem. The 1% can send you a mail and ask for the others' certificates.

Because that currently does not work. How many people actually use GnuPG?

I'd be happy to see another solution, though.

> The problem you mention does exist but has to be solved at another layer. This
> will probably be done by moving the responsibility for keyservers to the mail
> server owner (who knows that you send the mail anyway).

Will the mail-servers I currently use support this? I fear that without
legislative action, this will only increase the incompatibility problems -
because the public does not know crypto.

What I wish for is a seamless GnuPG experience: Set up the key once, then maybe
say "yes, I want to include this signature" from time to time and otherwise
just get encrypted email wherever both participants have GnuPG - starting at
least from the first *answer*.

An advantage here is that I am not dependent on the mail provider to supply
the feature (there are far fewer mail-clients than mail-providers) and that
there is no need for a public list of existing keys.

Best wishes,
Arne
