[kdepim-usability] untrusted pubkeys
Ingo Klöcker
kloecker at kde.org
Tue Sep 28 23:34:35 CEST 2004
On Tuesday 28 September 2004 10:30, Jan Muehlig wrote:
> Ingo Klöcker wrote:
> > So the answer to your question depends on what you've meant my
> > "trust". Since you talk about setting a key to trusted it seems you
> > meant "owner trust". In this case the answer is "No" (see a)).
>
> The reason for my question was: why can't i encrypt a mail to someone
> whose pubkey i obey/received? (At least this is my conclusion from
> the actual behavior of KMail 1.7). I assume therefore that you have
> to trust a key before you can use it (--edit-key trust). Is this
> true?
No. You have to sign the key. But you must not sign the key unless
you've properly validated the key (i.e. you've met the key owner, he
gave you the fingerprint of his key and you've checked the key owner's
identity). If you want to use the key nonetheless then you should sign
it with a non-exportable signature (with --lsign).
Using a non-validated key for encryption is a very bad idea because this
opens the doors for a man-in-the-middle attack. Therefore KMail refuses
to use non-validated keys for encryption.
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.kde.org/pipermail/kdepim-usability/attachments/20040928/0859aa13/attachment.pgp
More information about the kdepim-usability
mailing list