Message signing popups....
John Scott
jscott at posteo.net
Thu May 28 21:07:42 BST 2020
On Thursday, May 28, 2020 2:43:28 AM EDT strato_test wrote:
> So why waste the resources on it? Why is kmail nudging me with a feature as
> useless and wasteful as this? It's great that kmail supports encryption,
> but for everyone you didn't exchange keys with personally, you can better
> turn it off.
S/MIME is a totally different system from OpenPGP and is actually more rigid.
OpenPGP can accommodate a variety of different trust models aside from the Web
of Trust.
This includes TOFU (Trust on First Use), where increasing trust is put in
someone's key based on seeing how often it's used. It's inherently less secure
than the Web of Trust, but if you can't verify the authenticity of someone's
key, TOFU proponents would say sending material unencrypted is worse anyway.
Web Key Directory, and a trifecta of methods for publishing keys in the DNS,
also partially eliminates the need for key signing (especially the former).
Your mail provider authenticates you and them publishes your public key over
HTTPS for others to fetch. This is especially well-suited to organizations,
and Debian, Gentoo, F-Droid, and like projects all use this.
Lastly the Autocrypt standard specifies how to make a TOFU+Web of Trust workflow
as easy as possible, and specifies how to handle tricky situations like sharing
keys across devices and how to determine if someone *wants* encrypted mail.
Just because someone has a key doesn't mean they like it, some are required
to.
S/MIME isn't PGP at all though. X.509 certs (often informally called "SSL
certificates" even though here they're not used for SSL) can't have subkeys or
multiple identities added, and can only be signed by a single authority. An
important difference from OpenPGP is that the certificates are typically
included in the signature, mostly eliminating the need for any type of
keyserver (because you can trust the Certificate Authority at its face).
I'm sorry you haven't found email encryption painless. I just think GnuPG
disables TOFU by default to not give users a false sense of security. But
there's nothing stopping you from using an untrusted key (I think?)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kdepim-users/attachments/20200528/75a3e801/attachment.sig>
More information about the kdepim-users
mailing list