Message signing popups....

John Scott jscott at posteo.net
Thu May 28 21:07:42 BST 2020 

On Thursday, May 28, 2020 2:43:28 AM EDT strato_test wrote:
> So why waste the resources on it?  Why is kmail nudging me with a feature as
> useless and wasteful as this?  It's great that kmail supports encryption,
> but for everyone you didn't exchange keys with personally, you can better
> turn it off.
S/MIME is a totally different system from OpenPGP and is actually more rigid. 
OpenPGP can accommodate a variety of different trust models aside from the Web 
of Trust.

This includes TOFU (Trust on First Use), where increasing trust is put in 
someone's key based on seeing how often it's used. It's inherently less secure 
than the Web of Trust, but if you can't verify the authenticity of someone's 
key, TOFU proponents would say sending material unencrypted is worse anyway.

Web Key Directory, and a trifecta of methods for publishing keys in the DNS, 
also partially eliminates the need for key signing (especially the former). 
Your mail provider authenticates you and them publishes your public key over 
HTTPS for others to fetch. This is especially well-suited to organizations, 
and Debian, Gentoo, F-Droid, and like projects all use this.

Lastly the Autocrypt standard specifies how to make a TOFU+Web of Trust workflow 
as easy as possible, and specifies how to handle tricky situations like sharing 
keys across devices and how to determine if someone *wants* encrypted mail. 
Just because someone has a key doesn't mean they like it, some are required 
to.

S/MIME isn't PGP at all though. X.509 certs (often informally called "SSL 
certificates" even though here they're not used for SSL) can't have subkeys or 
multiple identities added, and can only be signed by a single authority. An 
important difference from OpenPGP is that the certificates are typically 
included in the signature, mostly eliminating the need for any type of 
keyserver (because you can trust the Certificate Authority at its face).

I'm sorry you haven't found email encryption painless. I just think GnuPG 
disables TOFU by default to not give users a false sense of security. But 
there's nothing stopping you from using an untrusted key (I think?)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kdepim-users/attachments/20200528/75a3e801/attachment.sig>

More information about the kdepim-users mailing list