Message signing popups....

test test at adminart.net
Fri May 29 15:42:53 BST 2020


On Thursday, May 28, 2020 10:50:57 PM CEST Ingo Klöcker wrote:
> On Thursday, 28 May 2020 08:43:28 CEST strato_test wrote:
> > On Thursday, May 28, 2020 2:35:36 AM CEST John Scott wrote:
> > > If you're using Debian or a derivative by chance, there is a gpgsm (GPG for
> > > S/MIME) bug related to it not importing system certificates. Unless the
> > > distro provides the specific integration, gpgsm has no certificate
> > > authorities to go off of by default.
> > > 
> > > Using my S/MIME certificate too now out of spite :)
> > 
> > Since I have returned to kmail (the message display in evolution makes it
> > too difficult to see which messages are read and which aren't): I'm
> > sometimes getting the same pop-up --- and since we are at this: What is the
> > point of the signature verification?
> > 
> > Unless I have met the person and have personally exchanged keys with them,
> > I do not know who sent the message.
> 
> There are two different approaches for certificate validation. You are
> referring to personal certificate validation and the web-of-trust, that's
> usually used with OpenPGP certificates.
> 
> In contrast, S/MIME certificates are usually signed by trusted certificate
> authorities (CAs) in a PKI. This is similar to the issuing of identity
> cards/passports by trusted official authorities. The advantage of such a
> centralized approach is that you only need to trust the CAs. The
> disadvantage of this centralized approach is that CAs cannot really be
> trusted. See my other message in this thread.

So both John and you are basically saying the same thing: You would have to 
trust that something encrypted can be trusted just because it involves some 
form of encryption.

How is that supposed to be useful, and how doesn't it create a false 
impression of security?





More information about the kdepim-users mailing list