[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kmail-devel
Subject:    Re: Problems sending encrypted messages
From:       Ingo =?iso-8859-15?q?Kl=F6cker?= <ingo.kloecker () epost ! de>
Date:       2002-01-31 18:19:54
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Volker Augustin wrote:

> Actually I am wondering if it is really such a good idea to prevent
> encryption to untrusted keys. If I really want to encrypt to that 
> key, I have to sign or locally sign the key. So if I cannot for 
> whatever reason verify the key, I'll only sign it locally. However, 
> after I did this, I might forget about it. And so, in the future I 
> might be tempted to think, that I *did* verify this key in the past.
> For that reason it might be better to allow users to encrypt to
> unverified/ untrusted keys. Maybe popup a warning message each time.

It's too late for this because we are in a message freeze. ;-)
But the real reason is that I didn't want this because:
1.) We would have to treat GnuPG and PGP differently because the usage 
of untrusted keys is only possible with gpg (and the completely 
outdated PGP 5 AFAIK). But all classes (except the program dependant 
classes derived from Kpgp::Base) should be free of any hacks which only 
apply to one of the supported programs.
2.) man gpg:
	--always-trust
                 Skip  key  validation  and assume that used keys
                 are always fully trusted.  You  won't  use  this
                 unless  you have installed some external valida­
                 tion scheme.
    Do we (or you) have an external validation scheme? No!
3.) This feature (not allowing encrytion with untrusted keys) will 
probably accelerate the growth of the web of trust because now KMail 
users are forced to sign keys if they want to use them. Hopefully they 
won't just sign them locally (or even worse, globally without checking 
the key owner's identity). I know that this is wishful thinking. :-(

Regards,
Ingo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8WYrPqUQWN/hplRsRAnMTAJ0bqZMxpfHcmtiO4FaIIokg3lxCmgCeOeqR
4Ek5oaytIUnCiKE+ZxrEc5w=
=hq7P
-----END PGP SIGNATURE-----
_______________________________________________
kmail Developers mailing list
kmail@mail.kde.org
http://mail.kde.org/mailman/listinfo/kmail
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic