
List:       kmail-devel
Subject:    Fwd: [Bug 44699] can't encrypt with gpg if the receiver's key is not
From:       Martin Steigerwald <Martin () lichtvoll ! de>
Date:       2008-02-21 14:13:02
Message-ID: 200802211513.07842.Martin () lichtvoll ! de


Hi!

What's the official position on this one?

I know it has been discussed in the bug report quite a lot already, but 
actually I agree with Torsten Landschoff and various others.

I also set trust to ultimate in order to send out a message to a key which 
I did not yet verify. And hopefully I remember to set trust to unknown 
afterwards.

KMail IMHO should definitely allow me to send a mail to a key that I do 
not completely trust. It's my choice and I know the risk that it might 
not belong to the person I think it does. Still the mail is at least 
only decryptable by the owner of the mail (and me usually).

A warning in BIG FAT LETTERS is good, so that people realise what 
they are doing. But if I say "Yes, I am sure", KMail should obey. 
Otherwise this would be like a web browser which doesn't let me browse 
HTTPS sites with an unverified SSL certificate or a mail client which 
doesn't let me connect to mail servers with an unverified SSL certificate.

No offence meant...

Ciao,
Martin

----------  Forwarded Message  ----------

Subject: [Bug 44699] can't encrypt with gpg if the receiver's key is not 
signed
Date: Thursday 21 February 2008
From: Torsten Landschoff <torsten@debian.org>
To: Martin@lichtvoll.de

------- You are receiving this mail because: -------
You are a voter for the bug, or are watching someone who is.
         
http://bugs.kde.org/show_bug.cgi?id=44699         




------- Additional Comments From torsten debian org  2008-02-21 
14:04 -------
Come on, this can't be true. kmail disallows me to send encrypted with an 
untrusted key - why!? Warning is okay, perhaps in bold letters and 
some "I am really sure" check.

This misfeature makes kontact all but useless for me. I won't go and sign 
any key of other Debian people I did not meet in person - I can't be sure 
the key matches the person. But at least it will only be readable by the 
person having the key, not to every mail server in between us. 

For work I have a big list of keys which I won't sign. For one I know the 
person relating to the key, but I did never check any passports. So I 
won't sign them. So the "solution" to use kmail is to --lsign every key? 
Not!

While I am just using Thunderbird again in disbelief, others will happily 
sign every key just to be able to send an email. For me this looks like a 
security problem (the social engineering kind) and not like a wishlist 
bug.

Please fix this!

-------------------------------------------------------

-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7


_______________________________________________
KMail developers mailing list
KMail-devel@kde.org
https://mail.kde.org/mailman/listinfo/kmail-devel
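
The warn-then-obey behaviour both messages above ask for, sketched as an added example (not KMail's code and not written by either poster). It reads the validity letter from field 2 of `gpg --with-colons --list-keys` output; the function names, the three-way policy and the sample listing are assumptions constructed for illustration.

```python
# Validity letters as documented for field 2 of gpg's colon-format listing.
HARD_FAIL = {"i": "invalid", "d": "disabled", "r": "revoked", "e": "expired"}
VALIDATED = {"f": "fully valid", "u": "ultimately valid"}
# Everything else (o, -, q, n, m, empty) means "not validated by the web of trust".

# Constructed sample listing; key IDs, dates and user IDs are made up.
SAMPLE_LISTING = """\
pub:-:2048:1:AAAAAAAAAAAAAAAA:1200000000:::-:::scESC:
uid:-::::1200000000::0000000000000000000000000000000000000000::Constructed Unverified <unverified@example.org>:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1200000000:::-:::scESC:
uid:f::::1200000000::1111111111111111111111111111111111111111::Constructed Verified <verified@example.org>:
pub:r:2048:1:CCCCCCCCCCCCCCCC:1200000000:::-:::sc:
uid:r::::1200000000::2222222222222222222222222222222222222222::Constructed Revoked <revoked@example.org>:
"""

def parse_keys(listing):
    """Return {key_id: (validity_letter, first_user_id)} from colon-format text."""
    keys, current = {}, None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            current = fields[4]
            keys[current] = [fields[1], ""]
        elif fields[0] == "uid" and current and len(fields) > 9:
            if not keys[current][1]:          # keep only the first user ID
                keys[current][1] = fields[9]
    return {key_id: tuple(value) for key_id, value in keys.items()}

def decide(validity, user_confirmed=False):
    """Hypothetical policy: 'refuse', 'warn' or 'encrypt' for one recipient key."""
    if validity in HARD_FAIL:
        return "refuse"      # unusable key: confirmation must not override this
    if validity in VALIDATED:
        return "encrypt"     # validated key: no prompt needed
    # Unvalidated key: show the warning, then obey an explicit "I am sure".
    return "encrypt" if user_confirmed else "warn"

if __name__ == "__main__":
    for key_id, (validity, uid) in parse_keys(SAMPLE_LISTING).items():
        print(key_id, uid, decide(validity), decide(validity, user_confirmed=True))
```

With GnuPG itself, the confirmed case can be carried out for a single invocation with `--trust-model always`, which leaves the keyring's signatures and ownertrust values untouched.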

