Hi Ralf--

On 10/15/2013 05:14 PM, Ralf Jung wrote:

> why does Enigmail refuse to use an unsigned key for encryption? A friend
> of mine recently contacted me via encrypted mail, and while I was able
> to get her key from a keyserver, I couldn't get a signature for it, so I
> decided to do that later but reply now. However, after hitting "Send",
> when Enigmail asked me which key to use for encryption, her key was
> marked red and I wasn't able to encrypt the mail - so I had the choice
> of signing a key I did not verify at all, or sending an unencrypted
> email. Why is that?

enigmail relies on gpg for the association between keys and e-mail
addresses.  gpg understands (correctly) that the keys in your keyring
are effectively populated over the network (e.g. keyserver fetches) and
shouldn't be considered validly-bound to their claimed user IDs without
some other indication that the user does actually believe these keys to
belong to the indicated user.

This is a good thing -- it makes it so that if you import a key from
someone else who happens to claim to have your friend's e-mail address,
enigmail won't accidentally encrypt your messages to that other person.

In the situation you describe, where you suspect that a given key
belongs to your friend, and you are willing to use it for now, i would
use a time-limited (a few months perhaps?) local (a.k.a.
"non-exportable") signature on just the User ID i plan to correspond
with, and then do my best to confirm her key's fingerprint securely
within the time limit, so i could go ahead and do a regular keysigning.

hope this helps,

        --dkg

enigmail-users mailing list
enigmail-users@enigmail.net
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net