On 12/13/2013 04:27 PM, Werner Koch wrote: > On Fri, 13 Dec 2013 21:24, [email protected] said: >> I think for a piece of critical security infrastructure, GPG has been >> supporting some insecure practices for far too long. > > Why do you think this is insecure? Because gpg does not encrypt to a > key and users work around this by using --always-trust?
yes, in this example, that's most likely the short path to an insecure
configuration. I think most users don't really understand the default
trust model, and that makes it more difficult for them to use the tool
securely. Exposing the UID validity is a step toward making the trust
model calculations more visible to users, which is necessary for
understanding.
--dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
