On 2018-04-28, Teemu Likonen wrote:

> When verifying an S/MIME message gpgsm (I think) asks whether I
> ultimately trust some certificate authority to certify others and then
> asks me to verify that a displayed fingerprint belongs to the authority.
> How do I know? (So far I have pressed the "Cancel" button.)
You don’t. You should not trust them if you don’t know anything about them.

> I went to the certificate authority's web page but couldn't find
> fingerprints.

That’s odd. Maybe they publish their certificates over HTTPS, from which you could extract the fingerprint.

> That's not how CA system usually works anyway. Usually we are not
> supposed to go searching the internet. Usually some experts have
> taught web browsers or operating systems to automatically trust
> certain authorities. So signature verification is transparent.

They added “trust,” not trust. See [1] for my biased point of view (still pretty accurate despite its age; nowadays, I would add a pointer to Certificate Transparency [2]).

> Any suggestions or information for practically managing S/MIME messages?

Personally, I try to verify CAs’ fingerprints. Afterwards, I express my “trust” in other people’s choices of CAs when verifying their signatures (so, pretend “Yes” when asked about trust) but prefer OpenPGP over S/MIME whenever possible.

Best wishes
Jens

[1] https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/
[2] https://www.certificate-transparency.org/
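The check Jens describes, computing a CA certificate's fingerprint from a copy obtained out of band and comparing it with the one gpgsm shows, as an added example that is not part of the thread. It assumes the certificate is available as PEM text (for instance downloaded from the CA's site); the `SAMPLE_PEM` body is a constructed stand-in whose bytes are `abc`, not a real X.509 certificate, so the digests are the standard SHA-1/SHA-256 test-vector values.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded CA certificate. The body decodes to
# b"abc" rather than real DER, which keeps the expected digests well known.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the certificate body."""
    block = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if block is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(block.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the DER bytes as colon-separated uppercase hex, the layout
    gpgsm --fingerprint and `openssl x509 -fingerprint` print."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Remove colons/whitespace and fold case so a value copied from a web
    page or a prompt compares reliably; reject anything that is not hex."""
    cleaned = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return cleaned


def fingerprints_match(shown: str, reference: str) -> bool:
    """True only if the fingerprint gpgsm displayed equals the reference one."""
    try:
        return hmac.compare_digest(normalize(shown), normalize(reference))
    except ValueError:
        return False


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-1  :", fingerprint(der, "sha1"))
    print("SHA-256:", fingerprint(der, "sha256"))
```

With a real certificate, `fingerprint(pem_to_der(open(path).read()))` yields the value to compare against the one gpgsm asks you to confirm; a mismatch means the copy in your keyring is not the one the CA published.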
