Re: Trusting other keys a message was encrypted to

2015-11-08 Thread MFPA

Hi


On Sunday 8 November 2015 at 7:48:46 PM, in
, Ingo Klöcker wrote:


> As vedaal explained, anybody between the sender and you
> can add arbitrary fake ESK packets to the message,
> e.g. a packet for EvilPerson's key. So, the attacker
> could make you think that EvilPerson could also read
> the message even though EvilPerson can't. Lacking
> EvilPerson's private key you have no way of telling
> whether the ESK packet is genuine or fake.
> Consequently, drawing conclusions solely from the
> presence (or absence) of other ESK packets seems like a
> bad idea.

Fair enough.


--
Best regards

MFPA  

The meaning of life is to find your gift.
The purpose of life is to give it away.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Trusting other keys a message was encrypted to

2015-11-08 Thread Ingo Klöcker
On Saturday 07 November 2015 17:31:38 MFPA wrote:
> On Saturday 7 November 2015 at 12:30:53 PM, in
> , Daniel Baur wrote:
> > I don’t really understand what is the earn here.
> > 
> > If I send an encrypted message to you and EvilPerson
> > (together in the same eMail), you receive the email and
> > gpg would warn you “Heh, you don’t trust EvilPerson!”:
> > What would improve? The EvilPerson received already the
> > email, neither you nor I could do anything about that.
> 
> Having it flagged up to me that "EvilPerson" can also read the message
> may cause me to act differently in response to the message contents,
> or to act differently in future dealings with the sender.

As vedaal explained, anybody between the sender and you can add 
arbitrary fake ESK packets to the message, e.g. a packet for 
EvilPerson's key. So, the attacker could make you think that EvilPerson 
could also read the message even though EvilPerson can't. Lacking 
EvilPerson's private key you have no way of telling whether the ESK 
packet is genuine or fake. Consequently, drawing conclusions solely from 
the presence (or absence) of other ESK packets seems like a bad idea.


Regards,
Ingo
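
Added example, not part of either message: a minimal Python parser for the packet layout of RFC 4880 that lists the key IDs named in ESK (PKESK) packets and shows that a message can gain an extra one while its encrypted data packet stays byte-identical. The two sample messages, their key IDs and the filler bytes standing in for ciphertext are constructed for illustration, and the helper names are hypothetical.

```python
import struct

PKESK, SEIPD = 1, 18  # OpenPGP packet tags (RFC 4880, sections 5.1 and 5.13)

def iter_packets(data):
    """Yield (tag, body) for each definite-length packet in a binary OpenPGP message."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError("bad packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
            else:
                raise ValueError("partial body length not handled here")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length

def claimed_recipients(data):
    """Key IDs named in version 3 PKESK packets: claims only, nothing authenticates them."""
    return [b[1:9].hex().upper() for t, b in iter_packets(data) if t == PKESK and b[:1] == b"\x03"]

def protected_payload(data):
    """Bodies of the encrypted-data packets; the MDC and any signature live inside these."""
    return [b for t, b in iter_packets(data) if t == SEIPD]

def _packet(tag, body):                     # constructed sample data, new-format header
    return bytes([0xC0 | tag, len(body)]) + body

def _sample_pkesk(key_id_hex):              # filler bytes stand in for the encrypted session key
    return _packet(PKESK, b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\xAA")

# Constructed messages: same encrypted body, the second lists one more key ID.
BODY = _packet(SEIPD, b"\x01" + b"constructed ciphertext bytes")
AS_SENT = _sample_pkesk("1111111111111111") + BODY
AS_RECEIVED = _sample_pkesk("1111111111111111") + _sample_pkesk("2222222222222222") + BODY

if __name__ == "__main__":
    print(claimed_recipients(AS_SENT), claimed_recipients(AS_RECEIVED))
    print(protected_payload(AS_SENT) == protected_payload(AS_RECEIVED))
```

Because the recipient list sits outside the encrypted data packet, decrypting and verifying the message successfully says nothing about whether every listed key ID was put there by the sender.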

