Re: Trusting other keys a message was encrypted to

2015-11-08 Thread MFPA
Hi On Sunday 8 November 2015 at 7:48:46 PM, in , Ingo Klöcker wrote: > As vedaal explained, anybody between the sender and you > can add arbitrary fake ESK packets to the message, > e.g. a packet for EvilPerson's

Re: Trusting other keys a message was encrypted to

2015-11-07 Thread Daniel Baur
Hello, On 07.11.2015 at 12:10, MFPA wrote: > But we *could* check to see if any of them gives > us cause for concern. I don’t really understand what is the earn here. If I send an encrypted message to you and EvilPerson (together in the same eMail), you receive the email and gpg would warn you

Re: Trusting other keys a message was encrypted to

2015-11-07 Thread MFPA
Hi On Saturday 7 November 2015 at 2:01:38 AM, in , Kristian Fiskerstrand wrote: > [Sent from my iPad, as it is not a secured device there > are no cryptographic keys on this device,

Re: Trusting other keys a message was encrypted to

2015-11-06 Thread Kristian Fiskerstrand
[Sent from my iPad, as it is not a secured device there are no cryptographic keys on this device, meaning this message is sent without an OpenPGP signature. In general you should *not* rely on any information sent over such an unsecure channel, if you find any information controversial or

Trusting other keys a message was encrypted to

2015-11-06 Thread MFPA
While writing in the "TOFU for GnuPG" thread it occurred to me that GnuPG does not look at whether we "trust" the other keys to which an incoming message was encrypted. GnuPG looks at whether we "trust" keys we are about to encrypt to, and

Re: Trusting other keys a message was encrypted to

2015-11-06 Thread vedaal
On 11/6/2015 at 10:11 AM, "MFPA" wrote: While writing in the "TOFU for GnuPG" thread it occurred to me that GnuPG does not look at whether we "trust" the other keys to which an incoming message was encrypted. Wouldn't it be reasonable to also look at whether we "trust" other keys that are

Re: Trusting other keys a message was encrypted to

2015-11-06 Thread vedaal
vedaal at nym.hush.com vedaal at nym.hush.com wrote on Fri Nov 6 16:46:21 CET 2015 : Since you are not able to encrypt either the real or the fake Rumplestiltsken key, you have no way of knowing if the session key is genuine or not in that packet. = Sorry, typo, meant to say

Re: Trusting other keys a message was encrypted to

2015-11-06 Thread MFPA
Hi On Friday 6 November 2015 at 3:46:21 PM, in , ved...@nym.hush.com wrote: > On 11/6/2015 at 10:11 AM, "MFPA" wrote: While writing > in the "TOFU for GnuPG" thread it occurred to me that >