Ultimate trust
Tomas Nordin
tomasn at posteo.net
Sun Mar 22 07:30:09 PDT 2020
Teemu Likonen <tlikonen at iki.fi> writes:
> Tomas Nordin [2020-03-21T15:37:36+01] wrote:
>
>> This is probably a dumb question and not really an issue for Notmuch.
>
> Excellent questions but partly difficult to answer.
>
>> But it is when using notmuch (through emacs) I get this Gnome pop-up.
>> See attached image. Some senders are attaching some sort of signature
>> that I get to trust or cancel.
>
> The sender's mail client has used gpgsm or similar program to digitally
> sign the message content. The sender's key that made the message
> signature has been certified by some certificate authority. And you are
> asked if you trust this certificate authority to certify other's keys.
>
>> What does people do in this case, I tend to cancel it. How should I
>> relate to the question. How do I know if I could ultimately trust
>> something as asked.
>
> That is the difficult part. The right answer is probably that user
> should carefully check the certificate authority's key fingerprint,
> compare it to the fingerprint that the authority has published somewhere
> else, study the certificate authority's reputation in certifying
> people's keys, or something like that.
>
> And almost nobody does that because it's too difficult.
>
> I do this: I press "Yes" (to trust "ultimately") but then immediately go
> edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
> that certificate authority's key fingerprint. It marks that key
> untrusted (because I really don't know). Then: "gpgconf --reload
> gpg-agent".
OK, thanks. That already feels better, knowing I can revert this trust
easily like that. And some better understanding of what's going on.
Best regards
--
Tomas
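The untrust-then-reload step Teemu describes above, scripted as an added example (not code from the thread or from notmuch): it prefixes the matching fingerprint line in trustlist.txt with "!" and leaves the reload as a separate call. The helper names, the default path and the sample CA entry are assumptions.

```shell
#!/bin/sh
# Added illustration, not part of the notmuch thread: script the step
# Teemu describes (prefix the CA's line in trustlist.txt with "!", then
# reload gpg-agent). Function names and the sample entries are assumptions.
set -eu

# Normalise a fingerprint for comparison: drop colons/spaces, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# distrust_ca FPR [TRUSTLIST]
# Every non-comment line of TRUSTLIST (default ~/.gnupg/trustlist.txt)
# whose first field matches FPR gets a leading "!", which gpg-agent reads
# as "explicitly untrusted". Prints the number of lines changed.
distrust_ca() {
    fpr=$(norm_fpr "$1")
    list=${2:-"$HOME/.gnupg/trustlist.txt"}
    tmp="$list.tmp.$$"
    changed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*|'') printf '%s\n' "$line" ;;          # comments, blank lines
            '!'*)    printf '%s\n' "$line" ;;          # already untrusted
            *)
                # First field is the fingerprint, the rest are flags (e.g. S).
                if [ "$(norm_fpr "${line%% *}")" = "$fpr" ]; then
                    printf '!%s\n' "$line"
                    changed=$((changed + 1))
                else
                    printf '%s\n' "$line"
                fi ;;
        esac
    done < "$list" > "$tmp"
    mv "$tmp" "$list"
    echo "$changed"
}

# The reload step from the thread; kept separate so the file edit is testable.
reload_agent() {
    gpgconf --reload gpg-agent
}

# Demo on a constructed scratch trustlist (never touches ~/.gnupg).
demo="$(mktemp)"
printf '# CN=Example CA (constructed)\nAB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01 S\n' > "$demo"
distrust_ca abcdef0123456789abcdef0123456789abcdef01 "$demo" >/dev/null
cat "$demo"          # the CA line now starts with "!"
rm -f "$demo"
```

Run `reload_agent` after editing the real file so the running gpg-agent picks up the change.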