[Bug 44699] can't encrypt with gpg if the receiver's key is not signed

Thiago Macieira thiago at kde.org
Thu Feb 1 21:39:15 CET 2007


http://bugs.kde.org/show_bug.cgi?id=44699         




------- Additional Comments From thiago kde org  2007-02-01 21:39 -------
Let me make this clear:

1) KDE has to make compromises. Some choices are made. We can't let everything be permitted, or it becomes hell to be used, by anyone. You might as well scrub bits if that's the intention.

This is not to say that this is a *good* decision.

2) In your little exchange example above, you may have unintentionally leaked information. How sure are you that the person you're talking to is supposed to have those figures? If you are reasonably sure, why not sign the key in the first place?

3) I am not standing in the way of anybody. This bug isn't fixed because NO developer has stepped up to do it. In fact, I was voting *for* this bug. (I am no longer because I don't want to receive more mails about it)

4) SSL websites have this exact same problem: people see the little padlock icon and think it's all right to send their credit card numbers. The padlock icon in Konqueror and all the web browsers indicates that the data exchange is encrypted, meaning that only the destination can read it.

It does not mean the destination is who you think it is!

During the past two years, I have followed George Staikos's efforts with the other browser vendors to bring some order into this chaos. Encryption is useless without authentication.

Now, you may say that talking to someone via IRC or the phone should be enough to trust his email address. And why should it not? But I would also argue that if you trust it enough to send encrypted email, you trust it enough to sign the key.

But I no longer care about this bug. I have removed my vote so I won't get any more email about it.

Please, someone fix it. But at least make KMail show a warning that a key being used is not trusted at all. And don't add the "Don't show this message again" option. Security first.
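
The warning behaviour requested in the comment above, sketched as an added example (not part of the original message and not KMail's code). It reads the validity field of `gpg --with-colons --list-keys` output as described in GnuPG's doc/DETAILS; the three-way policy, the function name `classify` and the sample listing are assumptions made for illustration.

```python
# Added example: decide how a mail client should treat a recipient key,
# based on the validity column of `gpg --with-colons --list-keys` output.
# Field layout per GnuPG doc/DETAILS: field 1 = record type,
# field 2 = validity, field 10 = user ID.

USABLE = set("fu")      # fully / ultimately valid: encrypt without a prompt
UNUSABLE = set("idre")  # invalid, disabled, revoked, expired: never encrypt
# Any other value (o, -, q, n, m or empty) means the key is not authenticated.
# Hypothetical policy: still allow encryption, but warn on every single use.

# Constructed sample listing; key IDs, hashes and addresses are made up.
SAMPLE = """\
tru::1:1170362355:0:3:1:5
pub:f:1024:17:AAAAAAAAAAAAAAAA:1100000000:::-:::scESC:
uid:f::::1100000000::HASH1::Alice Example <alice@example.org>:
sub:f:2048:16:BBBBBBBBBBBBBBBB:1100000000::::::e:
pub:-:1024:17:CCCCCCCCCCCCCCCC:1150000000:::-:::scESC:
uid:-::::1150000000::HASH2::Bob Example <bob@example.org>:
pub:r:1024:17:DDDDDDDDDDDDDDDD:1090000000:::-:::sc:
uid:r::::1090000000::HASH3::Carol Example <carol@example.org>:
"""


def classify(listing, email):
    """Return 'encrypt', 'warn' or 'refuse' for the first key listing email."""
    key_validity = ""
    needle = "<%s>" % email.lower()
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            # Remember the validity of the primary key for its uid records.
            key_validity = fields[1] if len(fields) > 1 else ""
        # Older gpg puts the primary user ID on the pub record itself,
        # newer versions emit separate uid records; accept both.
        if fields[0] in ("pub", "uid") and len(fields) > 9:
            if needle in fields[9].lower():
                uid_validity = fields[1]
                if key_validity in UNUSABLE or uid_validity in UNUSABLE:
                    return "refuse"
                if uid_validity in USABLE:
                    return "encrypt"
                return "warn"  # encrypted, but recipient not authenticated
    return "refuse"  # no key found for this address


if __name__ == "__main__":
    for addr in ("alice@example.org", "bob@example.org", "carol@example.org"):
        print(addr, "->", classify(SAMPLE, addr))
```

A client following the comment's request would show its warning each time `classify` returns `warn`, with no option to suppress it.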


