[messaging] Advertising public key in email (was: TOFU to ease PGP key discovery)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Feb 11 09:29:51 PST 2015
On Wed 2015-02-11 10:37:34 -0500, David Gil wrote:
> Using the same key for signing as for encryption gets vastly weaker
> security guarantees (i.e., Gap-DH for EC). There is no excuse for a
> new cryptosystem/deployment to do this.
Agreed.
> PS. Is messaging@ still forging 'From:' headers?
The message was in fact from you. Keeping the From: header intact is
hardly "forging".
https://tools.ietf.org/html/rfc5322#section-3.6.2 says:
    The "From:" field specifies the author(s) of the message, that is,
    the mailbox(es) of the person(s) or system(s) responsible for the
    writing of the message. For example, if a secretary were to send a
    message for another person, the mailbox of the secretary would appear
    in the "Sender:" field and the mailbox of the actual author would
    appear in the "From:" field.
The mailing list is acting as a glorified secretary here.
--dkg
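
The From:/Sender: split quoted from RFC 5322 section 3.6.2 can be checked mechanically. The following is an added example, not part of the original message: it separates a message's authors from its transmitter and also applies two rules from the same RFC section that the quote does not show (Sender: holds a single mailbox and is required when From: lists several). The sample messages, addresses and the `originator_roles` helper are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a list relays a post, leaving the author's From: intact
# and naming itself in Sender:. All addresses are placeholders.
LIST_COPY = (
    "From: Alice Author <alice@author.example>\n"
    "Sender: discuss-bounces@lists.example\n"
    "To: discuss@lists.example\n"
    "Subject: [discuss] hello\n"
    "\n"
    "body\n"
)
# Constructed sample: two authors but no Sender:, which section 3.6.2 forbids.
TWO_AUTHORS = (
    "From: a@one.example, b@two.example\n"
    "Subject: joint note\n"
    "\n"
    "body\n"
)

def _mailboxes(msg, field):
    """Lower-cased addr-specs from every occurrence of a header field."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(field, [])) if addr]

def originator_roles(raw):
    """Split a message's originator fields into authors and transmitter."""
    msg = message_from_string(raw)
    authors = _mailboxes(msg, "From")
    senders = _mailboxes(msg, "Sender")
    problems = []
    if not authors:
        problems.append("no From: mailbox")
    if len(senders) > 1:
        problems.append("Sender: must hold a single mailbox")
    if len(authors) > 1 and not senders:
        problems.append("several authors but no Sender:")
    # Without Sender:, a lone author is also the transmitter.
    if senders:
        transmitter = senders[0]
    elif len(authors) == 1:
        transmitter = authors[0]
    else:
        transmitter = None
    return {
        "authors": authors,
        "transmitter": transmitter,
        "sent_on_behalf": transmitter is not None and transmitter not in authors,
        "problems": problems,
    }
```

For `LIST_COPY` the author stays `alice@author.example` while the transmitter is the list's address, which is the secretary arrangement the RFC describes.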