[messaging] Advertising public key in email (was: TOFU to ease PGP key discovery)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 11 09:29:51 PST 2015


On Wed 2015-02-11 10:37:34 -0500, David Gil wrote:
>  Using the same key for signing as for encryption gets vastly weaker
>  security guarantees (i.e., Gap-DH for EC). There is no excuse for a
>  new cryptosystem/deployment to do this.

Agreed.

>  PS. Is messaging@ still forging 'From:' headers?

The message was in fact from you.  Keeping the From: header intact is
hardly "forging".

https://tools.ietf.org/html/rfc5322#section-3.6.2 says:

   The "From:" field specifies the author(s) of the message, that is,
   the mailbox(es) of the person(s) or system(s) responsible for the
   writing of the message.  For example, if a secretary were to send a
   message for another person, the mailbox of the secretary would appear
   in the "Sender:" field and the mailbox of the actual author would
   appear in the "From:" field.

The mailing list is acting as a glorified secretary here.

   --dkg
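To make the From:/Sender: distinction concrete, here is an added example (not from the thread or from any list software) that models a list resending a message the way the RFC 5322 passage above describes: From: stays the author, Sender: names the relaying agent. The addresses and the message are constructed.

```python
from email import policy
from email.parser import BytesParser

# Constructed sample message, as submitted by the author's own client
# (hypothetical addresses; no Sender: header because the author sent it).
ORIGINAL = (
    b"From: Alice Author <alice@example.org>\r\n"
    b"To: discuss@lists.example.net\r\n"
    b"Subject: key discovery\r\n"
    b"Message-ID: <1234@example.org>\r\n"
    b"\r\n"
    b"body\r\n"
)


def relay_through_list(raw: bytes, list_addr: str) -> bytes:
    """Model the RFC 5322 'secretary' case: the list resends the message,
    leaving From: (the author) untouched and naming itself in Sender:."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if "Sender" in msg:
        del msg["Sender"]          # a relay replaces any earlier Sender:
    msg["Sender"] = list_addr
    return msg.as_bytes()


def author_and_sender(raw: bytes) -> tuple:
    """Return (author mailbox, transmitting mailbox) for a message.

    Per RFC 5322 section 3.6.2 the author is From:, and the agent that
    actually transmitted the message is Sender:.  When Sender: is absent
    the author transmitted it themselves, so both values are the same."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    author = msg["From"].addresses[0].addr_spec
    sender_hdr = msg["Sender"]
    sender = sender_hdr.address.addr_spec if sender_hdr is not None else author
    return author, sender


if __name__ == "__main__":
    relayed = relay_through_list(ORIGINAL, "discuss@lists.example.net")
    print(author_and_sender(ORIGINAL))   # author sent it: both are alice
    print(author_and_sender(relayed))    # author still alice, sender is the list
```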

