Version: 1.12.1 (using 4.3.1 (KDE 4.3.1), Gentoo) Compiler: x86_64-pc-linux-gnu-gcc OS: Linux (x86_64) release 2.6.30-hh2 I'd love to be able to tell KMail to automatically attach my public GnuPG key and all public GnuPG keys of the receivers to each email I send (and sign/encrypt). Along with the option to automatically import any attached GnuPG key, that would open the possiblity of using GnuPG without the need for central keyservers: If I sign a key, its owner will automatically get the updated version once he gets an email from me. And since GnuPG keys aren't verified via "I have it" but via the web of trust, this would be completely safe. No longer needing the keyservers would also alleviate a privacy concern. Currently people can find the people who verified my key by getting my key from a keyserver. By doing key spreading and signature merging decentrally (by sending mails), this type of analysis will become much less threatening, since the data will very likely be incomplete. People would have to get the public key directly from me or from some of their contacts to be able to do a signer-analysis - and they couldn't easily broaden it by getting the signed keys from my signers from the servers. All this can be accomplished by adding the two options "always attach my public key and the keys of all public receivers (only "TO" and "CC"!) and "always import attached GnuPG keys". Best wishes, Arne
Thank you for your feature request. Kmail1 is currently unmaintained so we are closing all wishes. Please feel free to reopen a feature request for Kmail2 if it has not already been implemented. Thank you for your understanding.
Instead of creating a new feature request, please confirm here if the wishlist is still valid for kmail2.
itβs still valid, yes.
(In reply to comment #0) > I'd love to be able to tell KMail to automatically attach my public GnuPG > key and all public GnuPG keys of the receivers to each email I send (and > sign/encrypt). In other words: If I get 100 emails from you then I get 100 copies of your certificate, making the search for emails with an attachment completely useless? Are you serious about that, do you want to get rid of your friends...? And you are aware that only the key owner should change public versions of his certificate? Maybe he doesn't want your certification to be seen on his key. Of course, you can avoid this problem with some above average crypto knowledge... > Along with the option to automatically import any attached GnuPG key, that > would open the possiblity of using GnuPG without the need for central > keyservers: If I sign a key, its owner will automatically get the updated > version once he gets an email from me. Why not act like the rest of the world and send the certificate to the key owner immediately after creating it? 99% of the users don't care about this problem. The 1% can send you a mail and ask for the others' certificates. The problem you mention does exist but has to be solved at another layer. This will probably be done by moving the responsibility for keyservers to the mail server owner (who knows that you send the mail anyway).
At Sat, 04 Jan 2014 10:42:20 +0000, Hauke Laging wrote: > In other words: If I get 100 emails from you then I get 100 copies of your > certificate, making the search for emails with an attachment completely > useless? Are you serious about that, do you want to get rid of your friends...? This is a non-issue for me: I also sign all email I send (attaches a *.asc file), so another attachment does not affect the search for mails with attachments. The lternative is an inline-signature - which might actually get some people to stop reading my mails. It would be nice, if most mail clients would show signatures differently than regular attachments, but for that to become a reality, more people need to sign their emails. The only problem I see is the possibly large size of the keys with all their signatures. > And you are aware that only the key owner should change public versions of his > certificate? Maybe he doesn't want your certification to be seen on his key. Of > course, you can avoid this problem with some above average crypto knowledge... You could just encrypt the recipients keys to the recipients automatically. Then they can decide whether they want to spread your signature. Note, though, that every signature is effectively public except if both participants already have crypto-knowledge. The others keys could be stripped, so they only contain my signature (reducing the size of those keys). > > Along with the option to automatically import any attached GnuPG key, that > > would open the possiblity of using GnuPG without the need for central > > keyservers: If I sign a key, its owner will automatically get the updated > > version once he gets an email from me. > > Why not act like the rest of the world and send the certificate to the key > owner immediately after creating it? 99% of the users don't care about this > problem. The 1% can send you a mail and ask for the others' certificates. Because that currently does not work. How many people actually use GnuPG? I'd be happy to see another solution, though. > The problem you mention does exist but has to be solved at another layer. This > will probably be done by moving the responsibility for keyservers to the mail > server owner (who knows that you send the mail anyway). Will the mail-servers I currently use support this? I fear that without legislative action, this will only increase the incompatibility problems - because the public does not know crypto. What I wish for is a seamless GnuPG experience: Setup the key once, the maybe say "yes, I want to include this signature" from time to time and otherwise just get encrypted email wherever both participants have GnuPG - starting at least from the first *answer*. An advantage here is, that I am not dependent on the mail provider to supply the feature (there are far less mail-clients that mail-providers) and that there is no need for a public list of existing keys. Best wishes, Arne
At Sat, 04 Jan 2014 20:24:53 +0100, Arne Babenhauserheide wrote: > > At Sat, 04 Jan 2014 10:42:20 +0000, > Hauke Laging wrote: > > In other words: If I get 100 emails from you then I get 100 copies of your > > certificate, making the search for emails with an attachment completely > > useless? Are you serious about that, do you want to get rid of your friends...? > > This is a non-issue for me: I also sign all email I send (attaches a *.asc file), so another attachment does not affect the search for mails with attachments. The lternative is an inline-signature - which might actually get some people to stop reading my mails. > > It would be nice, if most mail clients would show signatures differently than regular attachments, but for that to become a reality, more people need to sign their emails. The only problem I see is the possibly large size of the keys with all their signatures. And this could be resolved by simply keeping a list of people whio already received the current version of my key. Then you would not get 100 copies of my key but rather 3 or 4: Only those where the signatures changed from the last time you got my key. Best wishes, Arne