Re: Ultimate trust

Subject: Re: Ultimate trust

Date: Sun, 22 Mar 2020 15:30:09 +0100

To: Teemu Likonen,


From: Tomas Nordin

Teemu Likonen <> writes:

> Tomas Nordin [2020-03-21T15:37:36+01] wrote:
>> This is probably a dumb question and not really an issue for Notmuch.
> Excellent questions but partly difficult to answer.
>> But it is when using notmuch (through emacs) I get this Gnome pop-up.
>> See attached image. Some senders are attaching some sort of signature
>> that I get to trust or cancel.
> The sender's mail client has used gpgsm or similar program to digitally
> sign the message content. The sender's key that made the message
> signature has been certified by some certificate authority. And you are
> asked if you trust this certificate authority to certify other's keys.
>> What does people do in this case, I tend to cancel it. How should I
>> relate to the question. How do I know if I could ultimately trust
>> something as asked.
> That is the difficult part. The right answer is probably that user
> should carefully check the certificate authority's key fingerprint,
> compare it to the fingerprint that the authority has published somewhere
> else, study the certificate authority's reputation in certifying
> people's keys, or something like that.
> And almost nobody does that because it's too difficult.
> I do this: I press "Yes" (to trust "ultimately") but then immediately go
> edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
> that certificate authority's key fingerprint. It marks that key
> untrusted (because I really don't know). Then: "gpgconf --reload
> gpg-agent".

OK, thanks. That already feels better, knowing I can revert this trust
easily like that. And some better understanding for whats going on.

Best regards
notmuch mailing list