[pass] There is no assurance this key belongs to the named user

Matthew Cengia mattcen at gmail.com
Wed Apr 16 04:23:30 CEST 2014


On 2014-04-16 09:47, Chris Down wrote:
> Jason A. Donenfeld writes:
> > But before you do that, would you test if adding "--trust-model
> > always" to the relevant $GPG invocation suppresses that message?
> > 
> > And if it does, mailing list: do we want to add this?
> 
> My opinion: we are not security experts, we should let GPG do its thing
> and assume the user knows what they are doing. Modifying the trust model
> is not something that I think we should do.

I agree; setting --trust-model always is the Wrong Solution™. The user
should know enough GPG to be able to mark at least their own key as
trusted, otherwise GPG is pretty pointless.

-- 
Regards,
Matthew Cengia
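
Marking only your own key as ultimately trusted, the alternative to `--trust-model always` that this thread points to, as an added example that is not part of the original message or of the password-store code. The function names and the sample key data are constructed for illustration; 40-hex-digit (v4) fingerprints are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): build ownertrust records for your own
# key instead of disabling trust checks with --trust-model always.

# Constructed sample of `gpg --with-colons --fingerprint` output.
SAMPLE='pub:u:4096:1:0123456789ABCDEF:1397600000:::u:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:u::::1397600000::::Example User <user@example.org>:
sub:u:4096:1:FEDCBA9876543210:1397600000::::::e:
fpr:::::::::1111222233334444555566667777FEDCBA987654:'

# Print the primary-key fingerprint(s): the first "fpr" record after each
# "pub"/"sec" record. "fpr" records after "sub"/"ssb" belong to subkeys.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { want = 1; next }
        $1 == "sub" || $1 == "ssb" { want = 0; next }
        $1 == "fpr" && want        { print $10; want = 0 }
    '
}

# Emit "<fingerprint>:6:" (6 = ultimate) in the format that
# `gpg --export-ownertrust` writes and `gpg --import-ownertrust` reads.
# Assumption: 40-hex-digit (v4) fingerprints; anything else is skipped.
ownertrust_records() {
    while IFS= read -r fpr; do
        case "$fpr" in
            ''|*[!0-9A-F]*) echo "skipping malformed fingerprint" >&2; continue ;;
        esac
        [ "${#fpr}" -eq 40 ] || continue
        printf '%s:6:\n' "$fpr"
    done
}

# Apply to a real keyring; $1 is your own key ID or fingerprint.
trust_own_key() {
    gpg --batch --with-colons --fingerprint "$1" \
        | primary_fingerprints | ownertrust_records \
        | gpg --batch --import-ownertrust
}

# Demo on the constructed sample (does not touch any keyring).
printf '%s\n' "$SAMPLE" | primary_fingerprints | ownertrust_records
```

Only `trust_own_key` touches a keyring; it changes trust for the one key named, so other keys still go through GPG's normal validity checks.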