Authenticating Git pull requests

Posted Nov 18, 2011 14:42 UTC (Fri) by jflasch (guest, #5699)
Parent article: Authenticating Git pull requests

GPG signing of emails has been around for more than 10 years but almost no one still does it. Now after a few break-ins people are discovering something that they should have been doing 10 years ago; really, this is a sorry state of things.

It's sad that a company like Google still does not allow GPG with their web mail interface; that said, everyone knows why. The use of GPG signing would most likely eliminate Spam and this would change companies like Groupon forever. Knowing who sent an email makes email filtering easy, and how do email providers give you something to make their product look better than others?

Even among top kernel developers we have such a slow rate of adoption. GPG should have been everywhere 10 years ago, but still Spam continues to slow this rate of adoption. I am always amazed.

Authenticating Git pull requests

Posted Nov 18, 2011 16:32 UTC (Fri) by nybble41 (subscriber, #55106)

> It's sad that a company like Google still does not allow GPG with their web mail interface...

Since when? I've never heard of people having trouble sending GPG-signed messages via the web interface. Sure, they don't integrate the feature, but you can always paste an ASCII-armored signed message, or use an extension like FireGPG. Anyway, would you really want Google to have access to your private signing key? They'd need it for that level of integration.

Authenticating Git pull requests

Posted Nov 18, 2011 17:38 UTC (Fri) by mathstuf (subscriber, #69389)

They could have a setting where you give your fingerprints and then the interface can mark emails based on trustworthiness given the public chain of trust with the keys. Sure, signing in-browser is something I'd never do, but *verifying*...that should be possible.

Authenticating Git pull requests

Posted Nov 18, 2011 18:31 UTC (Fri) by nybble41 (subscriber, #55106)

Oh, I agree that public key management and verification in the web client could be useful (though it could also be subverted more easily than a local GPG installation and keyring). Integration with the key server network, links between contacts and public keys, etc., would be very convenient, provided you could trust it. You wouldn't be able to decrypt anything, but perhaps you only want to verify signed cleartext.

However, you'd still need GPG on your own system to send signed messages, and a local public keyring for encryption. Once you have that plus a browser extension like FireGPG, how much extra benefit would the direct integration bring?

Authenticating Git pull requests

Posted Nov 18, 2011 18:41 UTC (Fri) by mathstuf (subscriber, #69389)

When I'm using someone else's computer to check email? Like I said, I'd never trust my browser to touch my private keyring, so that isn't a question for me. Friends who know approximately nothing of GPG could get a message stating that there is *some* reason to expect that the email I sent is actually from me other than the From header.

This brings up the problem that there needs to be a way to communicate that a signature is expected. Anything in the mail doesn't work, so there needs to be some server-side implementation for this.
