| |||||||||||||
Authenticating Git pull requestsAuthenticating Git pull requestsPosted Nov 18, 2011 16:32 UTC (Fri) by nybble41 (subscriber, #55106)In reply to: Authenticating Git pull requests by jflasch Parent article: Authenticating Git pull requests
> It's sad that a company like Google still does not allow GPG with there web mail interface...
Since when? I've never heard of people having trouble sending GPG-signed messages via the web interface. Sure, they don't integrate the feature, but you can always paste an ASCII-armored signed message, or use an extension like FireGPG. Anyway, would you really want Google to have access to your private signing key? They'd need it for that level of integration.
(Log in to post comments)
Authenticating Git pull requests Posted Nov 18, 2011 17:38 UTC (Fri) by mathstuf (subscriber, #69389) [Link]
They could have a setting where you give your fingerprints and then the interface can mark emails based on trustworthiness given the public chain of trust with the keys. Sure, signing in-browser is something I'd never do, but *verifying*...that should be possible.
Authenticating Git pull requests Posted Nov 18, 2011 18:31 UTC (Fri) by nybble41 (subscriber, #55106) [Link]
Oh, I agree that public key management and verification in the web client could be useful (though it could also be subverted more easily than a local GPG installation and keyring). Integration with the key server network, links between contacts and public keys, etc., would be very convenient, provided you could trust it. You wouldn't be able to decrypt anything, but perhaps you only want to verify signed cleartext.
However, you'd still need GPG on your own system to send signed messages, and a local public keyring for encryption. Once you have that plus a browser extension like FireGPG, how much extra benefit would the direct integration bring?
Authenticating Git pull requests Posted Nov 18, 2011 18:41 UTC (Fri) by mathstuf (subscriber, #69389) [Link]
When I'm using someone else's computer to check email? Like I said, I'd never trust my browser to touch my private keyring, so that isn't a question for me. Friends who know approximately nothing of GPG could get a message stating that there is *some* reason to expect that the email I sent is actually from me other than the From header.
This brings up the problem that there needs to be a way to communicate that a signature is expected. Anything in the mail doesn't work, so there needs to be some server-side implementation for this.
|
|||||||||||||