Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] My design to implement PGP in commercial email system

Percy Alpha percyalpha at
Mon Jul 29 17:10:16 PDT 2013

To boyska,

> but what if Gmail provides a fake key for B? Why should you
> automatically trust that key?
> Also, I miss the point of signatures: A signs B's key, but noone cares
> about that signature in that scheme. Am I missing something?

"At first time, B's public key will be downloaded from Google and signed by
A.". "Any subsequent times, A also verifies the authenticity of B's key".
So Google can provide a fake key only at the first time. I said "For
advanced users, Google can present the option to manually verify the public
key for the first email". Google cannot MITM any subsequent communications
because fake key of B is not signed by A and will be detected.

I think that this scheme relies on trust on your email provider and on
> https not being MITM-ed, which I think is not common between people that
> want to use PGP.
I'm targeting the common people(email provider to the common people),not
the existing PGP users.
Now, only people who are technical savvy can make the conscious decision to
use PGP. My design is totally transparent to the users and can greatly
boost the privacy of common communications without users even knowing what
PGP is. Those high profile users can keep using the desktop version.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list