Encryption with Gnu Privacy Guard (GPG) (opens in new tab)

I learned this the hard way when using gpg+mutt back in 2001. All my Sent mail was being encrypted only with the recipient's key, so I couldn't read it myself. There's an option to also encrypt outgoing email with your own GPG key.

Thank you. Does it weaken the encryption strength ?

Specifically "check a signature". Even everyone that knows how to sign fail to really check anything. Honestly, if it aint boiled down to a green or red icon then people are going to misuse, assume security when its not, or just click "yes".

If you get a new public key for someone, and it's signed by someone else you don't know (most of the time this is the case) are you going to bother to utilise that signature to increase the trust? No. Are you going to assume increased trust somehow regardless? Yes. FAIL.

Modify it further, if it is signed by someone you do know what are the chances your UI is going to give you any sort of indication that this is more trusted that other message workflows? And if it doesn't give you any indication (most leave it up to you to check) who's gonna bother to look just passed "your friend <yourfiendsname@company>" ASCII and actually check the key? no one. FAIL.

PGP WoT fails miserably.

I don't know if it's very useful even if you do know how to sign keys and verify signatures.

No it doesn't. See the section titled "Generating revocation key"

> My best guess is that they do not want to buy into the CA infrastructure and provide security using GPG itself.

This may be true (I really have no idea) but isn't it like travelling on a highway at night with your normal lights turned off because you have a better system based on infrared? After reading about the story of that guy who hacked into a computer by MITMing the notepad++ site, I became even more convinced that all pages must have certificates. Nowadays it's also possible to get a basic ssl cert for free, I can't figure out what the catch is really.