Re: [openpgp] key distribution by email strategy

Steffen Nurpmeso <> Fri, 11 December 2020 20:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9C3D93A0F09 for <>; Fri, 11 Dec 2020 12:28:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Kiym4IbMSKMy for <>; Fri, 11 Dec 2020 12:28:20 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B99883A0EDF for <>; Fri, 11 Dec 2020 12:28:19 -0800 (PST)
Received: by (Postfix, from userid 1000) id 5103916057; Fri, 11 Dec 2020 21:28:18 +0100 (CET)
Date: Fri, 11 Dec 2020 21:28:18 +0100
From: Steffen Nurpmeso <>
To:, Heiko Schaefer <>
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <>
Mail-Followup-To:, Heiko Schaefer <>
User-Agent: s-nail v14.9.19-179-g6a1d3a31-dirty
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
Archived-At: <>
Subject: Re: [openpgp] key distribution by email strategy
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 11 Dec 2020 20:28:29 -0000

Werner Koch wrote in
 |On Fri, 11 Dec 2020 13:22, Heiko Schaefer said:
 |> The autocrypt standard is established, and quiet a few projects support
 |> it (
 |Autocrypt is bound to mail use cases and can't be used in other
 |environments.  Remember that mail is only one use-case; there are many
 |other important use cases.

Also it is a tremendous waste to include kilobytes of data (for
usual key types) in each and every mail for nothing, even if the
mail as such is not even signed!
And if it is signed, then everything you want is included anyway
.. no?

 |Key discovery has never been in the scope of OpenPGP.  The standard
 |provided means to implement systems but does not enforce the use of one.
 |That limited scope worked very well over the last 23 years.
 |Noet that I do not say that such topics ares out of scope for this
 |mailing list; merely for the OpenPGP standard.  In fact, over all the
 |years this list has also been used as an implementers forum.

I personally (not yet supporting OpenPGP for at least one more
year, but S/MIME) am also of the opinion that _if_ you discover to
have an immediate, real need to start a secure, encrypted
communication with someone that you have not yet exchanged keys
with, then you can very well send a small message in advance and
ask for a public key, or how and where to get it.  I admit,
i never understood autocrypt.

|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)