undefined | Better HN

0 pointstzs4y ago0 comments

> PGP key discovery is hard to do securely. Do you just trust what’s on the public keyserver? Do you use RFC 7929?

In the case up above in this thread branch of the poster's bank not emailing statements because it is not secure, key discovery would be easy. The bank would have a form available only when logged in to their online banking site to enable statements by email with a way to upload your public key.

My guess is that for most people who could benefit from emailing encrypted documents it is similar. They have a good secure channel to give the other party their public key.

I'd rather that something better than PGP be used though.

0 comments

md_4y ago

Yeah, I think that’s fair.

As a nerd, it does seem to me like I should be able to give the bank a public key and let me worry about my own security. But I don’t think this is actually what the bank or the user wants—they don’t want encryption per se, they want authentication, and an HTTPS link in an email (that you have to login to view) achieves that.

j / k navigate · click thread line to collapse