Tony Finch <dot@xxxxxxxx> writes: > John R Levine <johnl@xxxxxxxxx> wrote: >> >> A straightforward example is that the mail system, through malice or outside >> pressure, does an MITM attack on users who have their own keys, so it >> publishes a key it controls and re-encrypts mail on the way through to the >> user's own key. > > The user should notice this since their encrypted mail will appear to come > from their mail provider not from the sender. (PGP signature doesn't > match 822 From:) Not really -- OpenPGP does not reveal anything about the identity of the encrypting entity. If the mail provider signed the email, it would be noticeable, but there is no requirement to sign encrypted emails. /Simon
Attachment:
signature.asc
Description: PGP signature