Does the gateway support the web of trust?

Currently only self-signed signatures are supported. For example, a User ID is only accepted if it is self-signed and the signature is neither revoked nor expired. Sub keys must also have a valid self-signed sub key binding signature (if the sub key is also a signing sub key, there must also be a valid primary key binding signature). In theory the web of trust is a great idea; in practice, however, it is difficult to understand completely.

Is a key trusted by default?

The gateway does not trust a PGP key by default. A key which is not trusted is not used for signing or encryption. A key can be trusted by opening the key details page and then selecting key trust. By default all sub keys will be trusted as well (unless Include sub keys is deselected).

Which keys are used for encryption?

Keys are suitable for encryption if the key is valid (i.e., trusted, not revoked, not expired, etc.), is valid for encryption, and the email address of the recipient matches one of the email addresses or domains associated with the key. A message is encrypted with all suitable encryption keys; in other words, if there is more than one key which is suitable for encryption, the email will be encrypted with all the suitable keys.

Why is Incoming PGP/INLINE not enabled by default?

With PGP/INLINE, every individual part of the message (attachments and message bodies) is individually protected (signed and/or encrypted). To determine whether or not a message is PGP/INLINE protected, the complete message must be scanned. A PGP/INLINE message does not contain a specific header which can be used to determine whether the message is PGP/INLINE protected. Scanning every incoming email completely from top to bottom can be resource intensive, especially for very large attachments. It is therefore advised to leave the Incoming PGP/INLINE enabled option unchecked (i.e., disabled) unless PGP/INLINE support for incoming email is a requirement.
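The difference between the two detection methods, as an added example that is not code from the gateway itself: PGP/MIME (RFC 3156) announces itself in the top-level Content-Type header, so a single header lookup suffices, while PGP/INLINE can only be found by decoding every leaf part and looking for the armor markers. The messages are constructed inline with Python's standard `email` package; the armored block contains dummy text, not real ciphertext, and the byte counter is there only to make the scan cost visible.

```python
import email
from email.message import EmailMessage

# Armor markers that identify an inline (PGP/INLINE) block inside a body part.
INLINE_MARKERS = (b"-----BEGIN PGP MESSAGE-----", b"-----BEGIN PGP SIGNED MESSAGE-----")


def is_pgp_mime(msg) -> bool:
    """PGP/MIME is recognisable from the top-level headers alone; no body scan is needed."""
    ctype = msg.get_content_type()
    proto = msg.get_param("protocol") or ""
    return (ctype == "multipart/encrypted" and proto == "application/pgp-encrypted") or (
        ctype == "multipart/signed" and proto == "application/pgp-signature"
    )


def scan_for_inline_pgp(msg):
    """Walk every leaf part, decode its full payload and look for armor markers.
    Returns (indexes of parts carrying inline PGP, total bytes that had to be inspected).
    Every byte of every attachment is read, which is the cost the FAQ warns about."""
    hits, inspected = [], 0
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        inspected += len(payload)
        if any(marker in payload for marker in INLINE_MARKERS):
            hits.append(idx)
    return hits, inspected


def build_inline_sample() -> EmailMessage:
    """Constructed message: plain body, a large unprotected attachment, then an inline-armored part."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "report"
    msg.set_content("Plain text body, nothing protected here.")
    # 200 KB of filler that a full scan still has to decode and read end to end.
    msg.add_attachment(b"\x00" * 200_000, maintype="application", subtype="octet-stream",
                       filename="blob.bin")
    # Dummy armor (constructed, not real ciphertext); there is no header announcing it.
    armored = (b"-----BEGIN PGP MESSAGE-----\n\nhQEMA0dummyarmorbody=\n=abcd\n"
               b"-----END PGP MESSAGE-----\n")
    msg.add_attachment(armored, maintype="application", subtype="octet-stream",
                       filename="secret.txt.asc")
    return msg


# Constructed PGP/MIME message: the protocol parameter in the first header gives it away.
PGP_MIME_RAW = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n'
    "\n--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n\ndummyciphertext=\n-----END PGP MESSAGE-----\n--b1--\n"
)


def pgp_mime_sample():
    return email.message_from_string(PGP_MIME_RAW)


if __name__ == "__main__":
    sample = build_inline_sample()
    print("PGP/MIME by header:", is_pgp_mime(sample))
    print("inline parts, bytes scanned:", scan_for_inline_pgp(sample))
    print("PGP/MIME by header:", is_pgp_mime(pgp_mime_sample()))
```

`walk()` yields the multipart/mixed root first (index 0), so the armored attachment added last is reported as part 3; the byte counter shows that the unrelated 200 KB attachment is decoded in full before the scanner ever reaches it, which is why the gateway leaves this scan disabled unless it is needed.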

What is “Auto update email addresses”?

If Auto update email addresses is selected, all the email addresses found in a valid User ID of a PGP key will be automatically associated with the key. Only User IDs with a valid self-signed signature will be used. If Auto update email addresses is not selected, email addresses should be manually associated with the key. This is a global only option. The reason you might consider disabling this option, i.e., not automatically associating the key with the email addresses from the User IDs, is that a User ID is not validated. In principle the owner of a key can add any email address, even if he or she does not own that email address. If Auto update email addresses is disabled, the admin should manually verify that the email address from the User ID is valid and then manually associate the email address with the key.
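The validity rules from the first answer (self-signed User IDs, sub key binding and primary key binding signatures), the trust rules (key trust with or without Include sub keys), the encryption key selection (all suitable keys, matched by associated address or domain) and the Auto update email addresses option, combined in one runnable model. This is an added example, not the gateway's code: the key ring, key ids and addresses are constructed placeholders, the "current time" is fixed, and it assumes encryption is always done with a sub key rather than the primary key.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for expiry checks


@dataclass
class UserID:
    text: str                         # e.g. "Alice <alice@example.com>"
    self_signed: bool = True          # carries a self-signature made by the primary key
    revoked: bool = False
    expires: Optional[datetime] = None

    def valid(self) -> bool:
        return self.self_signed and not self.revoked and (self.expires is None or self.expires > NOW)


@dataclass
class SubKey:
    key_id: str
    can_encrypt: bool = False
    can_sign: bool = False
    binding_sig_valid: bool = True    # sub key binding signature by the primary key
    back_sig_valid: bool = False      # primary key binding signature; required only for signing sub keys
    revoked: bool = False
    expires: Optional[datetime] = None
    trusted: bool = False

    def valid(self) -> bool:
        if not self.binding_sig_valid or self.revoked:
            return False
        if self.can_sign and not self.back_sig_valid:
            return False
        return self.expires is None or self.expires > NOW


@dataclass
class PGPKey:
    key_id: str
    user_ids: List[UserID]
    sub_keys: List[SubKey] = field(default_factory=list)
    trusted: bool = False
    revoked: bool = False
    expires: Optional[datetime] = None
    manual_addresses: Set[str] = field(default_factory=set)  # associated by the admin by hand
    manual_domains: Set[str] = field(default_factory=set)

    def valid(self) -> bool:
        return self.trusted and not self.revoked and (self.expires is None or self.expires > NOW)


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def trust_key(key: PGPKey, include_sub_keys: bool = True) -> None:
    """Models 'key trust' on the key details page: the primary key becomes trusted,
    and every sub key as well unless 'Include sub keys' is deselected."""
    key.trusted = True
    if include_sub_keys:
        for sk in key.sub_keys:
            sk.trusted = True


def associated_addresses(key: PGPKey, auto_update: bool = True) -> Set[str]:
    """Auto update on: addresses come only from valid (self-signed, unrevoked, unexpired)
    User IDs. Auto update off: only what the admin associated manually counts."""
    if not auto_update:
        return set(key.manual_addresses)
    found: Set[str] = set()
    for uid in key.user_ids:
        if uid.valid():
            found.update(a.lower() for a in EMAIL_RE.findall(uid.text))
    return found


def encryption_keys_for(recipient: str, keys: List[PGPKey],
                        auto_update: bool = True) -> List[Tuple[str, str]]:
    """Every (primary key id, encryption sub key id) the message is encrypted with."""
    recipient = recipient.lower()
    domain = recipient.split("@", 1)[1]
    chosen = []
    for key in keys:
        if not key.valid():
            continue
        if recipient not in associated_addresses(key, auto_update) and domain not in key.manual_domains:
            continue
        for sk in key.sub_keys:
            if sk.can_encrypt and sk.trusted and sk.valid():
                chosen.append((key.key_id, sk.key_id))
    return chosen


def sample_keys() -> List[PGPKey]:
    """Constructed key ring; the key ids are placeholders, not real PGP key ids."""
    past = datetime(2020, 1, 1, tzinfo=timezone.utc)
    a = PGPKey("KEY-A", [UserID("Alice <alice@example.com>")],
               [SubKey("A-enc-old", can_encrypt=True, expires=past), SubKey("A-enc", can_encrypt=True)])
    b = PGPKey("KEY-B", [UserID("alice@example.com")], [SubKey("B-enc", can_encrypt=True)],
               manual_addresses={"alice@example.com"})
    c = PGPKey("KEY-C", [UserID("Alice <alice@example.com>")], [SubKey("C-enc", can_encrypt=True)])
    d = PGPKey("KEY-D", [UserID("Mallory <alice@example.com>", self_signed=False)],
               [SubKey("D-enc", can_encrypt=True)])
    e = PGPKey("KEY-E", [UserID("Mail gateway example.org")], [SubKey("E-enc", can_encrypt=True)],
               manual_domains={"example.org"})
    for key in (a, b, d, e):  # KEY-C is deliberately left untrusted
        trust_key(key)
    return [a, b, c, d, e]
```

Running `encryption_keys_for("alice@example.com", sample_keys())` selects both KEY-A (via its expired sub key being skipped in favour of A-enc) and KEY-B, so the mail is encrypted to both; KEY-C is skipped because it was never trusted, and KEY-D is skipped because the User ID naming Alice's address carries no self-signature and therefore contributes no associated address. With `auto_update=False` only KEY-B remains, because it is the only key whose address the admin associated by hand.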

What happens if I click “refresh public keys”?

When refresh public keys is clicked and keys are selected, those keys are fetched from the registered key server(s) and imported. The fetched keys are merged with the existing key. So for example if there are new User IDs, those User IDs will be added to the existing key. Only new signatures, User IDs, etc. are added to the existing key; nothing is removed. For example, if the existing local key is revoked but the key on the key server is not revoked, the local key will still be revoked.
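The merge rule above, as an added example that is not the gateway's own code: the fetched copy is merged by set union, so new User IDs, sub keys and signatures are added and nothing present locally is ever dropped. It goes slightly beyond the text in one direction: because a revocation is itself a signature, a revocation present on either side survives the merge. The fingerprint and the signature labels are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class StoredKey:
    fingerprint: str                                    # placeholder below, not a real fingerprint
    user_ids: Set[str] = field(default_factory=set)
    sub_keys: Set[str] = field(default_factory=set)
    signatures: Set[str] = field(default_factory=set)   # labels such as "selfsig:<uid>" or "revocation"
    revoked: bool = False


def merge_refreshed(local: StoredKey, fetched: StoredKey) -> StoredKey:
    """Merge a key fetched from the key server into the local copy.
    Only additions flow in: nothing present locally is removed, so a local
    revocation survives even when the server copy is not revoked."""
    if local.fingerprint != fetched.fingerprint:
        raise ValueError("refusing to merge keys with different fingerprints")
    merged = StoredKey(local.fingerprint)
    merged.user_ids = local.user_ids | fetched.user_ids
    merged.sub_keys = local.sub_keys | fetched.sub_keys
    merged.signatures = local.signatures | fetched.signatures
    # A revocation is a signature; once present on either side it is kept.
    merged.revoked = local.revoked or fetched.revoked
    return merged


def what_changed(before: StoredKey, after: StoredKey) -> Dict[str, Set[str]]:
    """Report what a refresh added; with union merging there is nothing to report as removed."""
    return {
        "user_ids": after.user_ids - before.user_ids,
        "sub_keys": after.sub_keys - before.sub_keys,
        "signatures": after.signatures - before.signatures,
    }


def sample_refresh():
    """Constructed scenario: the local key is revoked and still carries an old User ID
    that the key server copy no longer has; the server copy has a new User ID and sub key."""
    local = StoredKey(
        "FPR-PLACEHOLDER",
        user_ids={"Alice <alice@example.com>", "Alice (old) <alice@example.net>"},
        sub_keys={"enc-1"},
        signatures={"selfsig:Alice <alice@example.com>", "binding:enc-1", "revocation"},
        revoked=True,
    )
    fetched = StoredKey(
        "FPR-PLACEHOLDER",
        user_ids={"Alice <alice@example.com>", "Alice <alice@example.org>"},
        sub_keys={"enc-1", "enc-2"},
        signatures={"selfsig:Alice <alice@example.com>", "selfsig:Alice <alice@example.org>",
                    "binding:enc-1", "binding:enc-2"},
        revoked=False,
    )
    return local, merge_refreshed(local, fetched)


if __name__ == "__main__":
    before, after = sample_refresh()
    print("still revoked:", after.revoked)
    print("added:", what_changed(before, after))
```

After the refresh the key is still revoked, the old User ID the server no longer carries is still present, and `what_changed` lists only the additions (the example.org User ID, the enc-2 sub key and their signatures).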