https://bugs.kde.org/show_bug.cgi?id=353317
m.eik michalke <bugs.kde....@ad.gelduntergang.biz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugs.kde.org@ad.geldunterga
                   |                            |ng.biz
     Ever confirmed|0                           |1
            Version|unspecified                 |5.13.3
             Status|REPORTED                    |CONFIRMED

--- Comment #2 from m.eik michalke <bugs.kde....@ad.gelduntergang.biz> ---
i can replicate the issue, i.e., i actually just ran into the same thing, using kmail 5.13.3.

this should be considered as a security issue, as someone can be tricked into believing an e-mail came from a certain person when it actually did not. this probably was less of a problem in 2015, but today web key directory support (which is a good thing!) automatically imports available OpenPGP keys into your keyring as soon as you have a fitting mail address in the To: field of the editor (you don't even have to send a mail). even if those addresses aren't signed by you, here's a potential for confusion.

kmail should always verify that the sender address is a valid identity of the OpenPGP key used for signing. i would also add that info to the details.
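
The check requested in the comment above, sketched as an added example; it is not code from KMail or from the bug report. It compares the address in the From: header with the user IDs of the key that produced the signature. The function names, the `(uid, usable)` input shape and all sample addresses are assumptions made for illustration.

```python
from email.utils import getaddresses, parseaddr

def normalize(addr):
    """Lower-case an addr-spec; return '' unless it looks like local@domain.
    Assumption: local parts are compared case-insensitively."""
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    return addr if sep and local and domain else ""

def uid_address(uid):
    """Mailbox part of an OpenPGP user ID such as 'Name (comment) <a@b>'."""
    return normalize(parseaddr(uid)[1])

def check_sender(from_header, key_uids):
    """Compare the From: header with the signing key's user IDs.

    key_uids is a list of (uid_string, usable) pairs; usable is False for a
    revoked or expired user ID (hypothetical input shape). Only the address
    inside <...> is compared, never the display name.
    Returns (status, detail) with status 'match' or 'mismatch'.
    """
    senders = [normalize(a) for _, a in getaddresses([from_header])]
    if len(senders) != 1 or not senders[0]:
        return ("mismatch", "From: must contain exactly one address")
    valid = {uid_address(uid) for uid, usable in key_uids if usable}
    valid.discard("")  # user IDs that carry no mail address
    if senders[0] in valid:
        return ("match", senders[0])
    return ("mismatch", senders[0] + " is not a user ID of the signing key")

# Constructed sample: user IDs of the key that made a valid signature.
KEY_UIDS = [
    ("Mallory Example <mallory@example.net>", True),
    ("Alice Example <alice@example.org>", False),  # revoked user ID
]

if __name__ == "__main__":
    for header in ("Alice <alice@example.org>",
                   "Mallory <Mallory@Example.NET>",
                   '"alice@example.org" <mallory@example.net>'):
        print(header, "->", check_sender(header, KEY_UIDS))
```

A mail client would show the `mismatch` result next to the signature status, so a cryptographically valid signature is not read as proof that the mail came from the From: address.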