PGP uses the “Web of Trust” for the mutual signing of encryption keys to ensure users can verify and trust the authenticity of other users. How does this work with mailbox.org Guard?
There is currently no support implemented in mailbox.org Guard for the management and analysis of keys received from other users or from potentially unsafe third-party repositories.
Instead, mailbox.org Guard operates on the basis that you will retrieve public keys directly from your communication partners and then manually add them to your key ring. Currently, we are relying on your judgement to only import valid keys that do not require external signing.
Before you import a new PGP key, it is vital that you review the additional information that comes with it. Please verify the fingerprint and other security attributes with your communication partner over a secure second channel, such as phone, text, messenger, or snail mail.
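The fingerprint check described above, as an added example that is not mailbox.org's code: it derives a version 4 OpenPGP fingerprint from the public-key packet body (RFC 4880, section 12.2) and compares it with the value your partner reads out, accepting only the full 40 hex digits. The function names and the sample key material are constructed for illustration, and the key is assumed to be a version 4 key.

```python
import hashlib
import hmac
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


# Constructed sample: a v4 RSA public-key packet body with toy numbers (not a real key).
SAMPLE_BODY = (
    bytes([4])                       # packet version 4
    + struct.pack(">I", 1700000000)  # creation time (constructed)
    + bytes([1])                     # public-key algorithm 1 = RSA
    + mpi((1 << 255) + 0x1234567)    # modulus n (toy value)
    + mpi(65537)                     # public exponent e
)


def v4_fingerprint(pubkey_body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte big-endian length, and the packet body."""
    if not pubkey_body or pubkey_body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    data = b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body
    return hashlib.sha1(data).hexdigest().upper()


def normalize(spoken: str) -> str:
    """Drop whitespace, colons and an optional 0x prefix from a dictated fingerprint."""
    s = "".join(spoken.split()).replace(":", "").upper()
    return s[2:] if s.startswith("0X") else s


def matches_spoken(pubkey_body: bytes, spoken: str) -> bool:
    """True only if the full fingerprint given out-of-band matches the received key."""
    claimed = normalize(spoken)
    if len(claimed) != 40 or any(c not in "0123456789ABCDEF" for c in claimed):
        # 8- or 16-digit key IDs are only the tail of the fingerprint and
        # are too short to identify a key reliably.
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    return hmac.compare_digest(v4_fingerprint(pubkey_body), claimed)


if __name__ == "__main__":
    fp = v4_fingerprint(SAMPLE_BODY)
    print(" ".join(fp[i:i + 4] for i in range(0, 40, 4)))
```

Because the fingerprint is a hash of the key material itself, any change to the key you received produces a different value than the one your partner reads from their own copy.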