[ale] Commentary about PGP / GPG key generation...
Michael B. Trausch
mike at trausch.us
Wed Nov 30 11:38:21 EST 2011
On Tue, Nov 29, 2011 at 09:37:24PM -0500, Jeremy T. Bouse wrote:
> * Make sure the email address you use for your UID is correct and
> doesn't block or do challenge/response. I mention this as I use an
> additional measure of sending the signed key back encrypted to the
> sender rather than uploading my signature back to the
> keyserver. This is to ensure possession of both the private key
> and the email address.
Why would you ask that the mail site not do challenge/response? C/R
in email is a great way to ensure that one doesn't get (a lot of)
spam, and it's really not an inconvenience to deal with...
> * Be sure you've published your key to a keyserver. When I go to
> sign a key I pull it from the keyserver into a temporary keyring
> before signing. This ensures the key doesn't get into my actual
> public keyring until after it's signed and been sent to the
> keyserver by the keyholder. If a key doesn't exist on a keyserver
> than I don't end up pulling it down and my routines won't sign the
> key.
What if the person doesn't want to upload their key to a keyserver?
(Not that I can actually think of a reason that one might want to
avoid doing so, but I'm sure that there are people that would rather
not.) Isn't the important thing to verify the owner and fingerprint
of the key? Who cares how they distribute the key if it has
signatures on it?
Am I missing something, or still thinking too foggy to be mucking
about in my email box? :)
--- Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 665 bytes
Desc: not available
Url : http://mail.ale.org/pipermail/ale/attachments/20111130/406161fe/attachment.bin
More information about the Ale
mailing list