[ale] Commentary about PGP / GPG key generation...

Jeremy T. Bouse jeremy.bouse at undergrid.net
Wed Nov 30 13:24:12 EST 2011


On 11/30/2011 11:38 AM, Michael B. Trausch wrote:
> On Tue, Nov 29, 2011 at 09:37:24PM -0500, Jeremy T. Bouse wrote:
>> * Make sure the email address you use for your UID is correct and
>>   doesn't block or do challenge/response. I mention this as I use an
>>   additional measure of sending the signed key back encrypted to the
>>   sender rather than uploading my signature back to the
>>   keyserver. This is to ensure possession of both the private key
>>   and the email address.
> 
> Why would you ask that the mail site not do challenge/response?  C/R
> in email is a great way to ensure that one doesn't get (a lot of)
> spam, and it's really not an inconvenience to deal with...
> 

	Because I use an automated system to send out the emails with the
encrypted signed key back to the key owner UID email address. C/R
systems would then hinder that delivery. I also find that simple
greylisting does a much better job of limiting spam than C/R systems.

>> * Be sure you've published your key to a keyserver. When I go to
>>   sign a key I pull it from the keyserver into a temporary keyring
>>   before signing. This ensures the key doesn't get into my actual
>>   public keyring until after it's signed and been sent to the
>>   keyserver by the keyholder.  If a key doesn't exist on a keyserver
>>   than I don't end up pulling it down and my routines won't sign the
>>   key.
> 
> What if the person doesn't want to upload their key to a keyserver?
> (Not that I can actually think of a reason that one might want to
> avoid doing so, but I'm sure that there are people that would rather
> not.)  Isn't the important thing to verify the owner and fingerprint
> of the key?  Who cares how they distribute the key if it has
> signatures on it?
> 
> Am I missing something, or still thinking too foggy to be mucking
> about in my email box?  :)
>

	I can't actually come up with any good argument why a key would not
want to be submitted to a key server if it is a key used to communicate
with others. Now I have other keys that I use for internal things, such
as encrypting my duplicity backups, that are not submitted to a key
server because they aren't used to communicate with others. That said if
you want send an email to someone encrypted or even signed, as a
recipient I'm gonna raise an eyebrow or two if the public key to
validate it is sent as an attachment from the same person and not from a
trusted third-party like a key server. Especially if that key has not
been signed by myself or someone I trust.

	Again I have an automated system that pulls the keys to be signed into
a clean temporary keyring. If the key isn't available it doesn't get
pulled down and made available to sign. Besides having my key submitted
to a keyserver, I also publish PKA records in DNS for any address I
maintain control over DNS and have a GPG key issued for. This allows
multiple ways for my key to be auto-retrieved if trying to send an
encrypted message to me.

	I also go as far as having a published key usage policy that I then
encode the URL and checksum in my signature. I'm probably more than
likely the 1% when it comes to GPG key usage. Those that know I check as
stringently thus tend to have more faith in my signature being attached
to a given key.

> 	   --- Mike
> 
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 294 bytes
Desc: OpenPGP digital signature
Url : http://mail.ale.org/pipermail/ale/attachments/20111130/3e9034e9/attachment.bin 


More information about the Ale mailing list