Semi-off-topic - Netiquette ?
David Shaw
dshaw@jabberwocky.com
Tue Jul 17 15:11:01 2001
On Mon, Jul 16, 2001 at 02:12:37PM -0400, Toxik - Fabian Rodriguez wrote:
> Hi,
>
> I'd like to know if there's any netiquette guide for mail encryption
> ? For example, how to publish your public key, why sending an
> encrypted email in the first post is "rude"... ? It's for a (very)
> general-public guide we are preparing for our users, I would also
> make it part of my information page on encryption. If such a guide
> already exists, I'd like to improve it, instead of writing one from
> scratch with my limited hands-on experience.

The guidelines are different for different uses of email. For
person-to-person email, it's just fine to send encrypted email. If
the person has a public key posted somewhere (web page or keyserver),
they can be presumed to accept encrypted email. The worst thing that
can happen is you'd get back a note asking you to re-send in the
clear.

For mailing list or other public forum (like Usenet), encrypted
messages are frowned on. Not really because of rudeness or etiquette,
but because it is mostly pointless - the message is going to "the
world", so you'd have to encrypt it to everyone on the list, which
mostly defeats the point of encryption. You would also need a key for
everyone on the list/newsgroup which is unlikely to happen except on
certain specific lists - it's likely that everyone on this list has a
key, as this list is about GPG. It's very unlikely to be the case on
a list with a different topic.

It is frowned upon to post your public key in each message. There are
better ways to distribute keys (keyservers, web pages, etc) than to
keep sending it out in every mail. It is, however, just fine to
include your key ID and fingerprint in each mail - it's a heck of a
lot shorter than the whole key. Note that including your key
fingerprint isn't like signing the message - all it does is provide a
way for someone reading the message to get your key. For very
prolific posters, it also provides a certain amount of weak evidence
the key is yours. If someone wanted to spoof your key, it would be
very difficult to get around the many messages you had sent in the
past with your true fingerprint. I say "weak" evidence, since
obviously key signatures and the web of trust are a much stronger
solution for this.

Clear signatures are generally accepted in any messages, public or
private.

Finally, remember that these are just guidelines, and a particular
mailing list may have other guidelines and rules. Still, most lists
that I've seen follow the guidelines above.

David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson