making it easy to find keys

Adrian von Bidder avbidder at fortytwo.ch
Thu Dec 4 08:49:07 CET 2003


On Thursday 04 December 2003 01:55, Atom 'Smasher' wrote:
[where to put the public key]

> assuming that a public key is armored, should the file suffix be ".txt" 
> or[...]
> should the file name be [...]

I think the filename is not relevant at all - this information is, after all, 
contained in the URL referencing that location. Myself, I use 
http://fortytwo.ch/gpg/92082481 (which is, of course, my keyid).

> as non-standard as that is, there seems to be even less consistency among
> people who reference their keys in their SMTP headers (like i've done).
> after the "X-", i don't know if i've seen any two people use the same
> format...

A standardization here would be desirable - IIRC there was discussion of a 
low-security auto-encryption protocol a while back that would work like this:

A sends mail to B, with X-PGP-Key: <URL> header.
Mailer of B sees this header, automatically fetches the PK, and asks the user 
to verify the key (a good GUI is very important here. A short explanation why 
it is important to verify the fingerprint etc.). This GUI would presumably 
locally sign the key (optionally a public signature - to be used by those  
who know what this really means).

In this way, people (semi-)transparently can use PGP encrypted email, without 
ever bothering about the technical details, and without having to configure a 
keyserver explicitely.

The 'encryption set up wizard' of the mailer would automatically generate a 
key, print out a revocation cert, explain about how important that is, 
publish the key to a keyserver, and use a keyserver URL by default. Experts 
can change the URL to their own canonical location of their key.

So, between any two people using this mailer, only the first mail in each 
direction would be unencrypted. (In a similar vein, the application should 
track MSO(E) users in the address book and automatically don't send inline 
signed mails instead of PGP/MIME for those).

Now who's going to implement this...

> i know, there's no "right way" or "wrong way" to present this information
> to the world, and any variation on this theme (within reason) should work
> fine, but i'm sure there are some good reasons out there for doing or not
> doing things in a particular way. lacking a standard, i'd at least like to
> hear some of those good reasons people have....

Lacking any implementations of the above scheme, it doesn't really matter how 
you do it.  IMHO it is important to have the key on the keyservers as far as 
this is possible, because many people don't bother to look through 
mailheaders or (or .sig's) to retrieve keys.

cheers
-- vbi

-- 
We Klingons believe as you do -- the sick should die.  Only the strong
should live.
		-- Kras, "Friday's Child", stardate 3497.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 335 bytes
Desc: signature
Url : /pipermail/attachments/20031204/41806178/attachment.bin


More information about the Gnupg-users mailing list