encrypted public keys Was: Re: Bug in getkey.c:2219:merge_selfsigs
Matt
yaverot at nerdshack.com
Fri Nov 10 21:33:32 CET 2006
Werner Koch wrote:
> On Fri, 27 Oct 2006 15:55, Christoph Probst said:
>> I was working on a large number of files (about 300) which I exported from my
>> email client (the result of a key signing party some weeks ago):
>
> BTW, sending public keys encrypted or signed is a bad habit. There is
> in general no reason to do so.
Good habits are easy to break, and bad habits easy to pickup, but I'm
curious why encrypting signed keys back to their owner is a bad habit.
It verifies the other half of the ID on the key (the email address), it
verifies that that person (still) has the secret key and passphrase.
"Manoj's Key-Signing Protocol" takes this to an extreme, in requiring
multiple "secrets" passed back-and-forth before actually signing the key.
There was an interesting article on linuxsecurity.com by "Atom Smasher"
called "pgp Key Signing Observations Overlooked Social and Technical
Considerations", the only flaw I see is the implicit "you own your
public key". At attrition.org there is "Social Implications of
Keysigning" and it talks about social network mapping, and a virtual
smear campaign.
> They end up at a public keyserver anyway.
Only if the owner puts his/her key on a keyserver, or someone
disrespects his right to not have his key there. I can think of a few
reasons why someone wouldn't want their key on a keyserver, but most of
those reasons would also preclude going to a keysigning party (with that
key).
Personally, while I don't like the aspects of social mapping, once I
have some sigs on my public key, I want it spread far and wide. If those
sigs did not result from my face-to-face meeting with the other person,
then having them on my key doesn't actually improve the web of trust,
and seams reasonable not to have those sigs spread far and wide if I can
help it. If people return their sigs to me, and not to keyservers, then
I decide which ones appear "in the wild".
I am moving into actually using GnuPG, instead of just having 'academic
knowledge' of PGP, so if I've picked up 'wrong' preconceptions I want to
know before I start spreading them to other people.
More information about the Gnupg-users
mailing list