Including public key

Grant Olson kgo at grant-olson.net
Thu Jul 28 08:29:05 CEST 2011


On 7/27/2011 10:25 PM, Len Cooley wrote:
> Well, let me ask you this. Is it useful/useless/ridiculous/or what to
> attach your public key as a sig at the end of an email, such as below?
> 

Unless you're trying to keep your key 'off the grid' I'd just send the
key to the keyservers.  Then people who use OpenPGP will retrieve the
key based on your email's signature.  People who don't care will just
ignore your sig, which will be smaller than your full public key.

If you are trying to keep the key 'off the grid' then you don't want to
include it as a generic signature either.

In general, it's best to get the key from a different source than your
signed email.  If your signature and key are in the same email, an
attacker could have forged both.  They could in other circumstances as
well, but it's less likely for someone to forge both a public key on the
keyservers (or your personal website, or your business card, etc), and a
signature on a forged email.  They need to compromise two lines of defense.

-- 
Grant
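
The two-channel argument above, as an added illustration that is not part of the original post or of GnuPG: a forged email can carry a key and a matching signature, so checking the signature against the key embedded in the same email proves nothing, while checking it against the key fetched by sender address from an independent source (a keyserver record, here a constructed dictionary) catches the forgery. The signature scheme is textbook RSA with fixed small primes, chosen only so the example runs offline; the names, addresses and message bodies are constructed.

```python
import hashlib

# Toy textbook RSA with fixed small primes (illustration only; real OpenPGP
# keys are thousands of bits, and the point here is the trust logic, not strength).
def toy_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # private exponent (Python >= 3.8)
    return (n, e), (n, d)         # (public key, private key)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(msg, priv):
    n, d = priv
    return pow(digest(msg, n), d, n)

def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def fingerprint(pub):
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]

# Constructed scenario: the real key is published out of band (keyserver,
# website, business card); the attacker has generated a key of their own.
GRANT_PUB, GRANT_PRIV = toy_keypair(61, 53)
ATTACKER_PUB, ATTACKER_PRIV = toy_keypair(97, 89)
KEYSERVER = {"kgo@grant-olson.net": GRANT_PUB}   # constructed keyserver record

def genuine_email(body):
    return {"from": "kgo@grant-olson.net", "body": body,
            "key": None, "sig": sign(body, GRANT_PRIV)}

def forge_email(sender, body):
    # The forged email embeds the attacker's key AND a signature made with it.
    return {"from": sender, "body": body,
            "key": ATTACKER_PUB, "sig": sign(body, ATTACKER_PRIV)}

def verify_trusting_embedded_key(email):
    # Key and signature arrive over the same channel: one forgery covers both.
    return verify(email["body"], email["sig"], email["key"])

def verify_with_keyserver_key(email, keyserver=KEYSERVER):
    # Key comes from an independent source; the attacker must forge that too.
    pub = keyserver.get(email["from"])
    if pub is None:
        return False
    # If a key is embedded anyway, it must match the out-of-band key.
    if email.get("key") is not None and fingerprint(email["key"]) != fingerprint(pub):
        return False
    return verify(email["body"], email["sig"], pub)
```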
