Question about notations and domains

Khelben Blackstaff eye.of.the.8eholder@gmail.com
Fri Aug 9 08:09:38 CEST 2013


On Fri, 09 Aug 2013 03:37:47 +0000
Henry Hertz Hobbit <hhhobbit@securemecca.net> wrote:

First, thank you for replying.

> Short answer:  Your github URL converted into an email
> address is NOT a good solution.  Read on if you want to
> know why.
> 
> The first reason one of your UIDs needs an email address only
> you use is to make the keys (assuming a primary signing key
> and an enciphering sub key but there are many other options)
> "yours".  It is also helpful to have a comment for that
> UID with an email address to help persuade others to sign your
> keys for the WOT. It also makes it even harder for somebody

Perhaps I did not phrase my question correctly, but I did not mean to
use the github url as the e-mail address in the UID. As I put in the
subject, I meant it only for notations.

Let me describe it a bit better. When you own a real domain that hosts
your web page, you can put your public key there, a text file describing
your signing policy, and you can even put files describing the exact
procedure of that certification (for example saying "I met Khelben
Blackstaff in a cafe, he showed me his id and passport, ......").

You can then set gnupg to automatically embed this info into the
signatures. For example:

default-keyserver-url http://your.domain.tld/gpg/pubkey.asc
sig-notation issuer-fpr@your.domain.tld=%g
cert-notation signotes@your.domain.tld=http://your.domain.tld/gpg/%K.asc
set-policy-url http://your.domain.tld/gpg/policy-current.txt

The domain is yours so it is perfectly fine to use it on the notations.

> It is much easier and less expensive to own your own domain
> and a POP email account than you would expect.  The domain and
> POP email account I am using here is less than $30 per year
> at 1and1.com.  GoDaddy and others can also set you up.  Your
> first and last name run together "khelbenblackstaff" is
> available in the BIZ, COM, INFO, NET, and ORG TLDs.  If you are
> in the US, "khelbenblackstaff.us" is also available.  So

Yes, it is very easy and cheap to acquire a domain, but not everyone has
one, and I do not think he will get one just to use with gpg. I can
hardly persuade my friends to use gpg in the first place.

That is why I wanted to mention that he can do the same thing with
github. He can put his policy and key notes on his github "web page"
and then use that "domain" as a notation. The notation that would be
embedded in the signature would be issuer-fpr@username.github.io

I never meant to use the github url in the UID. I hope my explanation
is better now and not more confusing.

Thank you again.
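The following is an added example, not part of the thread and not GnuPG's own code. It takes gpg.conf lines of the kind shown in the message above (with the "@" restored that the list archive shows as " at "), checks that each notation name sits in the RFC 4880 user namespace (name@domain), checks that the notation domains are the same host the set-policy-url points at, and expands the %g/%K/%f/%k/%s/%S placeholders that the gpg manual documents for notation values. The fingerprints used are constructed sample values; %p and %c are not modelled because they need inputs (primary key, smartcard counter) this example does not have.

```python
"""Added example (not from the Gnupg-users thread): parse gpg.conf notation
options, validate the notation names, and expand the placeholders gpg
substitutes when it writes a signature or certification."""
import re
from urllib.parse import urlparse

# Constructed sample gpg.conf, modelled on the lines quoted in the message.
SAMPLE_GPG_CONF = """\
# constructed sample
default-keyserver-url http://your.domain.tld/gpg/pubkey.asc
sig-notation issuer-fpr@your.domain.tld=%g
cert-notation signotes@your.domain.tld=http://your.domain.tld/gpg/%K.asc
set-policy-url http://your.domain.tld/gpg/policy-current.txt
"""

NOTATION_OPTIONS = ("sig-notation", "cert-notation", "set-notation")
# One DNS label: 1-63 chars of letters, digits or '-', not starting/ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_gpg_conf(text):
    """Return (option, value) pairs from gpg.conf text, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        option, _, value = line.partition(" ")
        entries.append((option, value.strip()))
    return entries


def validate_notation(spec):
    """Check a 'name@domain=value' notation spec (RFC 4880 user namespace).
    A leading '!' marks the notation critical and is stripped.
    Returns (local part, domain, value); raises ValueError if malformed."""
    if "=" not in spec:
        raise ValueError("notation needs name=value: %r" % spec)
    name, value = spec.split("=", 1)
    if name.startswith("!"):
        name = name[1:]
    if name.count("@") != 1:
        raise ValueError("user notation name must contain exactly one '@': %r" % name)
    local, domain = name.split("@")
    labels = domain.split(".")
    if not local or len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        raise ValueError("bad notation name: %r" % name)
    return local, domain, value


def is_valid_notation(spec):
    """Boolean wrapper around validate_notation for quick checks."""
    try:
        validate_notation(spec)
        return True
    except ValueError:
        return False


def notation_domains_match_policy(entries):
    """True if every notation name's domain equals the host of set-policy-url,
    i.e. the notations name a domain the signer also publishes policy on."""
    policy_hosts = {urlparse(v).hostname for o, v in entries if o == "set-policy-url"}
    domains = {validate_notation(v)[1] for o, v in entries if o in NOTATION_OPTIONS}
    return bool(domains) and domains <= policy_hosts


def expand_placeholders(value, signer_fpr, signed_fpr):
    """Expand the %-placeholders gpg documents for notation values.
    signer_fpr: fingerprint of the key making the signature (%g);
    signed_fpr: fingerprint of the key being signed (%f).
    Key IDs are the trailing 16 (long) or 8 (short) hex digits of a fingerprint."""
    table = {
        "g": signer_fpr, "S": signer_fpr[-16:], "s": signer_fpr[-8:],
        "f": signed_fpr, "K": signed_fpr[-16:], "k": signed_fpr[-8:],
        "%": "%",
    }

    def substitute(match):
        code = match.group(1)
        if code not in table:
            raise ValueError("placeholder %%%s not modelled here" % code)
        return table[code]

    return re.sub(r"%(.)", substitute, value)


if __name__ == "__main__":
    entries = parse_gpg_conf(SAMPLE_GPG_CONF)
    print("notation domains match policy host:", notation_domains_match_policy(entries))
    # Constructed sample fingerprints, not real keys.
    signer = "0123456789ABCDEF0123456789ABCDEF01234567"
    signed = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
    for option, value in entries:
        if option in NOTATION_OPTIONS:
            local, domain, raw = validate_notation(value)
            print(option, local + "@" + domain, "=>", expand_placeholders(raw, signer, signed))
```

Run it as a script to see the sample config expanded; the github.io variant from the message ("issuer-fpr@username.github.io=%g") passes the same name check, since a subdomain is still a well-formed domain, and the policy-host check then only asks that set-policy-url point at that same username.github.io host.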
