Questions about OpenPGP best practices
Doug Barton
dougb at dougbarton.us
Tue Feb 26 07:43:33 CET 2013
On 02/25/2013 02:54 PM, Peter Loshin wrote:
> Many thanks to Daniel Kahn Gillmor for pointing to the best practices
> page (https://we.riseup.net/riseuplabs+paow/openpgp-best-practices);
> this information is very helpful.
>
> Some questions about the information on this page:
>
> 1. "Don't use pgp.mit.edu". Which keyserver *should* be used? I assume
> that a pool is better than a particular server; is there one
> particular pool that is preferred? What about
> http://pool.sks-keyservers.net/?
Yes, that's a good one, and generally preferred.
> 2. On keeping an encrypted backup of my secret key material, what
> method is recommended for doing that? (Presumably something like "gpg
> --export-secret-keys | gpg --output secretkeymatter.gpg --symmetric"?)
If you're using a pass phrase, your key is already encrypted. Just save
it somewhere safe.
> 3. On using a keyserver with HKPS support: when I attempt to connect
> (via Chrome) to https://sks-keyservers.net/, I get an error headlined
> "The site's security certificate is not trusted!", stating " the
> server presented a certificate issued by an entity that is not trusted
> by your computer's operating system."
Yeah, they are using a self-signed certificate. A very dodgy decision in
an era where there are a non-zero number of widely accepted CAs that
will give out free certificates.
> 4. When I try to use hkps://sks-keyservers.net
The Best Practices page you posted above actually suggests:
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
That worked for me, although I was a bit disappointed that placing the
cert at /etc/ssl/certs/ca.hkps.pool.sks-keyservers.net.cert didn't work
like all the docs said it should.
Does anyone know where/how to place the cert file on the system so that
it can be called by demand, rather than having to specify it in the
gpg.conf?
> with GnuPG at the
> command line, I get these messages:
>
> gpgkeys: HTTP post error 1: unsupported protocol
> gpg: keyserver internal error
> gpg: keyserver send failed: Keyserver error
>
> And when I try the same with the domain name only (sks-keyservers.net)
> I get these messages:
>
> : can't connect to `sks-keyservers.net': No route to host
> gpgkeys: HTTP post error 7: couldn't connect: No route to host
> gpg: keyserver internal error
> gpg: keyserver send failed: Keyserver error
>
> My question would be, am I doing something wrong or is the service unavailable?
You're doing something wrong. :) Follow the doc more closely.
Doug
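As an added example that is not part of this thread or of GnuPG itself: a small POSIX shell check that validates a gpg.conf against the two lines Doug quotes from the best-practices page, confirming that the keyserver URL uses the hkps:// scheme and that the ca-cert-file named in keyserver-options actually exists and is readable. The function name, the temporary directory, and the three demo configs are my own constructions; the "certificate" written to the demo directory is a placeholder string, not a real CA file, and the script inspects local files only, with no network access.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a gpg.conf's keyserver
# settings. Assumed names: check_keyserver_config and the demo files below.

# Usage: check_keyserver_config /path/to/gpg.conf
# Returns 0 only if
#   - a "keyserver" line exists and its URL starts with hkps://
#   - a "keyserver-options ca-cert-file=..." line names a readable file
check_keyserver_config() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    rc=0

    # Take the last uncommented "keyserver" directive; later lines override earlier ones
    ks=$(grep -E '^[[:space:]]*keyserver[[:space:]]+' "$conf" | tail -n 1 | awk '{print $2}')
    case "$ks" in
        hkps://*) echo "ok: keyserver uses hkps ($ks)" ;;
        "")       echo "missing: no keyserver line"; rc=1 ;;
        *)        echo "weak: keyserver is not hkps ($ks)"; rc=1 ;;
    esac

    # Pull the ca-cert-file value out of keyserver-options (last occurrence wins)
    ca=$(grep -E '^[[:space:]]*keyserver-options[[:space:]]' "$conf" \
         | grep -o 'ca-cert-file=[^[:space:],]*' | tail -n 1 | cut -d= -f2-)
    if [ -z "$ca" ]; then
        echo "missing: no ca-cert-file in keyserver-options"; rc=1
    elif [ ! -r "$ca" ]; then
        echo "broken: ca-cert-file $ca is not readable"; rc=1
    else
        echo "ok: ca-cert-file $ca exists"
    fi
    return $rc
}

# Constructed demo inputs (placeholder cert, not a real CA file)
demo_dir=$(mktemp -d)
printf 'placeholder, not a real certificate\n' > "$demo_dir/sks-keyservers.netCA.pem"

# Matches the two lines quoted from the best-practices page
cat > "$demo_dir/good.conf" <<EOF
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=$demo_dir/sks-keyservers.netCA.pem
EOF

# Plain hkp, no TLS at all
cat > "$demo_dir/bad.conf" <<EOF
keyserver hkp://pool.sks-keyservers.net
EOF

# hkps, but the CA file it points at is missing
cat > "$demo_dir/nocert.conf" <<EOF
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=$demo_dir/does-not-exist.pem
EOF

check_keyserver_config "$demo_dir/good.conf"
check_keyserver_config "$demo_dir/bad.conf"    || echo "bad.conf rejected"
check_keyserver_config "$demo_dir/nocert.conf" || echo "nocert.conf rejected"
```

The check only confirms the shape of the configuration: that TLS is requested and that a CA file is in place. It says nothing about whether that file is the correct CA for the pool, which is still something to verify by hand against the fingerprint the keyserver operator publishes. Remove "$demo_dir" when finished with the demo files.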