Best practice to make one's key known, was Re: German ct magazine postulates death of pgp encryption

Doug Barton dougb at dougbarton.email
Sat Feb 28 21:36:44 CET 2015


On 2/27/15 10:10 PM, Marco Zehe wrote:
> Hi Werner et al,
>
>> On 27.02.2015 at 20:56, Werner Koch <wk at gnupg.org> wrote:
>>
>> There is no trust in keyservers by design.  As soon as you start
>> changing this you are turning PGP into a centralized system.
>
> OK, then I have a very practical question: Even though this is my
> fourth or fifth attempt at establishing OpenPGP in my daily routine
> since the mid 1990s, I am still confused by what the best way is to
> make my public key known. So if, as you say, key servers are not
> trusted by design, if I want to spread word around my available
> public key, which source should I put in a signature? While reading
> this list, I have seen quite a number of different approaches. Some
> put their key ID along with the fingerprint and the URL of a key
> server. Others put a link to the key file on a web server, others
> just quote their key ID and fingerprint, or only either of those.
>
> I have my key uploaded (and kept current) on key servers as well as
> on my web site(s), and my Impressum links to the copy on my web
> site rather than the key server URL.
>
> So: What’s the best practice advice? (and yes, I looked in the FAQ,
> but that didn’t prove conclusive to me.)

It's overwhelmingly likely that you are overthinking this. :)

If someone wants to correspond with you using PGP, they will ask. If
you sign a message, they will know that you are using PGP, and what
your key ID is. And you've posted it enough places that even a
moderately motivated person will be able to find it.

Relax, and enjoy the ride.

Doug



