? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?

NdK ndk.clanbo at gmail.com
Wed Dec 28 15:42:00 CET 2016


On 28/12/2016 13:28, Miroslav Rovis wrote:

>> The fact that Github, since this outgoing year, accept gpg signing only
>> if you post your public key to their servers.
I can't say for sure, but maybe that's so they can have an
"attestation key" to use for verifying signatures, without expensive WoT
checks. By loading your key, you're certifying it's yours. But it won't
actually give any more assurance of "you is you" than your credentials
(against GitHub): if someone steals your credentials, he can replace
your pub key and sign new commits in your name. They're using GPG just
as a frontend for signatures using self-signed certificates.

BTW nothing prevents you from uploading your key to the keyservers and
participate in the WoT -- that's the only thing that could assure who
clones your repo that *you* signed those commits.
Sometimes just "key persistence" is important (i.o.w. that the key that
signed all the commits has always been the same, and in this case GitHub
loaded key can be enough), other times it could be important to link the
key used for signing a commit to (the reputation of) a real person, and
in this case the WoT is needed.

> Just some quick links in connection, for the less familiar.
> For users (like me):
> https://help.github.com/categories/gpg/
Some recommendations could be quite questionable (always use RSA 4096,
do not set an expiry on main key, no mention of generating a revocation
certificate...).

BYtE,
 Diego
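As an added example (not part of this thread or of any project mentioned in it), a small shell check for the "key persistence" property described above: every commit in a repository's history must carry a cryptographically good signature from one and the same key. It uses git's own `%G?` (signature status) and `%GF` (signing-key fingerprint) format placeholders; the sample log lines and fingerprints below are constructed placeholders, not real ones.

```shell
#!/bin/sh
# Key-persistence check over the output of:
#   git log --format='%H %G? %GF'
# %G? is G (good, key trusted locally) or U (good, key validity unknown,
# i.e. the key is not in your local WoT, which is exactly the situation
# for a key only uploaded to GitHub). Either proves the signature is
# cryptographically good; the check then insists on one fingerprint.
# Other statuses (B bad, X/Y expired, R revoked, E uncheckable, N none) fail.
check_key_persistence() {
    expected=""
    status=0
    while read -r commit sigstatus fpr; do
        [ -z "$commit" ] && continue
        case "$sigstatus" in
            G|U) ;;
            *)
                echo "FAIL $commit: signature status '$sigstatus'" >&2
                status=1
                continue
                ;;
        esac
        if [ -z "$expected" ]; then
            expected="$fpr"
        elif [ "$fpr" != "$expected" ]; then
            echo "FAIL $commit: signed by $fpr, expected $expected" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample input (placeholder hashes and fingerprints, not real data).
SAMPLE_GOOD='aaaa1111 G 0123456789ABCDEF0123456789ABCDEF01234567
bbbb2222 U 0123456789ABCDEF0123456789ABCDEF01234567'

# Second commit signed by a different key, third commit unsigned.
SAMPLE_BAD='aaaa1111 G 0123456789ABCDEF0123456789ABCDEF01234567
cccc3333 G FEDCBA9876543210FEDCBA9876543210FEDCBA98
dddd4444 N'

# Real-world usage from inside a repository:
#   git log --format='%H %G? %GF' | check_key_persistence
```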
