? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?

Miroslav Rovis miro.rovis at croatiafidelis.hr
Fri Dec 30 01:35:15 CET 2016


On 161228-15:42+0100, NdK wrote:
> On 28/12/2016 13:28, Miroslav Rovis wrote:
> 
> >> The fact that Github, since this outgoing year, accept gpg signing only
> >> if you post your public key to their servers.
> I can't say for sure, but maybe that's so so they can have an
> "attestation key" to use for verifying signatures, without expensive WoT
> checks.
Why would that be expensive? Expensive is the tracking that they let the
Schmoog (y'know Schmoog the Schmoogle) do on their users... Have a look
at (sorry for the title, just moved to Pale Moon):
In Defence of Firefox: some Harvesting by Referal Decrypted
https://forums.gentoo.org/viewtopic-t-1038896.html
(where I couldn't post everything, as I would have revealed my password)
Expensive (time, resources on them and on users) is the tracking...
> 
> BTW nothing prevents you from uploading your key to the keyservers and
> participate in the WoT -- that's the only thing that could assure who
> clones your repo that *you* signed those commits.
My keys have long been on keyservers, but I do too little, and
insignificant, programming to have had them signed by others yet.
> 
> > Just some quick links in connection, for the less familiar.
> > For users (like me):
> > https://help.github.com/categories/gpg/
> Some recommendations could be quite questionable (always use RSA 4096,
> do not set an expiry on main key, no mention of generating a revocation
> certificate...).
Of course, I have been using RSA since a few years back, and other things,
only late to update to gnupg-2, haven't had time... Missing the
functionalities, now that I really understand ever better about it, and
understood that I can trust Werner Koch, Neal Walfield
(
why aren't they teaching people this:
An Advanced Intro to GnuPG
https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.html

Exempli gratia, I can't read it all now (need to give it a re-read), but
is there a suggestion in my home distro, so to call it, since 8 yrs +
with it, that you get poor security if you just keep your secret key in
~/.gnupg/ ? Is there, if any Gentooer is reading this? ...
)
, and the team and what they do.

And also Alexandre Olive replied (pasting his mail in here manually):
> Until this year there was no way to verify the signature of commits
> and releases through the GitHub website, so they created a "kind of"
> keyserver in their own server to manage users public keys.
No, there was no way to do so in a GUI, but that's not such a great
advantage to have, and you have to paste your public key, as if they
couldn't get it from good keyservers, which certainly don't track people
so much, such as:
https://sks-keyservers.net/i/
and
https://pgp.mit.edu/

Before, when your git repo, or somebody else's, had a signed tag, you got
the public key anywhere, cloned the repo, and could verify it; you
didn't need a GUI...

Have to go back to other work, regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
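The workflow the last paragraph describes (get the signer's public key from anywhere, clone, verify the tag, no GUI needed), as an added example that is not part of this message or the thread: a POSIX shell script that runs the whole round trip offline with throwaway GnuPG keyrings. It assumes git and gpg 2.1 or newer are installed; the signer identity and key are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): the "get the key, clone, verify" round trip,
# done offline with throwaway GnuPG keyrings in a temporary directory.
# Assumes git and gpg 2.1+ on PATH; the signer identity and key are constructed here.

signed_tag_demo() {
    work=$(mktemp -d) || return 1

    # --- Signer's side: a throwaway signing key and a signed tag in a small repo.
    signer_home="$work/signer-gnupg"
    mkdir -p "$signer_home" && chmod 700 "$signer_home" || return 1
    GNUPGHOME="$signer_home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <signer@example.invalid>' rsa2048 sign 1d || return 1
    fpr=$(GNUPGHOME="$signer_home" gpg --batch --with-colons --list-keys signer@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    git init -q "$work/origin" || return 1
    ( cd "$work/origin" &&
      git -c user.name='Demo Signer' -c user.email='signer@example.invalid' \
          commit -q --allow-empty -m 'release 1.0' &&
      GNUPGHOME="$signer_home" git -c user.signingkey="$fpr" tag -s v1.0 -m 'signed release tag'
    ) || return 1

    # The public key as a verifier would fetch it from a keyserver (here: a plain export).
    GNUPGHOME="$signer_home" gpg --batch --armor --export "$fpr" > "$work/signer.pub" || return 1

    # --- Verifier's side: fresh keyring, clone, verify. No GUI, no account anywhere.
    verifier_home="$work/verifier-gnupg"
    mkdir -p "$verifier_home" && chmod 700 "$verifier_home" || return 1
    git clone -q "$work/origin" "$work/clone" || return 1

    # Without the signer's public key the signature cannot be checked, so this must fail.
    if ( cd "$work/clone" && GNUPGHOME="$verifier_home" git verify-tag v1.0 2>/dev/null ); then
        echo "unexpected: tag verified without the signer's key" >&2
        return 1
    fi

    # Import the key and verify: gpg reports "Good signature" and exits 0. The key is
    # not trusted in this keyring, which gpg prints as a WARNING, not a failure;
    # that trust decision (WoT, fingerprint check) is yours, not the hosting site's.
    GNUPGHOME="$verifier_home" gpg --batch --quiet --import "$work/signer.pub" || return 1
    ( cd "$work/clone" && GNUPGHOME="$verifier_home" git verify-tag v1.0 ) || return 1

    echo "tag v1.0 verified against key $fpr"
    rm -rf "$work"
}
```

Run with `sh` and the function prints the fingerprint it verified against; the attempt without the key failing first is the point, since the trust comes from the key you obtained and checked, not from the site hosting the repo.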