some beginner questions

Robert J. Hansen rjh at
Sat Apr 1 22:08:13 CEST 2017

> Do I just move on and try not to do that in the future, or is there any
> hope for cleaning up?

Move on.  It's okay, everybody makes this mistake in the beginning.  :)

> 2. In everyday use, what is the norm for folks to publish their keys to
> get other folks to use them? Do y'all put the fingerprint in your
> emails, attach your signatures (I see some of you on this list do), put
> the key on your social media, or what?

(My opinion on this used to be 100% orthodox; in the last few years I've
seen it become heterodox.  The cool kids are all about TOFU today; I
think TOFU borders on crazy.  So be warned, this opinion is ... stodgy,
by present standards.)

If I'm corresponding with someone, I ask if they use OpenPGP; if they
do, I arrange for an out-of-band key verification.  I also have my
fingerprint on my business card, so that if I meet someone face-to-face
it makes it easy as can be to do a key verification: here's my driver's
license, here's my business card, you get to verify I'm really Rob
Hansen and you have my fingerprint given to you directly by me.

> 3. I've read
> and other such pieces proclaiming the value of having the master key in
> a safe place and having subkeys on your actual devices. I've followed
> the guides and it seems that I am unable to actually sign anything with
> the subkey, gpg complains with gpg: signing failed: No secret key. gpg
> -K shows:

Please read the FAQ.  Question 8.1 is directly applicable.

The internet is full of people who will tell you "the true secret" to
"creating the perfect key".  The reality is, unless you know exactly
what changes you're making and why you need to make them, you will be
far better served with the defaults.

> 4. Is it safe to refer to my public key/fingerprint information as I did
> in the previous question with output from gpg?

