some beginner questions

Will Senn wsenn1 at
Sun Apr 2 02:50:23 CEST 2017


On 4/1/17 3:08 PM, Robert J. Hansen wrote:
>> Do I just move on and try not to do that in the future, or is there any
>> hope for cleaning up?
> Move on.  It's okay, everybody makes this mistake in the beginning.  :)

I thought this might be the case. On the one hand, bummer, on the other, ok.

>> 2. In everyday use, what is the norm for folks to publish their keys to
>> get other folks to use them? Do y'all put the fingerprint in your
>> emails, attach your signatures (I see some of you on this list do), put
>> the key on your social media, or what?
> (My opinion on this used to be 100% orthodox; in the last few years I've
> seen it become heterodox.  The cool kids are all about TOFU today; I
> think TOFU borders on crazy.  So be warned, this opinion is ... stodgy,
> by present standards.)
>
> If I'm corresponding with someone, I ask if they use OpenPGP; if they
> do, I arrange for an out-of-band key verification.  I also have my
> fingerprint on my business card, so that if I meet someone face-to-face
> it makes it easy as can be to do a key verification: here's my driver's
> license, here's my business card, you get to verify I'm really Rob
> Hansen and you have my fingerprint given to you directly by me.

Sounds reasonable. I'll look into TOFU, but I think I'll lean towards a
more conservative approach to start.

>> 3. I've read
>> and other such pieces proclaiming the value of having the master key in
>> a safe place and having subkeys on your actual devices. I've been following
>> the guides and it seems that I am unable to actually sign anything with
>> the subkey, gpg complains with gpg: signing failed: No secret key. gpg
>> -K shows:
> Please read the FAQ.  Question 8.1 is directly applicable.
>
> The internet is full of people who will tell you "the true secret" to
> "creating the perfect key".  The reality is, unless you know exactly
> what changes you're making and why you need to make them, you will be
> far better served with the defaults.

If I don't get this master/sub key thing figured out successfully soon,
I'll probably go back to defaults.

>> 4. Is it safe to refer to my public key/fingerprint information as I did
>> in the previous question with output from gpg?
> Yes.

