OK, since this is getting to be kind of a whole "thing", I've split it off.
This message is (or should be) signed. Hopefully using PGP/MIME, which, if I understand Neil correctly, is what I'm supposed to do. You all have undoubtedly realized by now that I have little experience and less understanding of GPG keys and their proper use; I only have one because last year (which is why the key is from 2004), I was corresponding with someone who preferred encrypted email. Now that I've got my reinstall relatively stable-- at the time of the key's creation, I was using Gentoo, which I broke, and in the meantime, I'd switched to SuSE, where I didn't use my backed-up keyrings at all, and back to Gentoo-- and got Enigmail working again, I figure it's time to learn at least how to use my keys properly. Even if I don't seem to have much use for them now, you never know when it might come in handy. I think I've pretty much got a handle on full encryption (not only did I exchange several encrypted mails last year, but today I sent myself a test mail, which I was able to decrypt), but the signing is kinda wiping the floor with me, apparently.

OK, so Neil said:

Neil Bothwick wrote:
> On Fri, 24 Jun 2005 17:26:43 +0200, Holly Bostick wrote:
>
>>But this whole episode has at least gotten me to finally upload my own
>>key, so I've (hopefully) signed this message.
>
> Yes, but as an inline signature, not as a MIME message part, which is
> the preferred way of doing it.

Right.... that means, I think, that the default setting in Enigmail's PGP/MIME settings-- "Allow PGP/MIME"-- should be set to "Always use PGP/MIME". Is that correct? The point being-- as I understand it-- that MIME parts have something to do with IMAP, which I don't use (yet), but many others do, especially those likely to be desiring signed or encrypted mail, so it's just better to use it by default? Fine, then let me know if this message, transmitted using the new setting, arrived with the signature correctly as a MIME message part.

Meanwhilst, Rumen said:

> Hi,
> Lately stopped using keyservers very much, but now just tried to
> search/check for your key, the result:
> 1.running: "gpg --keyserver subkeys.pgp.net --search-key Holly" gets this
<snip>
> (10) Holly Bostick <[EMAIL PROTECTED]>
> 1024 bit DSA key 94456400, created: 2004-07-05
<snip>
> there are many more, reached till 123 and there's more ;)
> 2.running: "gpg --keyserver subkeys.pgp.net --search-key Holly" gets this
> ...BEGIN...
> gpg: searching for "Holly" from hkp server random.sks.keyserver.penguin.de
<snip me not winding up in the first 25 hits>
> ...END...
> Searching with '[EMAIL PROTECTED]' (on both) results in the same one
> entry above.
> This key is from 2004:
> (1) Holly Bostick <[EMAIL PROTECTED]>
> 1024 bit DSA key 94456400, created: 2004-07-05

Which is my key, so it's out there somewhere. But I am wondering if it is in some way incomplete or improperly aliased-- or was "Holly" too general a search as opposed to "Bostick"? Yes, apparently so; replacing --search-key Holly with --search-key Bostick comes up with me first on both searches. Not so much that I'm hyped on being first, but at least it means I'm easily found if someone's looking.

So that seems OK then, but I still have a few questions:

1) My key is set to never expire (afaik). Is that OK, or should I generate a new key... I dunno, every 3 months or something? That seems to negate the whole idea of having a key in the first place, but.... what do I know?

2) Do I need to create a digital certificate? Is it any good if it's self-signed? Or should I go to the archives and find that site that will generate one for me?

3) On the same note, I don't have a "Web of Trust"; my key is unsigned (naturally), and the keys I've collected from this list I have not dared to specify trust levels for. Should I be concerned about this, and take steps to rectify the situation with all due haste? If so, how would I go about that? All I've heard of are key-signing parties, which seem unlikely to be a feasible option for me.

4) Clearly no one I am in contact with seems to really care if I sign my emails by default, but should I protect them from themselves and do so anyway? Are there any benefits to this good habit, especially since my key is unsigned anyway?

5) If I take up the habit of signing my emails, is it unreasonably dangerous to also set "No password for user" in the Enigmail options? I know that if I have to dig up my complex and unique password every time I send an email (in order to sign it), I'm not going to sign them, but if not requiring the complex and unique password opens a high possibility of compromising the key itself (because if I was hacked, said miscreant could send signed emails "from me" because s/he doesn't have to know the complex and unique password in order to do so), then I suppose I'd have to just suck it up (assuming that there's some overriding benefit in me taking up this habit in the first place).

Anyway, I know it's OT, and sorry for hijacking the thread in the second place, but if there's anyone who'd like to explain this to me in relatively simpler terms than man gpg or the GNUPG site, I'd appreciate it.

Holly
signature.asc
Description: OpenPGP digital signature
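As an added example (not code from this thread, from Enigmail or from GnuPG), the following Python shows what the two Enigmail settings discussed above put on the wire: an inline (clearsigned) signature pasted into the text body versus a PGP/MIME `multipart/signed` container per RFC 3156, where the signature travels as its own `application/pgp-signature` part (the `signature.asc` attachment a mail archive shows). It also extracts the exact bytes a verifying client hands to `gpg --verify` for a PGP/MIME message. The addresses and the signature block are constructed placeholders; no key is generated and gpg is not run, since the point is the message structure, not the cryptography.

```python
"""Inline (clearsigned) vs PGP/MIME (RFC 3156) signed mail.

Added example, not code from the original thread, Enigmail or GnuPG.
The signature block is a constructed placeholder (no key, no gpg run).
"""
from email import policy
from email.message import EmailMessage
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

INLINE_MARKER = "-----BEGIN PGP SIGNED MESSAGE-----"

# Constructed placeholder, NOT a real ASCII-armored signature.
FAKE_SIG = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v1.4.1 (GNU/Linux)\n"
    "\n"
    "iD8DBQBCPLACEHOLDERSIGNATUREBYTESxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=\n"
    "=AbCd\n"
    "-----END PGP SIGNATURE-----\n"
)


def inline_signed(body: str) -> bytes:
    """Enigmail's default 'Allow PGP/MIME' behaviour: the clearsign block
    is pasted into the text body, so the signature is part of the text."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "Holly Bostick <holly@example.invalid>"  # constructed
    msg["To"] = "gentoo-user@example.invalid"             # constructed
    msg["Subject"] = "inline signature"
    msg.set_content(f"{INLINE_MARKER}\nHash: SHA1\n\n{body}\n{FAKE_SIG}")
    return msg.as_bytes()


def pgp_mime_signed(body: str) -> bytes:
    """'Always use PGP/MIME': a multipart/signed container whose first part
    is the untouched text and whose second part is the detached signature."""
    msg = MIMEMultipart("signed", micalg="pgp-sha1",
                        protocol="application/pgp-signature",
                        policy=policy.SMTP)
    msg["From"] = "Holly Bostick <holly@example.invalid>"  # constructed
    msg["To"] = "gentoo-user@example.invalid"             # constructed
    msg["Subject"] = "PGP/MIME signature"
    msg.attach(MIMEText(body, policy=policy.SMTP))
    sig = MIMEBase("application", "pgp-signature",
                   name="signature.asc", policy=policy.SMTP)
    sig["Content-Description"] = "OpenPGP digital signature"
    sig["Content-Transfer-Encoding"] = "7bit"
    sig.set_payload(FAKE_SIG)
    msg.attach(sig)
    return msg.as_bytes()


def signature_style(raw: bytes) -> str:
    """Classify a received message the way a MIME-aware client would."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get_content_type() == "multipart/signed":
        if msg.get_param("protocol") != "application/pgp-signature":
            return "multipart/signed, but not OpenPGP"
        parts = list(msg.iter_parts())
        if len(parts) != 2 or \
                parts[1].get_content_type() != "application/pgp-signature":
            return "malformed PGP/MIME"
        return "pgp-mime"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and INLINE_MARKER in body.get_content():
        return "inline"
    return "unsigned"


def signed_payload(raw: bytes) -> bytes:
    """RFC 3156 section 5: the data actually covered by a PGP/MIME signature
    is the first body part, MIME headers included, in canonical (CRLF) form.
    This is what a client feeds to gpg --verify together with the second part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    first, _sig = msg.iter_parts()
    return first.as_bytes(policy=policy.SMTP)


if __name__ == "__main__":
    for build in (inline_signed, pgp_mime_signed):
        print(build.__name__, "->", signature_style(build("Hello, list.")))
    print(signed_payload(pgp_mime_signed("Hello, list.")).decode())
```

Because the signed bytes include the first part's MIME headers and CRLF line endings, any intermediary that re-wraps or re-encodes that part (a mailing-list footer, a gateway converting line endings) breaks a PGP/MIME signature; an inline signature survives such handling only until the body text itself is touched, which is the trade-off behind Neil's preference.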