Hi,

Holly Bostick wrote:
> OK, since this is getting to be kind of a whole "thing", I've split it off.
>
> This message is (or should be) signed. Hopefully using PGP/MIME, which,
> if I understand Neil correctly, is what I'm supposed to do.

Yes, it's pgp/mime; from memory this is the newer format, which allows you to
also encrypt the body of the message and the attachments too. Somebody correct
me here if needed. The old format is pgp/inline.

> You all have undoubtedly realized by now that I have little experience
> and less understanding of GPG keys and their proper use; I only have one
> because last year (which is why the key is from 2004), I was
> corresponding with someone who preferred encrypted email. Now that I've
> got my reinstall relatively stable-- at the time of the key's creation,
> I was using Gentoo, which I broke, and in the meantime, I'd switched to
> SuSE, where I didn't use my backed-up keyrings at all, and back to
> Gentoo-- and got Enigmail working again, I figure it's time to learn at
> least how to use my keys properly. Even if I don't seem to have much use
> for them now, you never know when it might come in handy.
>
> I think I've pretty much got a handle on full encryption (not only did I
> exchange several encrypted mails last year, but today I sent myself a
> test mail, which I was able to decrypt), but the signing is kinda wiping
> the floor with me, apparently.
> ...skip...
>
> Right.... that means, I think, that the default setting in Enigmail's
> PGP/MIME settings-- "Allow PGP/MIME"-- should be set to "Always use
> PGP/MIME". Is that correct? The point being-- as I understand it-- that
> MIME parts have something to do with IMAP, which I don't use (yet), but
> many others do, especially those likely to be desiring signed or
> encrypted mail, so it's just better to use it by default? Fine, then let
> me know if this message, transmitted using the new setting, arrived with
> the signature correctly as a MIME message part.

I have pgp/mime configured, but currently don't use it; I use certs instead.
Easier for me too. Somewhere in the options you configure the use of
gpg/certs.

...skip...

> Which is my key, so it's out there somewhere. But I am wondering if it
> is in some way incomplete or improperly aliased-- or was "Holly" too
> general a search as opposed to "Bostick"? Yes, apparently so; replacing
> --search-key Holly with --search-key Bostick comes up with me first on
> both searches. Not so much that I'm hyped on being first, but at least
> it means I'm easily found if someone's looking.

Sorry, my fault here ;)

> So that seems OK then, but I still have a few questions:
>
> 1) My key is set to never expire (afaik). Is that OK, or should I
> generate a new key... I dunno, every 3 months or something? That seems
> to negate the whole idea of having a key in the first place, but....
> what do I know?

You could use it that way; the only important thing to do IMHO is to generate
a revocation certificate for the key. Then if something happens sometime,
you'll be able to revoke this key and generate a new one. After a key is
revoked, on checking it a message tells you that the key is invalid/revoked
(check here).

> 2) Do I need to create a digital certificate? Is it any good if it's
> self-signed? Or should I go to the archives and find that site that will
> generate one for me?

Some time ago I had/used a self-signed cert. The only drawback is that
you/other people can't verify it to be sure it really belongs to me. Because
of this I later generated a new one and sent it to "www.cacert.org", which
signed it to verify my email identity, etc. The trick here is that in order
to check it you have to import their root cert (from the site), because in
most browsers there are only root certs of the commercial CA providers.
CAcert.org is free to use.

> 3) On the same note, I don't have a "Web of Trust"; my key is unsigned
> (naturally), and the keys I've collected from this list I have not dared
> to specify trust levels for. Should I be concerned about this, and take
> steps to rectify the situation with all due haste? If so, how would I go
> about that? All I've heard of are key-signing parties, which seem
> unlikely to be a feasible option for me.

I think this is one of the main purposes of keyservers (to hold keys) ;)

> 4) Clearly no one I am in contact with seems to really care if I sign my
> emails by default, but should I protect them from themselves and do so
> anyway? Are there any benefits to this good habit, especially since my
> key is unsigned anyway?

Using this proves your identity (the email address in From).

> 5) If I take up the habit of signing my emails, is it unreasonably
> dangerous to also set "No password for user" in the Enigmail options? I
> know that if I have to dig up my complex and unique password every time
> I send an email (in order to sign it), I'm not going to sign them, but
> if not requiring the complex and unique password opens a high
> possibility of compromising the key itself (because if I was hacked,
> said miscreant could send signed emails "from me" because s/he doesn't
> have to know the complex and unique password in order to do so), then I
> suppose I'd have to just suck it up (assuming that there's some
> overriding benefit in me taking up this habit in the first place).

Use 'keychain' (gpg-agent); there's a Gentoo doc on how to install/use it.
It also works with ssh-agent. Shortly said: the first time you just type the
key, and later the already stored key is used for signing. The time
(short/long) for which it's active can be set. Then you auto-sign your mails
w/o having to type the password again. Activate 'use gpg-agent' in the TB
options.

> Anyway, I know it's OT, and sorry for hijacking the thread in the second
> place, but if there's anyone who'd like to explain this to me in
> relatively simpler terms than man gpg or the GNUPG site, I'd appreciate it.
>
> Holly

PS: with a cert I have to input a password once and sign mail till I exit TB
(requires a setting). But I have working ssh-agent & gpg-agent.

HTH.
Rumen
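An added example (not part of this thread or of Enigmail) showing the pgp/mime layout discussed above next to the old pgp/inline style: it builds a multipart/signed message per RFC 3156, tells the two formats apart, and extracts the exact bytes a verifier hashes. The address and the signature blob are constructed placeholders, not real values.

```python
# Added example (not from this thread): a PGP/MIME (RFC 3156) signed message next
# to the older inline style, plus the exact bytes a verifier hashes. FAKE_SIG is a
# constructed placeholder, not a real OpenPGP signature; gpg would get signed_payload().
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

FAKE_SIG = b"-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
CRLF = policy.default.clone(linesep="\r\n")  # RFC 3156: sign over canonical CRLF text

def build_pgp_mime(body: str, signature: bytes = FAKE_SIG) -> bytes:
    """multipart/signed: part 1 is the signed body, part 2 the detached signature."""
    msg = EmailMessage()
    msg["From"] = "holly@example.invalid"  # constructed address
    msg.set_content(body)
    # The detached signature travels as its own ASCII-armored (7bit) part.
    msg.add_attachment(signature, maintype="application", subtype="pgp-signature",
                       filename="signature.asc", cte="7bit")
    msg.set_type("multipart/signed")  # add_attachment made it multipart/mixed
    msg.set_param("protocol", "application/pgp-signature")
    msg.set_param("micalg", "pgp-sha256")
    return msg.as_bytes()

def build_plain(body: str, inline_sig: bool = False) -> bytes:
    """pgp/inline style: the signature, if any, is pasted into the text body."""
    if inline_sig:
        body = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + body + FAKE_SIG.decode()
    msg = EmailMessage()
    msg["From"] = "holly@example.invalid"
    msg.set_content(body)
    return msg.as_bytes()

def classify(raw: bytes) -> str:
    """Return 'pgp/mime', 'inline' or 'unsigned' for a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        parts = list(msg.iter_parts())
        if len(parts) == 2 and parts[1].get_content_type() == "application/pgp-signature":
            return "pgp/mime"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and "-----BEGIN PGP SIGNED MESSAGE-----" in body.get_content():
        return "inline"
    return "unsigned"

def signed_payload(raw: bytes) -> bytes:
    """Bytes the signature covers: the whole first part, MIME headers included."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return next(msg.iter_parts()).as_bytes(policy=CRLF)
```

Because the signed bytes include the first part's MIME headers and are CRLF-terminated, a mail client or gateway that rewrites headers or line endings in transit breaks the signature even though the text looks unchanged.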