Werner Koch wrote:
> On Fri, 27 Oct 2006 15:55, Christoph Probst said:
>> I was working on a large number of files (about 300) which I exported from my
>> email client (the result of a key signing party some weeks ago):
>
> BTW, sending public keys encrypted or signed is a bad habit. There is
> in general no reason to do so.

Good habits are easy to break, and bad habits easy to pick up, but I'm curious why encrypting signed keys back to their owner is a bad habit. It verifies the other half of the ID on the key (the email address), it verifies that that person (still) has the secret key and passphrase. "Manoj's Key-Signing Protocol" takes this to an extreme, in requiring multiple "secrets" passed back-and-forth before actually signing the key.

There was an interesting article on linuxsecurity.com by "Atom Smasher" called "pgp Key Signing Observations Overlooked Social and Technical Considerations"; the only flaw I see is the implicit "you own your public key". At attrition.org there is "Social Implications of Keysigning" and it talks about social network mapping, and a virtual smear campaign.

> They end up at a public keyserver anyway.

Only if the owner puts his/her key on a keyserver, or someone disrespects his right to not have his key there. I can think of a few reasons why someone wouldn't want their key on a keyserver, but most of those reasons would also preclude going to a keysigning party (with that key).

Personally, while I don't like the aspects of social mapping, once I have some sigs on my public key, I want it spread far and wide. If those sigs did not result from my face-to-face meeting with the other person, then having them on my key doesn't actually improve the web of trust, and it seems reasonable not to have those sigs spread far and wide if I can help it. If people return their sigs to me, and not to keyservers, then I decide which ones appear "in the wild".

I am moving into actually using GnuPG, instead of just having 'academic knowledge' of PGP, so if I've picked up 'wrong' preconceptions I want to know before I start spreading them to other people.