Re: Delete key from keyserver
On Sat, Oct 22, 2005 at 10:14:58PM +0100, Neil Williams wrote:
> ? That key has NO signatures other than yourself! There's no way anyone can
> trust it. There are NO paths.

It does, look at:
http://pks.aaiedu.hr:11371/pks/lookup?op=vindex&search=0x16DA1F1690887E13
http://pks.aaiedu.hr:11371/pks/lookup?op=vindex&search=0x5081D08A1DC7E994

Both are signed by my master key which in turn is signed by a friend. My scheme is having one "master key" and then I get people to sign that master key, which I in turn use to sign my other ad-hoc keys.

To avoid further confusion, the key is signed by zeljko.vrba at gmail.com

> Sorry to hear that but how hard have you tried? Have you travelled to

Now I'm going to hide.. in fact, not. I tried finding someone while writing the previous mail and.. well, I've succeeded.

> Keysigning is testifying to the world that you have verified the person, the
> fingerprint and the email.

I'm aware of that.

> If you want a formalised external method of identity verification, consider
> using x.509 and people like Thawte will provide an alternative to GnuPG's
> personal (face-to-face) methods.

Actually, at one point in time I did think about getting myself a "real" X.509 certificate and using it as "my own CA" certificate by which I sign my other ad-hoc keys as I see fit. The thing I don't like about commercial X.509 certificates is their short lifetime. It's a pure ripoff and no-work money generator for the CA, after you get your 1st certificate.

I have yet to play a bit with gpgsm and see how well you can mix PGP and X.509 keys. I.e. can I use my X.509 cert to sign other people's OpenPGP keys? Can I at least re-use the X.509 private key for my own OpenPGP key?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Delete key from keyserver
On Sat, Oct 22, 2005 at 11:12:01PM +0200, markus reichelt wrote:
> http://bitfalle.org/keys/gpg-key-signing-policy.php

I don't feel like reading the GNU documentation license, so a short question: may I reuse and adapt this text to my own needs? [I'll give you a proper credit]

> imagine you would find two telephone numbers listed in a directory
> under the very same name. how are you to decide which one of these
> numbers is the correct one? the number of ppl also listing one number
> in a commercial directory, e.g. "having conducted successful
> business with" is equal. again, what would you do?

heh, nice analogy.
Re: GFDL (was: delete key from server)
[EMAIL PROTECTED] wrote:
> On Sat, Oct 22, 2005 at 11:12:01PM +0200, markus reichelt wrote:
>> http://bitfalle.org/keys/gpg-key-signing-policy.php
>
> I don't feel like reading the GNU documentation license, so a short
> question: may I reuse and adapt this text to my own needs? [I'll give
> you a proper credit]

The GFDL says you can modify it so long as the work you produce is also under the GFDL, and gives attribution to the original authors. In practical terms online, it's best to link back to the original source when doing so. Basically you just need to say "this keysigning policy is derived from the keysigning policy of markus reichelt (link), and is licensed under the GNU Free Documentation License (link)". It might also be good to state (and link) the sources that his policy was derived from.

Oh, one other thing: You need to make the source of the document (a "transparent copy" in legalese) available. Plain HTML is pretty OK for that.

HTH,

--
Alphax
Encrypted Email Preferred | ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613 | Against HTML email & vCards
http://tinyurl.com/cc9up
Re: Delete key from keyserver
[EMAIL PROTECTED] wrote:
>> If you want a formalised external method of identity verification, consider
>> using x.509 and people like Thawte will provide an alternative to GnuPG's
>> personal (face-to-face) methods.
>
> Actually, at one point in time I did think about getting myself a "real"
> X.509 certificate and use it as "my own CA" certificate by which I sign
> my other ad-hoc keys as I see fit. The thing I don't like about commercial
> X.509 certificates is their short lifetime. It's a pure ripoff and no-work
> money generator for the CA, after you get your 1st certificate.

You don't have to pay for X.509 certificates, not for personal use anyway. Thawte issue free personal certificates, and so do CAcert.

http://www.cacert.org/

The latter publish their Root Authority PGP key on their website, which you can import to your keyring and use as a partial "bridge" across the two types of verification. For example, with their PGP key on my keyring, if I sign (locally, I cannot credit it with sufficient trust to sign with an exportable signature, since I cannot meet with them and fully verify it) their key it assigns a degree of trust to John W Moore III's key, since his key has been signed by their key already. One of my keys has been signed by Thawte (they don't do this any more - I guess for commercial reasons) so there is a partial bridge there to another system. However, the only key on my keyring which is fully trusted is Neil's, since we have met up and correctly verified our keys.

> I have yet to play a bit with gpgsm and see how well can you mix PGP and
> X.509 keys. I.e. can I use my X.509 cert to sign other people OpenPGP keys?
> Can I at least re-use the X.509 private key for my own OpenPGP key?

I haven't used gpgsm, but I have fully functional X.509 key pairs on my key ring and can sign OpenPGP keys with them. If you have a running copy of PGP on your system you can import X.509 certificates to PGP and then export them as armoured ASCII files, which you can then import straight into OpenPGP.

BTW, do you live anywhere near Pula? If so, and you can wait for another year till I make my annual visit to my friends there, we might be able to solve part of your problem with not being able to meet people to countersign any keys. The downside is, I haven't got many signatures on mine either, so it's no big deal :-(

Regards,

Bob
Re: Delete key from keyserver
On Sunday 23 October 2005 8:15 am, [EMAIL PROTECTED] wrote:
> On Sat, Oct 22, 2005 at 10:14:58PM +0100, Neil Williams wrote:
> > ? That key has NO signatures other than yourself! There's no way anyone
> > can trust it. There are NO paths.
>
> It does, look at:
> http://pks.aaiedu.hr:11371/pks/lookup?op=vindex&search=0x16DA1F1690887E13
> http://pks.aaiedu.hr:11371/pks/lookup?op=vindex&search=0x5081D08A1DC7E994

That path is circular - it leads to your "master" key, to one signature and then back to you. It doesn't lead to any keys in the strong set.

> Both are signed by my master key which in turn is signed by a friend. My
> scheme is having one "master key" and then I get people to sign that
> master key, which I in turn use to sign my other ad-hoc keys.

There is still no way the web of trust can help your key become trusted without a signature that links you into the main key sets - preferably the strong set. Compare with some of the paths from my key (including the path (v.short path) from me to Bob Henson who also replied to your query). (Hi Bob!). :-)

Bob wrote:
> The downside is, I haven't got many signatures on mine either, so
> it's no big deal :-(

You have enough for your key to be in the strong set:
http://www.cs.uu.nl/people/henkp/henkp/pgp/pathfinder/stats/31C737BD.html

The most useful thing to do for anyone seeking signatures is to join biglumber.com - it's linked into the keyserver at kjsl.com (http://keyserver.kjsl.com:11371/) which makes it very useful for following paths and working out who could be available for keysigning if you are travelling. With a biglumber listing, Bob wouldn't have had to ask on the list, he could have simply looked up the details from the keyserver output.

--
Neil Williams
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
Re: Delete key from keyserver
Albert Reiner wrote:
> P.S.: A slightly less inflammatory tone would not have harmed either.

The tone of "How come King's bum is bare!?" was, no doubt, considered inflammatory by the Court.

cdr
Re: Delete key from keyserver
On Sat, Oct 22, 2005 at 06:26:51PM +0200, B. Kuestner wrote:
> all: Joe Smith has no way of fixing the situation, even if he is
> legitimate owner of the [EMAIL PROTECTED] e-mail address.
>
> It strikes me, that GNU-supporters would bash MS (or for that reason
> any vendor of proprietary software) for dishing out once more a
> thoughtless, immature and insecure software design.
>
> I understand it must not be simple to revoke or disable keys. But it
> shouldn't be impossible either, especially in the light of anybody's
> capability to put public keys under my name on the server.
>
> Am I missing something?
>
> >It's an inherent scaling problem of the keyserver net. I've
> >seen estimates that the majority of the keys on the keyserver net are
> >not used for one reason or another, but can't be deleted. Even with
> >the garbage keys, the keyserver database isn't too large to be served
> >though.
>
> Well, my issue is not so much with the keyservers. I guess with
> faster and more hardware this scheme could be maintained for decades.
>
> But if the keyservers are not directories to look up public keys,
> then what are they? And if they are meant as directories, how good
> are they if they are flooded with garbage keys.
>
> >The PGP company is running a different sort of keyserver at
> >http://keyserver.pgp.com. This type of keyserver allows you to remove
> >keys if you can prove (by answering an email challenge) that you have
> >access to the email address on the key. This keyserver obviously does
> >not synchronize with the others, however.
>
> Can gpg use this keyserver? It is listed in the settings of my MacPG.

GPG can use this keyserver. Just set:

  keyserver ldap://keyserver.pgp.com

in your gpg.conf file (or whatever GUI you happen to be using).

> Is using this server recommendable for everybody?

This is a harder question. I would unhesitatingly recommend it for beginning users. It's also useful for any level user who wants to simplify the whole key selection process - it guarantees there is only one key per email address. If you want to mail to a particular address, there is no question which is the "right" key, as there is only the one key there.

I believe it is also the default keyserver for PGP users.

Some people do not like this server as it does email address verification (via sending a mail to the email address on the key, if any), and then signs the key. These signatures are reissued every 2 weeks or so if people keep requesting the key. The list of signatures can get long. Both PGP and GPG have features to delete the expired ones.

David
Re: Delete key from keyserver
On Sunday 23 October 2005 5:49 am, Alphax wrote:
> Neil Williams wrote:
> > The only solution to that is to get more
> > keysigning done.
>
> And to get more people using OpenPGP. Does anyone have a document called
> (eg.) "Why you should use OpenPGP" or similar? I've read the GNU Privacy
> Handbook and it's more of a HOWTO than a WHYTO.

I've got a v.v.brief one:
http://gnupg.neil.williamsleesmill.me.uk/#attachments

It's just why I use gnupg rather than a treatise on why someone else should use it. It is GFDL.

There's also general stuff here:
http://www.dclug.org.uk/linux_adm/gnupg.html

Elements of each could be combined - the FAQ isn't expressly GFDL but if it's used for GFDL material I would have no objection. If that work is sent back to me, I would also be v.happy to publish it as part of the first site, under the GFDL. :-)

Don't worry about the HTML, a plain text version crafted from these and other sources would be fine - as long as it can go under the GFDL.

> Do you have to be a Linux user to join a LUG?

No, you just have to be interested in GNU type stuff - and in most LUGs GnuPG qualifies as relevant.

> Several people who I've tried to get using OpenPGP just "don't get it"
> because it's "too hard to integrate with (email client, usually
> Mail.app)" and have gone for Thawte X.509 certificates instead. And then
> they never use them.

Bad choice of email client! :-) There are plenty of email clients that integrate gpg/pgp very easily. The resistance is not against gnupg itself but against the change of email client / problems with the existing client.

--
Neil Williams
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
Re: Delete key from keyserver
David Shaw wrote:
> On Sat, Oct 22, 2005 at 06:26:51PM +0200, B. Kuestner wrote:
>
>> all: Joe Smith has no way of fixing the situation, even if he is
>> legitimate owner of the [EMAIL PROTECTED] e-mail address.
>>
>> It strikes me, that GNU-supporters would bash MS (or for that reason
>> any vendor of proprietary software) for dishing out once more a
>> thoughtless, immature and insecure software design.
>>
>> I understand it must not be simple to revoke or disable keys. But it
>> shouldn't be impossible either, especially in the light of anybody's
>> capability to put public keys under my name on the server.
>>
>> Am I missing something?
>>
>> >It's an inherent scaling problem of the keyserver net. I've
>> >seen estimates that the majority of the keys on the keyserver net are
>> >not used for one reason or another, but can't be deleted. Even with
>> >the garbage keys, the keyserver database isn't too large to be served
>> >though.
>>
>> Well, my issue is not so much with the keyservers. I guess with
>> faster and more hardware this scheme could be maintained for decades.
>>
>> But if the keyservers are not directories to look up public keys,
>> then what are they? And if they are meant as directories, how good
>> are they if they are flooded with garbage keys.
>>
>> >The PGP company is running a different sort of keyserver at
>> >http://keyserver.pgp.com. This type of keyserver allows you to remove
>> >keys if you can prove (by answering an email challenge) that you have
>> >access to the email address on the key. This keyserver obviously does
>> >not synchronize with the others, however.
>>
>> Can gpg use this keyserver? It is listed in the settings of my MacPG.
>
> GPG can use this keyserver. Just set:
>
> keyserver ldap://keyserver.pgp.com
>
> in your gpg.conf file (or whatever GUI you happen to be using).
>
>> Is using this server recommendable for everybody?
>
> This is a harder question. I would unhesitatingly recommend it for
> beginning users. It's also useful for any level user who wants to
> simplify the whole key selection process - it guarantees there is only
> one key per email address. If you want to mail to a particular
> address, there is no question which is the "right" key, as there is
> only the one key there.
>
> I believe it is also the default keyserver for PGP users.
>
> Some people do not like this server as it does email address
> verification (via sending a mail to the email address on the key, if
> any), and then signs the key. These signatures are reissued every 2
> weeks or so if people keep requesting the key. The list of signatures
> can get long. Both PGP and GPG have features to delete the expired
> ones.
>
> David

That's not the only reason though. The PGP Global Keyserver is dangerous, as well as a nuisance, for a number of reasons. As it only shows one key on a search for a user's name, it might cause people to miss a revoked key and continue using it. Similarly, because it doesn't synchronise with other servers, such a key could be missed. My key was on there because I tried PGP 9.x and it puts it there without asking - most undesirable in itself - but at least by ignoring the requests to repeat the e-mail verification it should have been removed by now.

The "verification" is dangerous in itself, since people may rely on the server signature for trust - which is not a good idea for obvious reasons - anyone could upload a key from a particular address, and e-mail verification *alone* is of little value. If anyone *does* use it, whatever you do *don't* sign the PGP verification key, as it will impart an unwarranted trust to other keys signed with the same key.

My advice (shared by many more knowledgeable than I) would be to steer clear of it at all costs.

Regards,

Bob
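Two trust-model points in this thread, Neil's observation that a friend-signs-master-signs-ad-hoc chain is a circular path that never reaches the verifier, and Bob's warning about the verification-server signature, come down to the distinction GnuPG's classic trust model makes between a key being valid (signed by someone you trust) and a key having owner trust (its signatures count for others). The following toy model of those rules (completes-needed=1, marginals-needed=3, max-cert-depth=5) is an added example and not code from the thread or from GnuPG; the key ids V, F, M, A1, A2, GD, P, Q, R, T, X, Y, Z are constructed placeholders, not keys mentioned in the thread.

```python
from dataclasses import dataclass, field

# Owner-trust levels of the classic GnuPG trust model.
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


@dataclass
class Keyring:
    """Constructed toy keyring: who signed whom, and how much the local
    user trusts each key id to certify others (owner trust)."""
    ownertrust: dict = field(default_factory=dict)   # key id -> trust level
    sigs: dict = field(default_factory=dict)         # signed key -> {signer ids}

    def sign(self, signer, signed):
        self.sigs.setdefault(signed, set()).add(signer)

    def validity(self, marginals_needed=3, completes_needed=1, max_depth=5):
        """Return the set of key ids that are valid from the local user's view.
        A key is valid when it is signed by enough valid keys that also carry
        owner trust; signatures from keys without owner trust do not count,
        and each iteration extends the certification chain by one hop."""
        valid = {k for k, t in self.ownertrust.items() if t == ULTIMATE}
        for _ in range(max_depth):
            reached = set(valid)
            for key, signers in self.sigs.items():
                if key in reached:
                    continue
                counted = [s for s in signers if s in valid]
                full = sum(self.ownertrust.get(s) in (FULL, ULTIMATE) for s in counted)
                marginal = sum(self.ownertrust.get(s) == MARGINAL for s in counted)
                if full >= completes_needed or marginal >= marginals_needed:
                    reached.add(key)
            if reached == valid:
                break
            valid = reached
        return valid


def thread_scenario():
    """The master-key scheme from the thread: friend F signs master M, M signs
    ad-hoc keys A1 and A2, A1 signs M back. Verifier V trusts only itself."""
    kr = Keyring()
    kr.ownertrust["V"] = ULTIMATE
    kr.sign("F", "M")
    kr.sign("M", "A1")
    kr.sign("M", "A2")
    kr.sign("A1", "M")              # the circular path: back to the owner's own keys
    before = kr.validity()          # nothing links V into this cluster
    kr.sign("V", "F")               # V meets F, verifies the fingerprint, signs F
    kr.ownertrust["F"] = FULL       # and decides F certifies others carefully
    after_f = kr.validity()         # M is now valid, but M's own signatures count
    kr.ownertrust["M"] = FULL       # only once V assigns owner trust to M as well
    after_m = kr.validity()
    return before, after_f, after_m


def marginal_scenario():
    """Without a fully trusted introducer, three marginally trusted signers
    are needed before a stranger's key T becomes valid."""
    kr = Keyring()
    kr.ownertrust["V"] = ULTIMATE
    for introducer in ("P", "Q", "R"):
        kr.sign("V", introducer)
        kr.ownertrust[introducer] = MARGINAL
    kr.sign("P", "T")
    kr.sign("Q", "T")
    with_two = "T" in kr.validity()
    kr.sign("R", "T")
    with_three = "T" in kr.validity()
    return with_two, with_three


def gd_scenario():
    """A verification-server key GD signs every key whose address answered a
    challenge. Signing GD (even locally) only makes GD itself valid; the harm
    Bob warns about appears when GD is also given owner trust, because then
    every address-verified key becomes fully valid at one stroke."""
    kr = Keyring()
    kr.ownertrust["V"] = ULTIMATE
    for verified_key in ("X", "Y", "Z"):
        kr.sign("GD", verified_key)
    kr.sign("V", "GD")
    signed_only = kr.validity()
    kr.ownertrust["GD"] = FULL
    with_ownertrust = kr.validity()
    return signed_only, with_ownertrust


if __name__ == "__main__":
    print("master-key scheme:", thread_scenario())
    print("three marginals:  ", marginal_scenario())
    print("server signature: ", gd_scenario())
```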
The never-ending GD discussion, part 74 (was Re: Delete key from keyserver)
On Sun, Oct 23, 2005 at 05:16:43PM +0100, Bob Henson wrote:
> > Some people do not like this server as it does email address
> > verification (via sending a mail to the email address on the key, if
> > any), and then signs the key. These signatures are reissued every 2
> > weeks or so if people keep requesting the key. The list of signatures
> > can get long. Both PGP and GPG have features to delete the expired
> > ones.
>
> That's not the only reason though. The PGP Global Keyserver is dangerous, as
> well as a nuisance, for a number of reasons. As it only shows one key on a
> search for a user's name, it might cause people to miss a revoked key and
> continue using it.

This is a misunderstanding about the Global Directory. It does not, is not designed to, and should not give more than one key for a given email address. The GD says "This is the key. Period. There is no other key. Take this key and use it. Have A Nice Day.". The goal of the GD is specifically NOT to say, "This is the key. Here are a few more keys. Well, here's another one that the person may or may not have lost the passphrase for. Oops, found another one. And this one too. Now figure out which one, if any, you should use!"

It always amuses me that people complain bitterly about the GD storing one key per email address, but don't complain, for example, about people putting their key up on a web page. After all, they may contain only one key, and might cause people to miss a revoked key. ;)

> The "verification" is dangerous in itself, since people may rely on
> the server signature for trust - which is not a good idea for
> obvious reasons - anyone could upload a key from a particular
> address, and e-mail verification *alone* is of little value.

Completely untrue. For the huge majority of users, email verification is sufficient. The GD is one-stop shopping for them: they get a single key that points to an email address that has been checked. Sure beats 3-4 keys on the keyserver and having to parse out the web of trust to see which one to use... only to find that more than one was in the web of trust, pick one anyway, and then hope the key owner didn't lose the passphrase or just stopped using encryption.

Remember that the people who subscribe to this mailing list and have any knowledge of the web of trust are not in any way the huge majority of users. We're a minuscule blip on top of a near nothingness.

You assert that e-mail verification alone is of little value. I disagree. I challenge you to make a key with my email address and get the GD to accept it. Let me know when you succeed.

David
Re: The never-ending GD discussion, part 74 (was Re: Delete key from keyserver)
David Shaw wrote:
> On Sun, Oct 23, 2005 at 05:16:43PM +0100, Bob Henson wrote:
>>That's not the only reason though. The PGP Global Keyserver is dangerous, as
>>well as a nuisance, for a number of reasons. As it only shows one key on a
>>search for a user's name, it might cause people to miss a revoked key and
>>continue using it.
>
> This is a misunderstanding about the Global Directory. It does not,
> is not designed to, and should not give more than one key for a given
> email address.

He didn't say e-mail address, he said name. :) I just checked this for myself, and if I type in "Doug Barton" I get the key that is tied to this e-mail address, but not the other key that I have uploaded to that server. This actually explains a common complaint that I hear from PGP users about not being able to find that other key. So, this turns out to be very useful information, as I now know to tell them to search for my other key by e-mail address (which works, btw).

I can see a lot of value in the model you described David, and I agree that at least having a key where the e-mail address has been verified, on a server where users actually have the ability to remove keys, is a good thing. On the other hand, I can see that every other "Doug Barton" in the world is at a significant disadvantage here, since I got there first. :)

hth,

Doug

--
If you're never wrong, you're not trying hard enough
Re: The never-ending GD discussion,part 74
Was Sun, 23 Oct 2005, at 13:27:05 -0400, when David wrote:
> It always amuses me that people complain bitterly about the GD storing
> one key per email address, but don't complain, for example, about
> people putting their key up on a web page. After all, they may
> contain only one key, and might cause people to miss a revoked key. ;)

Well, obviously there is no "perfect" "key carrier" around. (-;

If the key could be uploaded (it's as for the "key servers") in an _authorized_ fashion (which is an elementary thing for a server dealing with security/privacy), we wouldn't have to face all these problems and annoyances around. If someone wants a _public_ key serv{er|ice}, then such a service should provide decent standards first.

GD cannot store more than one key per e-mail address (which is a sort of authorization) and this is at the same time a weakness and a good thing. What if I use several keys with the same address (and the name of mine of course) but with different "info" parts denoting the various purposes of the keys?

As for keeping a key on a web page, there is no chance that we could miss a revoked key, if we are into reasons why someone is keeping them this way: the very first thing will be that we'll go to this web page to check for any updates, and not to the public key servers. It turns out that this way is even the best one (so far; and in the "category" of the worldwide scattering of the keys): you can't upload any key without authorization, and you can upload as much of them as you want/need. No reason to complain. As to the other key serv{er|ant}s. Aside from this, though, you can't know who has your key(s).

Different categories of keys I suppose have different methods of de|livery.

--
Mica

PGP keys nestled at: http://blueness.port5.com/pgpkeys/
~~~
For personal mail please use my address as it is *exactly* given in my "From|Reply To" field(s).
~~~
Never eat more than you can lift. (Miss Piggy)
Re: The never-ending GD discussion, part 74 (was Re: Delete key from keyserver)
On Sun, Oct 23, 2005 at 12:41:45PM -0700, Doug Barton wrote:
> David Shaw wrote:
> > On Sun, Oct 23, 2005 at 05:16:43PM +0100, Bob Henson wrote:
> >>That's not the only reason though. The PGP Global Keyserver is dangerous, as
> >>well as a nuisance, for a number of reasons. As it only shows one key on a
> >>search for a user's name, it might cause people to miss a revoked key and
> >>continue using it.
> >
> > This is a misunderstanding about the Global Directory. It does not,
> > is not designed to, and should not give more than one key for a given
> > email address.
>
> He didn't say e-mail address, he said name. :) I just checked this
> for myself, and if I type in "Doug Barton" I get the key that is
> tied to this e-mail address, but not the other key that I have
> uploaded to that server. This actually explains a common complaint
> that I hear from PGP users about not being able to find that other
> key. So, this turns out to be very useful information, as I now know
> to tell them to search for my other key by e-mail address (which
> works, btw).

You always need to search the GD by email address. Name searches don't make sense there, as the GD only verifies the email address. The name on the key is essentially a comment, with no more meaning than any other comment. It's a consequence of the design to handle automated encryption - in that case, an email address may be all you have to work with.

In any event, name or email address, the concern with missing a revoked key is sort of a non sequitur as the GD doesn't store revoked keys in the first place.

> I can see a lot of value in the model you described David, and I agree that
> at least having a key where the e-mail address has been verified, on a
> server where users actually have the ability to remove keys, is a good
> thing. On the other hand, I can see that every other "Doug Barton" in the
> world is at a significant disadvantage here, since I got there first. :)

Not necessarily. If another Doug Barton comes along, he could just as easily bump you out.

David
Re: Delete key from keyserver
> Am I missing something?
>
> The web of trust. (And the documentation, apparently.)

Okay. I got that by now.

I think the problem was that MacGPG makes it really easy to get started with GPG: There's a plug-in that integrates nicely with Apple's Mail. And the Keychain Assistant lets you do all the key creation and uploading things easily. That's great. That's a start to get people actually using GPG.

But then unlike the command line tools the software does not recommend to make a backup copy of your private key. It does not recommend to make a hard copy of your key. It does not recommend to create a revocation certificate. It also does not explain that downloading a public server means that this key can be trusted. That of course is a not so good start to get people actually using GPG.

In my case, there was also a bug: When I tried to delete a key I didn't want, up came a cryptic error message. So after a while since I had just been playing around after all, I thought I'd just delete my keychain and start from scratch. Did that twice actually for the same reason. And that's how I lost those private keys.

Anyway, regarding MacGPG, it's a great software even at 0.3.x. I can only commend the creators for the effort they have put into it so far.

Now to prevent that others get bitten like I was I will suggest to the authors that they build recommended practices into the software. So after creating a key it could prompt the user to export a copy, print a hard copy and create a revocation certificate. The deletion error could be fixed, and before deleting a key, the software could warn of the implications and advise to create a backup copy first somewhere else. Before uploading to a server it could explain the implications of that. And before downloading a key it could again explain some more of the meaning.

> P.S.: A slightly less inflammatory tone would not have harmed either.

You're absolutely right. It wasn't meant to be inflammatory, nor was I in an angry mood or something. I was trying to be straight-forward with my reasoning. But after rereading my post when it came back I bit my lip and felt offended by my own words. Ouch!

So, please, if somebody took offense at my post, it really was not meant like that. My apologies.

Björn
Re: Delete key from keyserver
> I suggest that you seriously check out Big Lumber at www.biglumber.com

Thanks John. I will.

Regarding my personal web of trust: I get a clearer picture now and for starters I'll exchange keys directly with my friends.

As for the "unwanted keys" for my e-mail address. At least for now I know that I was the one who put them there. So if somebody uses them to encrypt messages (because he or she thinks like I did that any public key with the right e-mail address assigned to it is good enough), it's not like someone unauthorized would be able to read these messages. Nobody can read them. That's only semi-bad, not really bad, if you know what I mean. (c:

Coming as a newbie to all of this, I'd say there's a long way to go until this whole thing is ready for my Mom to use it. And I think that's what we eventually want to do, right? That encrypted messaging becomes the norm, not the exception.

Björn