On 1/20/2012 3:15 PM, Chris Poole wrote:
> Since it's now recommended (to my knowledge) to use 2048-bit keys and
> above, how does having a 1024-bit keypair affect me?
It depends entirely on what you're doing with it. Breaking a 1024-bit
key is within the realm of possibility for a ridiculously w
On Sat, Jan 21, 2012 at 10:50:11PM +0100, Gregor Zattler wrote:
> IMHO by signing a key you make a statement about the connection
> between a person or owner and the user id you sign, saying "I
> somehow convinced myself that user owns this key". This only
> makes sense if you have some insight in
On Sat, Jan 21, 2012 at 02:47:25PM -0500, Thomas Harning Jr. wrote:
> That process seems pretty reasonable, assuming the CA is reputable. Even
> better if you keep track of the SSL cert to keep track of breaches and the
> like.
The idea is only to casually trust that a key belongs to a person. If
On Sat, 14 Jan 2012 18:39:16 +, gn...@lists.grepular.com wrote:
> Is there a simple howto for getting ssh authentication working with
> GnuPG v2? I've used gpgkey2ssh to get the public key and added it to
> authorized_keys, but I don't know what I'm supposed to do on the ssh
> client end? gpg-a
On Jan 21, 2012, at 10:12 AM, Aaron Toponce wrote:
> What are your thoughts on using root CAs as a trusted 3rd party for
> trusting that a key is owned by whom it claims? Of course, this is merely
> for casual checking, but it seems to be "good enough".
As far as I can see the only checking CAs d
On Saturday, 21 January 2012, 19:12:15, Aaron Toponce wrote:
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>
> * A PGP key was signed by an SSL certificate that was signed by a root
> CA
> * I verified that the signature was ind
Hi Aaron, gnupg users,
* Aaron Toponce [21. Jan. 2012]:
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>
> * A PGP key was signed by an SSL certificate that was signed by a root
> CA
> * I verified that the signature was indeed
On 1/21/2012 8:58 AM, MFPA wrote:
> Those 11 people have denied you the opportunity to see exactly what
> they are adding to your key before publishing it. (That may generally
> be seen as trivial, but it matters to me.)
It's less than trivial: it's a complete nonissue.
If they want to mess with
On Jan 21, 2012 1:13 PM, "Aaron Toponce" wrote:
>
> I just signed an OpenPGP key with cert level 0x12 (casual checking) given
> the following scenario:
>
> * A PGP key was signed by an SSL certificate that was signed by a root
> CA
> * I verified that the signature was indeed from that
I just signed an OpenPGP key with cert level 0x12 (casual checking) given
the following scenario:
* A PGP key was signed by an SSL certificate that was signed by a root
CA
* I verified that the signature was indeed from that root CA.
* I stripped the signature, and imported the PG
On Friday, 20 January 2012, 21:15:29, Chris Poole wrote:
> The encryption and signing is still being done by the subkeys, so is
> it simply that they're signed by the parent 1024-bit key, and this key
> is easier to fake?
Yes. If the main key is compromised then
a) certifications for other key
On 2012-01-21 14:58, MFPA wrote:
> More importantly, they are signing UIDs that may well contain email
> addresses, without actually verifying that you "control" those email
> addresses.
Rather, that you "can read an email which they sent that was addressed
to that" email address.
But I do agree
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi
On Thursday 19 January 2012 at 1:38:37 AM, in
, Phil Benchoff wrote:
> I think a lot about what signature classes are
> appropriate for what situations and similar pedantry,
> but the current state of practice needs help at a more
> fundamenta
13 matches