Re: i think my gpg is setup correctly.. ["[jacob]" <jacob@xxxxxxxxxxxxxxx>, Tue, Oct 21, 2003 at 12:40:09AM -0500, <20031021054009.GH14755@xxxxxxxxxxxxxxx>] > i think that i have my gpg setup correctly, and i got the lines for my > .muttrc from : http://codesorcery.net/mutt/mutt-gnupg-howto. i guess i just > want to know if it looks correct :) It does. > actually, i did have a few questions. i > have seen people including links to there pubkey in headers (which i am > attempting to do) and i have also seen people just post their key num (i > think that is what it is) or fingerprint in their sig (like i did below). > why is this exactly? is it possibly because they could have multiple keys > out there and they want you to know which to valide against? i also exported There are two reasons for doing so: First, to enable other people to get your key. In practice, the keyid (plus a key server) should be enough for that, but there are keyids with several keys (try 0xDEADBEEF ;-). You could use the long, 8-byte keyid in that case. As gpg can automatically download keys from keyservers, this doesn't make that much sense, and an URL where you keep an ASCII file with your key is probably better. Second, people could try to "sign" the message by including the fingerprint (which is -in contrast to the keyid- believed to be secure). But that's nonsense, as the message is already gpg-signed, and just including your fingerprint won't convince me at all that the key actually belongs to the person you are claiming to be. In conclusion, remove the gpg stuff from your sig, and include a X-PGP-something header pointing to your homepage or a keyserver if you want to. > my key to a keyserver the other day, can anyone verify that out there? when My gpg automatically downloaded it from there upon reading your mail. > i read people's mail that is signed, i almost always says "can't verify" is > that because i don't have their key on my keyring (or that i don't have mutt > configured to auto grab / attempt from a keyserver)? sorry for the lame echo "keyserver-options auto-key-retrieve verbose" >> .gnupg/gpg.conf Christoph -- Christoph Berg <cb@xxxxxxxxxxxxxxxx>, http://www.df7cb.de/ Wohnheim D, 2405, Universität des Saarlandes, 0681/9657944
Attachment:
signature.asc
Description: Digital signature