Re: i think my gpg is setup correctly..



Re: i think my gpg is setup correctly.. ["[jacob]" <jacob@xxxxxxxxxxxxxxx>, 
Tue, Oct 21, 2003 at 12:40:09AM -0500, <20031021054009.GH14755@xxxxxxxxxxxxxxx>]
>    i think that i have my gpg setup correctly, and i got the lines for my
> .muttrc from : http://codesorcery.net/mutt/mutt-gnupg-howto.  i guess i just
> want to know if it looks correct :)

It does.

> actually, i did have a few questions.  i
> have seen people including links to their pubkey in headers (which i am
> attempting to do) and i have also seen people just post their key num (i
> think that is what it is) or fingerprint in their sig (like i did below).
> why is this exactly?  is it possibly because they could have multiple keys
> out there and they want you to know which to validate against?  i also exported

There are two reasons for doing so: First, to enable other people to get
your key. In practice, the keyid (plus a key server) should be enough
for that, but there are keyids with several keys (try 0xDEADBEEF ;-).
You could use the long, 8-byte keyid in that case. As gpg can
automatically download keys from keyservers, this doesn't make that much
sense, and a URL where you keep an ASCII file with your key is probably
better.

Second, people could try to "sign" the message by including the
fingerprint (which is -in contrast to the keyid- believed to be secure).
But that's nonsense, as the message is already gpg-signed, and just
including your fingerprint won't convince me at all that the key
actually belongs to the person you are claiming to be.

In conclusion, remove the gpg stuff from your sig, and include an
X-PGP-something header pointing to your homepage or a keyserver if you
want to.

> my key to a keyserver the other day, can anyone verify that out there?  when

My gpg automatically downloaded it from there upon reading your mail.

> i read people's mail that is signed, it almost always says "can't verify" is
> that because i don't have their key on my keyring (or that i don't have mutt
> configured to auto grab / attempt from a keyserver)?  sorry for the lame

echo "keyserver-options auto-key-retrieve verbose" >> .gnupg/gpg.conf

Christoph
-- 
Christoph Berg <cb@xxxxxxxxxxxxxxxx>, http://www.df7cb.de/
Wohnheim D, 2405, Universität des Saarlandes, 0681/9657944

Attachment: signature.asc
Description: Digital signature
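
Added example, not part of the original message: how the short keyid, the long 8-byte keyid and the fingerprint discussed in the reply relate for a version 4 OpenPGP key (RFC 4880), and why a short keyid can match several keys while a longer reference narrows the match. The toy key, the sample fingerprints and the helper names are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (algorithm id 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, 2-byte body length, packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def long_keyid(fpr: str) -> str:
    """Long keyid: the low-order 64 bits (last 8 bytes) of the fingerprint."""
    return fpr[-16:]

def short_keyid(fpr: str) -> str:
    """Short keyid: the low-order 32 bits (last 4 bytes) of the fingerprint."""
    return fpr[-8:]

def resolve(ref: str, keyring: list[str]) -> list[str]:
    """Return every fingerprint in keyring that the reference could mean."""
    ref = ref.upper().removeprefix("0X").replace(" ", "")
    if len(ref) not in (8, 16, 40):
        raise ValueError("expected a short keyid, long keyid or fingerprint")
    return sorted(f for f in keyring if f.endswith(ref))

# Constructed toy key (far too small to be real), only to show the derivation.
TOY_FPR = fingerprint(v4_rsa_key_body(1066714809, 0xC0FFEE1234567, 65537))

# Constructed fingerprints: two of them share the short keyid DEADBEEF.
KEYRING = [
    "A" * 24 + "11111111" + "DEADBEEF",
    "B" * 24 + "22222222" + "DEADBEEF",
    "C" * 24 + "33333333" + "0BADF00D",
]

if __name__ == "__main__":
    print(TOY_FPR, long_keyid(TOY_FPR), short_keyid(TOY_FPR))
    for ref in ("0xDEADBEEF", "0x22222222DEADBEEF", KEYRING[2]):
        print(ref, "->", resolve(ref, KEYRING))
```

A reference that resolves to more than one fingerprint should be treated as ambiguous and checked against the full fingerprint obtained through a separate channel.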