
Re: about pgp-signed messages



On Tue, Nov 04, 2003 at 01:33:21PM -0500, David Yitzchak Cohen wrote:
> On Tue, Nov 04, 2003 at 12:43:44PM -0500, Rouben Rostamian wrote:
> 
> > I have not experimented with pgp-signing mainly because I am not quite
> > convinced of its value in casual communications, such as messages sent
> > to this, or any other, mailing list.
> 
> When some spammer starts sending all sorts of crap to a list you're on
> claiming to be you, you may rapidly become convinced of its value.

I am one who definitely sees its value, but I'm rather new to GPG and
I'm having some trouble with the automatic key fetching function in Mutt
(see further down).

> > On the other hand, I find signed messages annoying.  I don't have
> > any of senders' public keys -- this is an international forum, after
> > all -- so pgp verification always fails.
> 
> Well, you can set GPG to automatically fetch keys, or you can manually fetch 
> keys you care about (which is what I do, with a handy little script).

How does this actually work? I have my pgp_getkeys_command set to:

gpg --keyserver hkp://wwwkeys.pgp.net --recv-keys %r

Should this work, provided that the sender of the signed email I'm
reading has its public key exported to this server (or any other? how
does HKP work?). And also, in your mail (the one I'm replying to now) I
see these headers:

X-GPG-Key: http://www.bigfatdave.com/dave/public.key
X-GPG-Key-Direct-Link: http://67.81.72.42:8000/dave/public.key
X-GPG-Key-Old-Location1: http://www.dave.tj/dave/public.key
X-GPG-Key-Old-Location2: http://www.dave.tj:8080/dave/public.key
X-GPG-Key-Old-Location3: http://www.dave.tj:8000/dave/public.key
X-GPG-Notice: Remember: if it ain't signed, don't assume I sent it!

Verification of your signature fails on my setup. How can I tell Mutt to
download your public key from the URL specified by the X-GPG-Key-Direct-Link
header and import it into my keyring? I've looked through the online
manual, but can't see anything about these headers, maybe I'm missing
something.

Sincerely,
Aron Stansvik


PS. Could you successfully verify the signature of this email? I have
exported my public key to hkp://wwwkeys.pgp.net. DS.

--
unemployed

Attachment: pgpl3EVxcQNFh.pgp
Description: PGP signature
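
Added example, not part of the original message or of Mutt: one way to handle the X-GPG-Key* headers asked about above, assuming they are only a sender-side convention carrying a key URL. The function names gpg_key_urls and preview_key and the sample message are hypothetical; gpg --fetch-keys needs a GnuPG version that provides it.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the URLs found in X-GPG-Key* headers of a message on stdin.
# Scans the header block only (stops at the first blank line), ignores
# header-name case, and accepts http/https URLs only. Folded
# (continued) header lines are not handled.
gpg_key_urls() {
    awk '
        /^\r?$/ { exit }                        # end of header block
        tolower($0) ~ /^x-gpg-key[a-z0-9-]*:/ {
            sub(/^[^:]*:[ \t]*/, "")            # drop the header name
            sub(/[ \t\r]+$/, "")                # drop trailing space/CR
            if ($0 ~ /^https?:\/\/[^ \t]+$/) print
        }
    '
}

# Fetch one URL into a throwaway GnuPG home and list what it contains,
# so the fingerprint can be checked before touching the real keyring.
preview_key() {
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --quiet --fetch-keys "$1" &&
        gpg --homedir "$tmp" --fingerprint
    status=$?
    rm -rf "$tmp"
    return "$status"
}

# Constructed sample message (example.org and 192.0.2.10 are reserved).
sample_message() {
    cat <<'EOF'
From: alice@example.org
Subject: constructed sample
X-GPG-Key: http://keys.example.org/alice/public.key
x-gpg-key-direct-link: http://192.0.2.10:8000/alice/public.key
X-GPG-Key-Old-Location1: ftp://keys.example.org/alice/public.key
X-GPG-Notice: not a URL

X-GPG-Key: http://body.example.org/ignored.key
EOF
}

# Offline demo: prints the two accepted URLs.
sample_message | gpg_key_urls
```

A key fetched over plain HTTP from a URL named in an unsigned header says nothing about who owns it, so compare the fingerprint printed by preview_key with one obtained through another channel before importing the key into the real keyring.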