Re: Do you auto fetch GPG keys?
When reading your message and also some other encrypted message,
why it shows "PGP signature could NOT be verified.".
Is it the normal situation?
Thank you.
Ye Fei
On 2006-06-15, Ren? Clerc (rene@xxxxxxxx) wrote:
> Hi Chris,
>
> Some small, SIMPLIFIED, remarks on this subject..
>
> * Chris Willard <chris@xxxxxxxxxxxxxxxxx> [15-06-2006 21:30]:
>
> > There seem to be 2 opinions regarding the automatic downloading of keys
> > from key servers. Some say that it is OK and others think that it is a
> > security risk!
>
> Security risk? Nahh..
>
> > From what I understand if I download a key then I know that a message I
> > receive has been signed or encrypted by the key but I can not be sure
> > that the key is from the person due to man in the middle attacks?
>
> Indeed, you cannot be sure. That's why you need to be careful to
> attach any significance to the signature..
>
> > From what I have read it is OK to download but then to be sure that the
> > key is actually from the intended recipient we need to confirm our key
> > fingerprints.
>
> This is true. Then you can be (more) sure that the key belongs to the
> person you thought it belongs.
>
> > Any opinions on these would be appreciated as I am not sure to download
> > keys or not at the moment!
>
> The main reason I stopped auto-importing keys is the fact that the
> signature from an unknown person with a certain key doesn't have any
> value to me, IN COMBINATION with the fact that my keyring was growing
> tremendously -- for no real security reason.
>
> --
> Ren? Clerc - (rene@xxxxxxxx) - PGP: 0x9ACE0AC7
>
> A gal is like a race horse - I play her to win.
> But if I should loose her, another may come in.
> -Dean Martin