
Re: retrieving gpg-keys



G'day Jens,

* Jens Kubieziel <mutt-user@xxxxxxxxxxxx> [041107 10:10]:
> > Go to for ex. pgp.mit.edu or add this line to your ~/.gnupg/options file 
> > keyserver pgp.mit.edu
> 
> I use random.sks.keyserver.penguin.de or subkeys.pgp.net as keyserver
> and auto-key-retrieve is set. However it doesn't seem to work.

Big hint here... RTFM for GnuPG.  auto-key-retrieve is described as:
        This option enables the automatic retrieving of
        keys from a keyserver when verifying signatures
        made by keys that are not on the local keyring.

Spoiler: What you are asking for is NOT built in to mutt.  You might be 
able to hack something together, but do you really want to?

To get someone's (Open-)PGP key, you need to know somewhere to get it 
from.  You seem to trust a couple of web sites so either use their web 
interfaces or read the GnuPG man page to see if there is a way to do it 
from the command line.  Of course the other option is to mail the person 
who you want to converse with and ask for the key to be sent to you.

Doing this sort of preemptive key retrieval is bad on sooooo many levels.  
Firstly there is the network overhead.  How many people actually use 
Open-PGP?  Not many.  So you will be thrashing the network every time you 
want to email a person who doesn't have a key (if you don't care about 
your network, think about the nice souls who have put up the key servers).  

The second major problem is the security aspect.  Having a key listed on 
one of the key servers means NOTHING.  There is no guarantee that a key 
that is listed as belonging to yourfriend@xxxxxxxxxxxx has anything to do 
with that person.  The security in Open-PGP comes from the Web of Trust - 
and then the source of the key becomes irrelevant.  That is why I said 
mail the person for their key.  If they (and you) are in the WoT then you 
can get their key directly and even then an attempted attack will fail 
(gross generalisation but true at some level).

Sorry for not helping with your problem, but hopefully you understand why 
it is a somewhat bad idea.


Cheers,

S.
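As an added illustration of the trust point made above (example code written for this archive page, not from the thread or from GnuPG itself): a small parser for `gpg --status-fd` output that separates "the signature is mathematically good" (GOODSIG) from "the key is reachable through the Web of Trust" (TRUST_FULLY / TRUST_ULTIMATE). A key that was only fetched from a keyserver typically yields GOODSIG together with TRUST_UNDEFINED, which this check refuses to treat as verified. The status lines, key id, address and fingerprint below are constructed, not captured from a real run.

```python
import re

# Constructed sample of `gpg --status-fd 1 --verify` output: a signature
# made by a key that was auto-retrieved from a keyserver. GnuPG reports
# GOODSIG (the crypto checks out) but TRUST_UNDEFINED (no WoT path to it).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF yourfriend@example.org
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2004-11-07 1099821000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Only these trust levels mean the key is vouched for by your Web of Trust.
# TRUST_MARGINAL is deliberately left out: treat it as "untrusted" unless
# your own policy says otherwise.
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Keywords that mean the signature itself could not be verified.
FAILED_SIG = {"BADSIG", "ERRSIG", "NO_PUBKEY"}

STATUS_RE = re.compile(r"\[GNUPG:\] (\S+)(?: (.*))?")


def classify(status_text):
    """Return (verdict, fingerprint_or_None) for one gpg status stream.

    'trusted'   : good signature AND key reachable via the Web of Trust
    'untrusted' : good signature but no trust path (e.g. keyserver-only key)
    'bad'       : signature missing, unverifiable, or from an unknown key
    """
    good = False
    trust = None
    fingerprint = None
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # ignore anything that is not a status line
        keyword, rest = m.group(1), m.group(2) or ""
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            fingerprint = rest.split()[0]  # first field is the signing key fpr
        elif keyword in FAILED_SIG:
            return "bad", None
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not good:
        return "bad", None
    if trust in TRUSTED_LEVELS:
        return "trusted", fingerprint
    return "untrusted", fingerprint
```

The same check applied to real output is just `gpg --status-fd 1 --verify msg.asc | python3 -c '...'`; the point is that a pipeline accepting anything short of `trusted` is accepting whatever the keyserver handed out.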
