
Things we should know about PGP

If this discussion can't be stopped, then perhaps we can make it a
useful thread, by not talking about how to behave or not to behave on a
mailing list, and by not talking about whether we want signed emails or not.

When the subject was "gpg/pgp noise" Jon Dowland wrote: "I clearly
explained that his key was signed by another he owned, which in turn was
signed by *someone else entirely*."

A chain of unsigned keys for one and the same person, with one key at
the end of this chain that is signed by one person only, or even by enough
persons, is useless. This isn't the correct way to sign a
key, since it's neither secure nor handy.

You will handle the key directly through a web of trust, not through a chain of
your own keys, and not signed by one person only. You can do this by visiting
parties where this is done.

OTOH, when do you really need signing? More likely is that you will
encrypt mails, e.g. to ensure that if you write to a family with young
children, using the same computer, only the parents can read mails with
contents that aren't good for children. In such a case it's not needed
to ensure that the key is trusted. It's only important that the parents
know how to decrypt and the children don't. This anyway prevents
manipulation of the mail's content, without signing.

If you really need security, then you need to take care of many
things when using PGP. I only use OpenPGP from time to time, to ensure that
just a specific person can read this mail, but not to be completely
secure. I don't need knowledge about how to handle PGP correctly, and I
don't have this knowledge.

Seemingly some people have completely wrong perceptions about e.g.
signing a key.

Instead of having something similar to a flame-war, some useful
information belongs on this list.

- Ralf