Hi

On Wed, Nov 13, 2002 at 02:58:38PM +0530, Sandip P Deshmukh wrote:
> hello all
>
> i have installed gnupg and will like to sign my mails.
>
> now, i have read gnupg documentation as well as mutt documentation.

Good!

> however, considering the security aspects, i will like to verify my
> understanding before i actually go out and sign my messages.
>
> here is what i have done successfully:
>
> generated a key pair for myself
>
> i can already see some signatures when i issue gpg --list-keys

That will probably be the standard self-signatures.

> now, what do i have to do so that:
>
> i can sign all outgoing messages automatically?
>
> i know i have to modify .muttrc but there is a section on pgp and not
> on gnupg. can i use the same command?

Yep. You should be able to just add:

    set pgp_autosign

somewhere in .muttrc. There are loads of other settings as well, but the
default mutt config is quite sensible - it defaults to gnupg. If in doubt,
check /etc/Muttrc.

> is there a risk of someone else compromising my public/ private key?
>
> what care do i have to take?

That depends entirely on the security of your box. Or more precisely:
whether $HOME/.gnupg/secring.gpg is secure. So normal security precautions
apply. E.g. if it is a laptop, and it gets stolen, you should assume that
the key has been compromised.

Nevertheless, choose a good passphrase on your key - not just a passWORD.
Some obscure mixed-language sentence with punctuation marks and digits
scattered around will probably do nicely.

    apt-get install gnupg-doc

and point your browser to:
http://localhost/doc/gnupg-doc/GNU_Privacy_Handbook/html/wise.html#AEN494
explains it better than me.

> lastly, how do i make sure that users who receive my signed messages
> can actually verify my signature?

Two things:

a) They must have access to your public key. This is usually done by
   uploading your key to one (or several) of the many keyservers around.
   $HOME/.gnupg/options should list a couple by default (commented out IIRC).

b) They must trust that you are actually the keeper of the corresponding
   secret key. This means physically meeting people and collecting
   signatures on your key from other people (web-of-trust). This is the
   hard and time-consuming bit...

HTH
--
Karl E. Jørgensen
karl@jorgensen.com
http://karl.jorgensen.com
==== Today's fortune:
Optimization hinders evolution.
Attachment:
pgp0cXYv2s__a.pgp
Description: PGP signature
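The reply ties the safety of the key to whether $HOME/.gnupg/secring.gpg is secure. The script below is an added example, not part of Karl's mail or of GnuPG: it audits the permission bits of a GnuPG home directory, flagging the directory if it is not owner-only and any regular file inside it that grants group or other any access. The function names (mode_of, check_gnupg_perms, demo) are my own, and the check assumes the GnuPG 1.x layout the mail names, with secring.gpg sitting directly under the directory; the demo runs on constructed temporary directories and never touches a real keyring.

```shell
#!/bin/sh
# Added example (not from the original mail): audit the permission bits of a
# GnuPG home directory. Assumes the GnuPG 1.x layout ($HOME/.gnupg/secring.gpg)
# and inspects only mode bits, nothing else.

# Print the 10-character mode field of a path (e.g. drwx------). ls -ld is
# used because the stat flags differ between GNU and BSD systems.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_gnupg_perms DIR
# Returns 0 when DIR and every regular file directly inside it grant no
# permission bits to group or other; otherwise reports each offender on
# stderr and returns 1. A missing directory is an error as well.
check_gnupg_perms() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 1
    fi
    m=$(mode_of "$dir")
    case "$m" in
        d???------) ;;                      # owner-only directory: fine
        *) echo "WARN: $dir is $m, expected drwx------" >&2; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue             # skip subdirectories and no-match
        fm=$(mode_of "$f")
        case "$fm" in
            -???------) ;;                  # owner-only file: fine
            *) echo "WARN: $f is $fm, expected -rw-------" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demonstration on constructed directories: one laid out the way gpg creates
# it, one with a world-readable directory and keyring.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 700 "$tmp/good" "$tmp/bad"
    : > "$tmp/good/secring.gpg"; chmod 600 "$tmp/good/secring.gpg"
    : > "$tmp/bad/secring.gpg";  chmod 644 "$tmp/bad/secring.gpg"
    chmod 755 "$tmp/bad"
    check_gnupg_perms "$tmp/good" && echo "good: ok"
    check_gnupg_perms "$tmp/bad"  || echo "bad: problems found"
    rm -rf "$tmp"
}

demo
```

Run it as a regular user with `sh check-gnupg-perms.sh`; to audit your own directory call `check_gnupg_perms "$HOME/.gnupg"` instead of `demo`. The check looks only at the top level of the directory, so on a GnuPG 2.1 or later installation, where secret keys live in the private-keys-v1.d subdirectory, that subdirectory would need the same treatment; gpg itself also prints an "unsafe permissions on homedir" warning when the directory is group- or world-accessible, which this script makes checkable from a cron job or login script.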