
Re: signing mails using gnupg



Hi

On Wed, Nov 13, 2002 at 02:58:38PM +0530, Sandip P Deshmukh wrote:
> hello all
> 
> i have installed gnupg and will like to sign my mails.
> 
> now, i have read gnupg documentation as well as mutt documentation.

Good!

> however, considering the security aspects, i will like to verify my
> understanding before i actually go out and sign my messages.
> 
> here is what i have done successfully:
> 
> generated a key pair for myself
> 
> i can already see some signatures when i issue gpg --list-keys

That will probably be the standard self-signatures.

> now, what do i have to do so that:
> 
> i can sign all outgoing messages automatically?
> 
> i know i have to modify .muttrc but there is a section on pgp and not
> on gnupg. can i use the same command?

Yep.

You should be able to just add:
    set pgp_autosign
somewhere in .muttrc

There are loads of other settings as well, but the default mutt config
is quite sensible - it defaults to gnupg. If in doubt, check
/etc/Muttrc.

> is there a risk of someone else compromising my public/ private key?
>
> what care do i have to take?

That depends entirely on the security of your box. Or more precisely:
whether $HOME/.gnupg/secring.gpg is secure.

So normal security precautions apply. E.g. if it is a laptop, and it
gets stolen, you should assume that the key has been compromised. 

Nevertheless, choose a good passphrase on your key - not just a
passWORD. Some obscure mixed-language sentence with punctuation marks
and digits scattered around will probably do nicely.

apt-get install gnupg-doc and point your browser to:

    http://localhost/doc/gnupg-doc/GNU_Privacy_Handbook/html/wise.html#AEN494

explains it better than me.

> lastly, how do i make sure that users who receive my signed messages
> can actually verify my signature?

two things:

a)  They must have access to your public key. This is usually done by
    uploading your key to one (or several) of the many keyservers
    around.  $HOME/.gnupg/options should list a couple by default
    (commented out IIRC).

b)  They must trust that you are actually the keeper of the
    corresponding secret key. This means physically meeting people and
    collecting signatures on your key from other people (web-of-trust).
    This is the hard and time-consuming bit...

HTH
-- 
Karl E. Jørgensen
karl@jorgensen.com        http://karl.jorgensen.com
==== Today's fortune:
Optimization hinders evolution.

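An added check for the "is secring.gpg secure" point in the reply above, written here as an example and not taken from the thread: a POSIX sh script that reports whether the GnuPG home directory and the secret keyring are readable by their owner only. The function names are my own, and gpg itself is not needed to run it.

```shell
#!/bin/sh
# Added example (not from the original thread): reduce the "is
# $HOME/.gnupg/secring.gpg secure" question to the file-permission part
# of it. Assumes a POSIX sh with ls and cut; does not need gpg.

# Print the 9-character permission string (e.g. rwx------) of a path.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 if the path has no group/other permission bits, 1 otherwise.
owner_only() {
    case "$(perm_string "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Check a GnuPG home directory ($1, default $HOME/.gnupg):
#  - the directory itself must be owner-only (mode 700)
#  - secring.gpg (GnuPG 1.x / 2.0) must be owner-only if present
#  - private-keys-v1.d (GnuPG 2.1+ secret key store) must be owner-only if present
# Prints one line per problem; returns the number of problems (0 = all good).
check_gnupg_perms() {
    dir="${1:-$HOME/.gnupg}"
    problems=0
    if [ ! -d "$dir" ]; then
        echo "no GnuPG home directory at $dir"
        return 1
    fi
    owner_only "$dir" || {
        echo "$dir is not mode 700 ($(perm_string "$dir"))"
        problems=$((problems + 1))
    }
    for f in "$dir/secring.gpg" "$dir/private-keys-v1.d"; do
        [ -e "$f" ] || continue
        owner_only "$f" || {
            echo "$f is readable by group/others ($(perm_string "$f"))"
            problems=$((problems + 1))
        }
    done
    return "$problems"
}

# Run against the default location when executed directly.
check_gnupg_perms "$@" || echo "check_gnupg_perms: problem(s) found"
```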