[ Date Index ][
Thread Index ]
[ <= Previous by date / thread ] [ Next by date / thread => ]
On Tuesday 04 Nov 2003 8:33 pm, Brad Rogers wrote: > On Tue, 4 Nov 2003 18:10:46 +0000 > Neil Williams <linux@xxxxxxxxxxxxxx> wrote: > > Hello Neil, > > To retrieve keys automatically, go to the ~/.gnupg/ folder and look > > I always worry about auto key retrieval; Certainly, for most things, > it's fine, but when dealing with truly sensitive data, proof of key > validity is an absolute must. With auto-retrieve, I can't a high enough That is true, however, by retrieving the key from a keyserver you aren't validating the key, only the signature made by the key. To validate a key I need to exchange key fingerprints with photoID and email correspondence : i.e. a full keysigning protocol, the full procedure is in the keysigning FAQ on www.dclug.org.uk and it's quite involved. Proof of key validity is mandatory before I sign someone's key. But that is NOT the same as verifying a signature on an email or tarball. I'm lucky that I've been able to get my key signed by Phil Brooke, Simon Waters and Kai Hendry and latterly a few debian/KDE developers from Linux Expo and this has tied my key (and therefore most of the DCLUG keyring) into the 'strong set' of keys. It means that most GnuPG signatures on package tarballs can be verified and trusted via my settings in the web of trust. I trust Phil, he trusts Philip Hands (who I also met at Expo) and so on. That does not mean that I can sign a key just because Phil Brooke has signed it - it just means that I decide how far I can trust Phil Hands by how much I trust Phil Brooke. How far you go with the web of trust is an entirely personal decision. By validating a signature I am not validating the content - merely confirming that it has not been tampered during transit and that a genuine key has been used to sign it. The validity of the key is entirely separate and can only be decided using key signatures - the web of trust. (The validity of the content comes from the validity of the key not just the validity of the signature.) If you don't download the public key of the correspondent, what is the point of using GnuPG for your own emails? (I do sign email, you don't, no odds - it's all about choice and preference.) > trust level for it to be worth it. Yes you can - don't confuse trust with validity. Trust in a key is trusting that the key really belongs to the physical person specified - something that can ONLY be achieved using keysigning protocols (in which I include the web of trust although you might not). If the data is sensitive then it should be encrypted, not just signed. Only then does trust become of critical importance because I will not encrypt a reply to an encrypted email if GnuPG cannot trust the sender's key. > I know, I know; I'm overly cynical and pessimistic. Not at all, but just be clear on what auto-retrieve is about: 1. It does NOT have any role in key validity = trust. That comes later. 2. It is the simplest way of getting an up to date key for an unknown correspondent. 3. Signed email is not meant for sensitive data - it should be encrypted + signed. 4. If an unknown correspondent is sending or requesting sensitive data, the fact that the email is signed is of no consequence - you still need to trust the key before you can proceed. 5. auto-retrieve is only used for that first request - when someone on a mailing list etc. starts signing their emails for the first time. BTW. Keyservers are ideal to refresh your keys on a regular basis. The DCLUG site provides a script that refreshes all keys listed in the members database before exporting the keyring. Refreshing a key before using it to send encrypted *sensitive* data is the only way to be truly sure the key has not been revoked recently. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
Attachment:
pgp00036.pgp
Description: signature