* Carlos E. R. <robin.listas@telefonica.net> [01-23-23 17:53]:
On 2023-01-23 22:11, Dave Howorth wrote:
On Mon, 23 Jan 2023 19:47:58 +0100 Per Jessen <> wrote:
Carlos E. R. wrote:
So the only thing people can do is share their keys manually, attaching them to email.
Okay - but surely not on every email :-)
Didn't this thread start because somebody was doing exactly that?
In any case though, if I impersonate Carlos then sign the message with a key of my own (which I haven't publicly acknowledged) and send the public key with the message, doesn't that defeat the whole point of signing messages?
Yes.
In my case, though, then I'd say that my key is the same one for over a decade, while the new "forged" key is recent. I could be believed or not.
You have to use some other channel to distribute the keys - e.g. a web of trust.
No, it works in parallel, when PGP is involved. You have to sign the keys of the people that you personally meet, and upload this data to the keyservers for others to import.
<https://en.wikipedia.org/wiki/Web_of_trust>
Problem is that the servers are dead. PGP is dying.
The other method is using certificates issued by an authority (S/MIME, PKCS). But the resulting signatures are quite a bit bigger than PGP (I just did a quick test, and my signature for a blank email is 7KB).
<https://en.wikipedia.org/wiki/S/MIME> <https://en.wikipedia.org/wiki/PKCS>
--
Cheers / Saludos,
Carlos E. R. (from 15.4 x86_64 at Telcontar)
Another reason not to utilize certificates for such trivial matters as list traffic.
--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet oftc