On 2023-01-23 22:11, Dave Howorth wrote:
On Mon, 23 Jan 2023 19:47:58 +0100 Per Jessen <> wrote:
Carlos E. R. wrote:
So the only thing people can do is share their keys manually, attaching them to email.
Okay - but surely not on every email :-)
Didn't this thread start because somebody was doing exactly that?
In any case though, if I impersonate Carlos then sign the message with a key of my own (which I haven't publically acknowledged) and send the public key with the message, doesn't that defeat the whole point of signing messages?
Yes. In my case, though, then I'd say that my key is the same one for over a decade, while the new "forged" key is recent. I could be believed or not.
You have to use some other channel to distribute the keys - e.g. a web of trust.
No, it works in parallel, when PGP is involved. You have to sign the keys of the people that you personally meet, and upload this data to the keyservers for others to import. https://en.wikipedia.org/wiki/Web_of_trust Problem is that the servers are dead. PGP is dying. The other method is using certificates issued by an authority (S/MIME, PKCS). But the resulting signatures are quite bigger than PGP (I just did a quick test, and my signature for a blank email is 7KB). https://en.wikipedia.org/wiki/S/MIME https://en.wikipedia.org/wiki/PKCS -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)