Getting PGP

Sandy Harris sandyinchina at gmail.com
Mon Jun 8 23:43:20 UTC 2009


Karl F. Larsen <klarsen1 at gmail.com> wrote:

>>  The idea was that when you associated a public key with your email
>> address, you uploaded it to this key server and anybody who wants to send
>> you an encrypted email could look up your public key to encrypt your email
>> with.
>>
>> I have no idea if this kind of thing still exists, but it made GPG rather
>> usable and friendly that way.
>
> Now there are several places to send your Public Key to. I sent mine to
> one of them with enigmail and I assume it got there. But should check I
> guess.
>
> I just deleted my first Key Set which in ignorance I made 1024 instead
> of 2048. A couple of friends said my Public Key looks "funny", but it
> worked fine. My current key is 2048 and it also works fine. I did all
> this with enigmail.

Yes, there are a number of key servers but it is NOT enough to
just create a key, put it on a server, download keys for other
people and use them. You need to get signatures too.

Nothing prevents someone from lying when they create a key.
I can easily create a key in the name Karl F Larsen or George
Bush or Ubuntu Distribution Server or whatever.

What prevents such trickery is signatures on keys. You should
never trust a key unless you got it from a trustworthy source
or it has sigs from people you trust.

Get your friends to sign your key. Sign theirs. Update the
version on the server after you get a few sigs.

At conferences or your local Linux user group, look for
key-signing parties, sessions where people come with
good ID, you meet everyone and get a list of keys to
sign. Consider organising one; Ubuntu has software
for it in a package called "signing-party".

-- 
Sandy Harris,
Quanzhou, Fujian, China
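
One way to carry out the check described above (does a key carry good signatures from people you trust?), as an added example that is not part of the original message: a shell function that filters the machine-readable output of `gpg --with-colons --check-sigs`. The function name, the key IDs and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# Real use:  gpg --with-colons --check-sigs KEYID | trusted_sigs FRIEND_KEYID ...
# Prints the long key ID of each trusted signer whose certification verified
# as good; exit status is 1 when there is none. gpg can only report a
# signature as good if the signer's public key is in your keyring.
trusted_sigs() {
    awk -F: -v trusted="$*" '
        BEGIN {
            n = split(toupper(trusted), t, " ")
            # Full fingerprints are accepted: the long key ID is the last 16 hex digits.
            for (i = 1; i <= n; i++) want[substr(t[i], length(t[i]) - 15)] = 1
        }
        $1 == "pub" { owner = toupper($5) }        # the key being examined
        $1 == "sig" {
            signer = toupper($5)
            if (signer == owner) next               # a self-signature proves nothing
            if (substr($2, 1, 1) != "!") next       # "!" good; "-" bad; "?" signer key missing
            if ($11 !~ /^1[0-3]/) next              # classes 0x10-0x13 certify a user ID
            if ((signer in want) && !(signer in seen)) {
                seen[signer] = 1
                print signer
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample listing (not real keys): one self-signature, one good
# signature, one from a signer whose key is not in the keyring, one bad.
SAMPLE='pub:-:2048:1:1111111111111111:1244500000:::-:::scESC:
uid:-::::1244500000::HASH::Alice Example <alice@example.org>:
sig:!::1:1111111111111111:1244500000::::Alice Example <alice@example.org>:13x:
sig:!::1:2222222222222222:1244600000::::Friend One <one@example.org>:10x:
sig:?::1:3333333333333333:1244600000::::[User ID not found]:10x:
sig:-::1:4444444444444444:1244600000::::Friend Four <four@example.org>:10x:'

# Only 2222222222222222 counts: 4444... is trusted here but its signature is bad.
printf '%s\n' "$SAMPLE" | trusted_sigs 2222222222222222 4444444444444444 || true
```
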