On Tue, Jan 25, 2011 at 05:09:30PM +0530, Binand Sethumadhavan wrote:
2011/1/25 Nitesh Mistry mailbox@mistrynitesh.net:
Wrong. In all my emails, I mention my PGP key id below my name. So anyone can download it from a public keyserver and verify it. Anyone who knows
You see, I typed all that after checking whether the key is available on keyserver1.pgp.com. It is not (that is the keyserver I have setup my gpg to look for keys automatically).
I think its time you checked couple of other servers as well. I can confirm that my keys are hosted on atleast two public servers.
Even if I had found your key on a server, what does it tell me? Nothing. Your key is not trusted by anyone at all; so what is the use? The concept of Web of Trust is not utilized in your key at all.
So first the problem was that there was no instruction in the mail on how to verify the signature, and now the problem is that it is not signed! BTW, how can one say that if it couldn't be found the key on the keyserver.
Do not discard public key authentication/encryption as useless. They might be the last available avenues to protect privacy. IMHO, signing messages is a healthy practice.
How exactly does simply *signing* messages with your private key protect "privacy"? If you were *encrypting* messages with the recipient's public key, I would have understood (though I'd imagine it is of little value, considering this list is publicly archived), but just signing?
Do not overuse public key authentication/encryption. It is of value if both encryption and signing is used in conjunction. For that, both sender and recipient needs to have both public and private keys. Either process alone has value only in very few use cases - posting to a mailing list I don't think is one of them (unless you are someone who is frequently impersonated - even then, without the WoT signing is of little value).
What better way to popularise use of pgp than to sign messages to a public mailing list. Atleast I came to know about it only when I saw them on these mailing lists. And if it doesn't get popular, how can we have more keysigning, and a strong web of trust. A case of chicken and egg?
Is it really necessary that the key has to be signed before it can be used for signing?
I believe signing messages also indicates ownership of the content of the message. And though the key is not signed at the moment, it can always be authenticated anytime, if anyone wants to.