On 7/27/2011 10:25 PM, Len Cooley wrote:
> Well, let me ask you this. Is it useful/useless/ridiculous/or what to
> attach your public key as a sig at the end of an email, such as below?
>
Unless you're trying to keep your key 'off the grid' I'd just send the key to the keyservers. Then people who use OpenPGP will retrieve the key based on your email's signature. People who don't care will just ignore your sig, which will be smaller than your full public key.

If you are trying to keep the key 'off the grid' then you don't want to include it as a generic signature either.

In general, it's best to get the key from a different source than your signed email. If your signature and key are in the same email, an attacker could have forged both. They could in other circumstances as well, but it's less likely for someone to forge both a public key on the keyservers (or your personal website, or your business card, etc), and a signature on a forged email. They need to compromise two lines of defense.

--
Grant
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
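The "two lines of defense" point from the reply above, as an added example that is not part of the original post: a mail that carries its own key verifies even when forged, while a check pinned to a fingerprint obtained from another source rejects it. Toy textbook RSA stands in for OpenPGP here; the key sizes, the fingerprint format, the function names and the sample mails are all assumptions constructed for the illustration.

```python
import hashlib

# Toy textbook RSA over small fixed primes so the example runs on the standard
# library alone. It stands in for OpenPGP signing and is NOT secure.
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"pub": (n, e), "priv": (n, pow(e, -1, phi))}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def fingerprint(pub):
    # Hypothetical fingerprint format: truncated SHA-256 of the key tuple.
    return hashlib.sha256(repr(pub).encode()).hexdigest()[:16]

def make_mail(key, body):
    # The mail carries its own public key, as in the question above.
    return {"body": body, "attached_key": key["pub"],
            "sig": sign(key["priv"], body)}

def check_inband(mail):
    # Trusts whatever key arrived in the same mail as the signature.
    return verify(mail["attached_key"], mail["body"], mail["sig"])

def check_pinned(mail, pinned_fpr):
    # Accepts the key only if it matches a fingerprint obtained elsewhere
    # (keyserver, personal website, business card).
    if fingerprint(mail["attached_key"]) != pinned_fpr:
        return False
    return verify(mail["attached_key"], mail["body"], mail["sig"])

# Constructed sample data: one real sender, one forger with their own key.
SENDER = make_key(1000003, 1000033)
FORGER = make_key(1000037, 1000039)
PINNED = fingerprint(SENDER["pub"])
genuine = make_mail(SENDER, b"Lunch at noon?")
forged = make_mail(FORGER, b"Ignore my last mail, use this key instead.")

if __name__ == "__main__":
    for name, mail in (("genuine", genuine), ("forged", forged)):
        print(name, check_inband(mail), check_pinned(mail, PINNED))
```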