On 02/25/2013 02:54 PM, Peter Loshin wrote:

> Many thanks to Daniel Kahn Gillmor for pointing to the best practices
> page (https://we.riseup.net/riseuplabs+paow/openpgp-best-practices);
> this information is very helpful.
>
> Some questions about the information on this page:
>
> 1. "Don't use pgp.mit.edu". Which keyserver *should* be used? I assume
> that a pool is better than a particular server; is there one
> particular pool that is preferred? What about
> http://pool.sks-keyservers.net/?

Yes, that's a good one, and generally preferred.

> 2. On keeping an encrypted backup of my secret key material, what
> method is recommended for doing that? (Presumably something like "gpg
> --export-secret-keys | gpg --output secretkeymatter.gpg --symmetric"?)

If you're using a pass phrase, your key is already encrypted. Just save
it somewhere safe.

> 3. On using a keyserver with HKPS support: when I attempt to connect
> (via Chrome) to https://sks-keyservers.net/, I get an error headlined
> "The site's security certificate is not trusted!", stating "the
> server presented a certificate issued by an entity that is not trusted
> by your computer's operating system."

Yeah, they are using a self-signed certificate. A very dodgy decision in
an era where there are a non-zero number of widely accepted CAs that
will give out free certificates.

> 4. When I try to use hkps://sks-keyservers.net

The Best Practices page you posted above actually suggests:

keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem

That worked for me, although I was a bit disappointed that placing the
cert at /etc/ssl/certs/ca.hkps.pool.sks-keyservers.net.cert didn't work
like all the docs said it should.

Does anyone know where/how to place the cert file on the system so that
it can be called on demand, rather than having to specify it in the
gpg.conf?

> with GnuPG at the
> command line, I get these messages:
>
> gpgkeys: HTTP post error 1: unsupported protocol
> gpg: keyserver internal error
> gpg: keyserver send failed: Keyserver error
>
> And when I try the same with the domain name only (sks-keyservers.net)
> I get these messages:
>
> : can't connect to `sks-keyservers.net': No route to host
> gpgkeys: HTTP post error 7: couldn't connect: No route to host
> gpg: keyserver internal error
> gpg: keyserver send failed: Keyserver error
>
> My question would be, am I doing something wrong or is the service unavailable?

You're doing something wrong. :) Follow the doc more closely.

Doug
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
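As an added example (not part of Peter's or Doug's messages, and not GnuPG project code), the following POSIX shell script puts the two gpg.conf lines Doug quoted from the best-practices page into a config file, checks that the CA file actually holds a PEM certificate before gpg is pointed at it, and runs the doubly-encrypted backup pipeline Peter proposed in question 2. The config path, CA path, KEYID and output file name are assumptions; the CA file itself has to come from the best-practices page, not from this script.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed paths throughout.
set -eu

# Write the two keyserver lines from the best-practices page into the
# gpg.conf given as $1, pointing ca-cert-file at the CA file given as $2.
# Any existing 'keyserver' / 'keyserver-options' lines are dropped first so
# the file never ends up with two conflicting keyserver entries.
write_keyserver_conf() {
    conf="$1"; cacert="$2"
    tmp="$conf.tmp"
    if [ -f "$conf" ]; then
        grep -v '^keyserver' "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'keyserver hkps://hkps.pool.sks-keyservers.net\n' >> "$tmp"
    printf 'keyserver-options ca-cert-file=%s\n' "$cacert" >> "$tmp"
    mv "$tmp" "$conf"
}

# Sanity check before trusting the CA file: it must be non-empty and
# contain a PEM certificate block. Returns non-zero otherwise, so a typo
# in the path fails here instead of as an opaque keyserver error later.
check_ca_cert() {
    [ -s "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Peter's pipeline from question 2: export the secret key packets (already
# protected by the key's own passphrase, as Doug notes) and wrap them in a
# second symmetric layer so the backup medium exposes neither key ids nor
# the protected packets. gpg will prompt for the outer passphrase.
backup_secret_keys() {
    keyid="$1"; out="$2"
    gpg --export-secret-keys "$keyid" | gpg --output "$out" --symmetric
}

# Usage (assumed paths; adjust to your own system):
#   write_keyserver_conf "$HOME/.gnupg/gpg.conf" /path/to/CA/sks-keyservers.netCA.pem
#   check_ca_cert /path/to/CA/sks-keyservers.netCA.pem && gpg --send-keys KEYID
#   backup_secret_keys KEYID secretkeymatter.gpg
```

Running `check_ca_cert` before the first `--send-keys` separates "the CA file is not where gpg.conf says it is" from a genuine connection or protocol failure, which is the kind of distinction Peter's two error transcripts blur.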