Yes, they could. But publishing all subkeys is simpler than publishing some
of them. And a key is usually generated with both a signing and an encryption subkey,
as many guides, howtos, etc. tell people to do.

To look at such test emails from the other point of view, just imagine that
someone who found your email on a public repo/bugtracker/mailing list starts to spam you
with test emails. Such an event would certainly upset me.

Another thing which shocked me is the statistics from the Golang folks [1]. Brad
Fitzpatrick said:
> 99% of the PGP-encrypted emails we get to [email protected] are bogus
> security reports. Whereas "cleartext" security reports are only about 5-10%
> bogus. Getting a PGP-encrypted email to [email protected] has basically
> become a reliable signal that the report is going to be bogus, so I stopped
> caring about spending the 5 minutes decrypting the damn thing (logging in
> to the key server to get the key, remembering how to use gpg).
> ...
> In summary, the PGP tooling sucks (especially in gmail, but really
> everywhere) and it's too often used by people who are more interested in
> using PGP than reporting valid security issues.

When he says "cleartext" it's plain text sent over TLS MTA-to-MTA
connections. Almost all mail providers use STARTTLS now.

[1]: https://news.ycombinator.com/item?id=14123388

Tue, 30 May 2017, 8:46 Ineiev <[email protected]>:

> On Mon, May 29, 2017 at 11:52:27PM +0000, Konstantin Gribov wrote:
> >
> > As an example, many open source devs are publishing their keys which they
> > use for signing software releases but rarely for encrypted communication.
>
> On the other hand, they could publish certificates without encrypting
> subkeys.
>
-- 

Best regards,
Konstantin Gribov
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users