On Tue, Jan 25, 2011 at 05:09:30PM +0530, Binand Sethumadhavan wrote:
> 2011/1/25 Nitesh Mistry <[email protected]>:
> > Wrong. In all my emails, I mention my PGP key id below my name. So anyone
> > can download it from a public keyserver and verify it. Anyone who knows
>
> You see, I typed all that after checking whether the key is available
> on keyserver1.pgp.com. It is not (that is the keyserver I have set up
> my gpg to look for keys automatically).

I think it's time you checked a couple of other servers as well. I can confirm that my keys are hosted on at least two public servers.

> Even if I had found your key on a server, what does it tell me?
> Nothing. Your key is not trusted by anyone at all; so what is the use?
> The concept of Web of Trust is not utilized in your key at all.

So first the problem was that there was no instruction in the mail on how to verify the signature, and now the problem is that it is not signed! BTW, how can one say that if the key couldn't be found on the keyserver?

> > Do not discard public key authentication/encryption as useless. They might
> > be the last available avenues to protect privacy. IMHO, signing messages
> > is a healthy practice.
>
> How exactly does simply *signing* messages with your private key
> protect "privacy"? If you were *encrypting* messages with the
> recipient's public key, I would have understood (though I'd imagine it
> is of little value, considering this list is publicly archived), but
> just signing?
>
> Do not overuse public key authentication/encryption. It is of value if
> both encryption and signing are used in conjunction. For that, both
> sender and recipient need to have both public and private keys.
> Either process alone has value only in very few use cases - posting to
> a mailing list I don't think is one of them (unless you are someone
> who is frequently impersonated - even then, without the WoT signing is
> of little value).

What better way to popularise use of pgp than to sign messages to a public mailing list? At least I came to know about it only when I saw them on these mailing lists. And if it doesn't get popular, how can we have more keysigning, and a strong web of trust? A case of chicken and egg? Is it really necessary that the key has to be signed before it can be used for signing? I believe signing messages also indicates ownership of the content of the message.

And though the key is not signed at the moment, it can always be authenticated anytime, if anyone wants to.

--
Regards,
Nitesh Mistry | www.mistrynitesh.com
PGP key id: A6FEF696 | 'geekosopher' on freenode irc

