[Enigmail] and for my first mistake...
John W. Moore III
jmoore3rd at bellsouth.net
Mon Jun 30 13:21:32 PDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Faramir wrote:
> Taum Hanlon wrote:
>> I first generated a key using RSA 4096 and then read that I should use
>> the default DSA/ElGamal ... so I got rid of it and generated the type
>> recommended in the FAQ.
>
> There is no problem using RSA keys, however, 4096 may be a bit too
> much... most people seem to think 2048 is good enough (in fact, some
> think 1024 is good enough). But it is your decision, these are standard
> keys, so all of them are valid (as far as I know).
You "know" correctly.
>> I have a question regarding setting owner trust and signing.
>> If you trust somebody and sign their key, the manual says it is good
>> etiquette to send them the new signed key and allow them to upload to a
>> key server.
>> Does this mean that every time your key is signed you need to upload it
>> to a key server to have that signature?
>
> Ehh... there are 2 ways to sign a key, local (non-exportable) and
> "normal" (I don't know the name for that one). With the local option, you
> sign the key to be able to send encrypted messages to that recipient,
> but you don't let other people know you trust that recipient. With the
> other option, you let people see your signature... but for that, they
> need to access the key signed by you. If the key is hosted on a key
> server, like pool.sks-keyservers.net, you can export the public keys to
> those servers, and that way you will make your signature appear in the
> public key of your recipient. But if his/her public key is hosted only
> on a web site, then you would need to send him/her the signed key, so
> that he/she can update the hosted key file.
OK, quick discussion of Netiquette as it applies to OpenPGP Keys;
/always/ return the Key signed by You to the Key Owner. Common Courtesy
[an oxymoron] dictates that they be allowed to maintain as much control
over what is broadcast on or about their Key as possible.
Here is a quick Example: Say I create a Key with the UID: Chilean
Revolutionary Militia and then 'Trust Sign' Your Key with it. Do You
really want Me to then Upload that to the Keyservers so that everyone
for all time will think that You are a Revolutionary? Remember, the old
saying about "a moment on the lips, forever on the hips" with regard to
weight reduction. Once I tag Your Key with a Sig, desired or not, it is
forever. :(
>
> Another option is to have the key on a web site _and_ on a
> keyserver... that way, people can download it from the website (and they
> can be more sure that it is the right key), and they can sign it,
> and export it to the keyserver. The key owner can retrieve his own
> public key from the keyserver, from time to time, (that way he/she would
> get the version with the most signatures), and use it to update the
> web-hosted keyfile. Or people can check the signatures from keyservers,
> and they would update the signatures in the key...
Another option is to utilize Big Lumber [www.biglumber.com] and maintain
an 'Official Copy' of Your Key there. You have complete control of what
appears on the Key [Sigs, Preferences, etc.] and can Publish the Link in
either a Comment Line, Signature or within the Header.
>
>> Also, can a key be signed by multiple people before it is uploaded to a
>> key server? (I'm wondering how 'key parties' work)
Sure, You can Upload Your Key as often as You desire.
>
> From what I have read here, it is suggested to go to the 'key party'
> carrying a lot of pieces of paper with your key ID printed on them, and
> your ID card (you will need it to prove you really are you). Then,
> people see your ID card, see your face, compare them, and if they are
> convinced you are you, they take one of those pieces of paper and bring
> it home. Once at home, they take the papers, and begin to download and
> sign these keys; after that, they upload them to the keyserver, and that
> is all.
Again, 'Best Practice' would be to 'Sign those Keys & return them signed
to the Key Owner'. ;)
JOHN 8-)
Timestamp: Monday 30 Jun 2008, 16:19 -0400 (Eastern Daylight Time)
P.S. By un-Official agreement; JOHN [all CAPS] indicates Me and John or
John C. indicates Mr. Clizbe. While We rarely disagree, it does happen
and both of Us have Our fur rubbed the wrong way when 'quotes' are
mis-represented. ;)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.5.0-svn4754: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----
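The local versus "normal" signature distinction discussed above is carried inside the signature itself: an OpenPGP "Exportable Certification" subpacket (RFC 4880 subpacket type 4) with value 0 is what makes a certification local, and it is the flag a default `gpg --export` honours when it leaves such signatures out of the key it writes. The following is an added example, not code from the thread or from Enigmail or GnuPG: it parses a signature's subpacket area and decides whether a certification may be published to a keyserver. The sample subpacket areas, issuer key ID and timestamp are constructed.

```python
import struct

# RFC 4880 section 5.2.3.1 subpacket types used here
SIGNATURE_CREATION_TIME = 2
EXPORTABLE_CERTIFICATION = 4   # body: 1 octet, 0 = local, 1 = exportable
ISSUER_KEY_ID = 16


def parse_subpackets(data: bytes):
    """Return [(type, critical, body), ...] for each subpacket in an area."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length (192..16319)
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:                                 # 0xFF + four-octet length
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(data):
            raise ValueError("malformed subpacket length")
        tag = data[i]                         # length covers this type octet
        out.append((tag & 0x7F, bool(tag & 0x80), data[i + 1:i + length]))
        i += length
    return out


def is_exportable(subpacket_area: bytes) -> bool:
    """A certification is exportable unless subpacket 4 is present with 0."""
    for stype, _critical, body in parse_subpackets(subpacket_area):
        if stype == EXPORTABLE_CERTIFICATION:
            return body == b"\x01"
    return True


def subpacket(stype: int, body: bytes) -> bytes:
    """Encode one subpacket with the RFC 4880 variable-length header."""
    length = len(body) + 1
    if length < 192:
        hdr = bytes([length])
    elif length < 16320:
        hdr = bytes([((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", length)
    return hdr + bytes([stype]) + body


# Constructed hashed-subpacket areas (placeholder key ID, not real signatures)
_COMMON = (subpacket(SIGNATURE_CREATION_TIME, struct.pack(">I", 1214857292))
           + subpacket(ISSUER_KEY_ID, bytes.fromhex("0123456789abcdef")))
LOCAL_SIG = _COMMON + subpacket(EXPORTABLE_CERTIFICATION, b"\x00")
NORMAL_SIG = _COMMON
```

Running `is_exportable` over the certifications on a key before pushing it to a keyserver is the programmatic form of the check John describes: only what the signer marked exportable, and what the key owner agreed to, belongs there.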