Your default keyserver and pgp workflow
Szczezuja.space
2023-03-26 15:09:07 UTC
Hello,

Since I cleared my gpg configuration, I'm starting to think about
improving my workflow for signing, encrypting and decrypting messages.

It isn't connected only with mutt but probably many of you are using many
different approaches and it will be interesting to talk about that in
mutt/neomutt.

How do you manage your keys, do you use any keyserver? Do you use
autocrypt? Or do you manually invoke extract-keys from messages?

Best regards,
--
.-=-. Szczezuja; on the small-net:
( S\ \ gemini://szczezuja.space/ - gemlog & tinylog
`--' / gopher://sdf.org:70/0/users/szczezuja/ - phlog
Jorgen Grahn
2023-04-10 11:47:16 UTC
Post by Szczezuja.space
Hello,
Since I cleared my gpg configuration, I'm starting to think about
improving my workflow for signing, encrypting and decrypting messages.
It isn't connected only with mutt but probably many of you are using many
different approaches and it will be interesting to talk about that in
mutt/neomutt.
How do you manage your keys, do you use any keyserver? Do you use
autocrypt? Or do you manually invoke extract-keys from messages?
Don't know if this helps, but I have a key, and it's available on key
servers (hkp://pool.sks-keyservers.net). I see that availability as
an invitation only; obviously you cannot trust that key based on
nothing else.

When sending mail I OpenPGP-sign with that key. However, I don't know
a lot of people who read mail nowadays, and I know only a handful who
know what OpenPGP is, and only one who uses it ... so even the signing
is more of a political statement than anything else. Or an empty
gesture, if you will.

It would be nice if people changed their minds, with the recent
attacks on privacy (at least in the EU). It's now clear to everybody
that if you trust anything but end-to-end encryption based on free
software, you're screwed.

/Jorgen
--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
Eike Rathke
2023-04-10 12:24:56 UTC
Post by Jorgen Grahn
Don't know if this helps, but I have a key, and it's available on key
servers (hkp://pool.sks-keyservers.net).
Do not use sks-keyservers anymore (isn't that dead already anyway? DNS
doesn't resolve).

Reason: they may serve poisoned keys flooded with certificates.
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
https://lwn.net/Articles/792366/
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it

Use https://keys.openpgp.org/ instead and don't forget to verify uids by
replying to sent mails. Also good to use is https://keys.mailvelope.com/
verifying keyserver.

Eike
--
OpenPGP/GnuPG encrypted mail preferred in all private communication.
GPG key 0x6A6CD5B765632D3A - 2265 D7F3 A7B0 95CC 3918 630B 6A6C D5B7 6563 2D3A
Use LibreOffice! https://www.libreoffice.org/
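As an added illustration of the flooding problem Eike describes (example code written for this note, not from the thread or from GnuPG): it parses the colon-separated output of `gpg --list-sigs --with-colons`, flags certificates whose user IDs carry more third-party certifications than an assumed threshold, and mimics the `import-options self-sigs-only` filter that GnuPG 2.2.17+ applies on import to drop such signatures. The listing it works on is constructed sample data, not a real keyserver response.

```python
# Detect OpenPGP certificates flooded with third-party certifications,
# using the record format of `gpg --list-sigs --with-colons`.

def _sample_listing() -> str:
    """Constructed sample: one normal key and one flooded key (not real data)."""
    lines = [
        "pub:u:4096:1:1111111111111111:1500000000:::u:::scESC::::::23::0:",
        "uid:u::::1500000000::HASH1::Alice Example <alice@example.org>::::::::::0:",
        "sig:::1:1111111111111111:1500000000::::Alice Example <alice@example.org>:13x::::::::::0:",
        "sig:::1:2222222222222222:1500000100::::Bob Example <bob@example.org>:10x::::::::::0:",
        "sub:u:4096:1:3333333333333333:1500000000::::::e::::::23:",
        "sig:::1:1111111111111111:1500000000::::Alice Example <alice@example.org>:18x::::::::::0:",
        "pub:u:4096:1:4444444444444444:1500000000:::u:::scESC::::::23::0:",
        "uid:u::::1500000000::HASH2::Carol Example <carol@example.org>::::::::::0:",
        "sig:::1:4444444444444444:1500000000::::Carol Example <carol@example.org>:13x::::::::::0:",
    ]
    # A flooded certificate carries thousands of certifications from throwaway keys.
    lines += [f"sig:::1:{n:016X}:1500000200::::[User ID not found]:10x::::::::::0:"
              for n in range(1, 5001)]
    return "\n".join(lines)

def count_sigs(listing: str):
    """Return {keyid: {uid: (self_sigs, third_party_sigs)}} from a colon listing."""
    result, key, uid = {}, None, None
    for line in listing.splitlines():
        f = line.split(":")          # field 0 = record type, 4 = key id, 9 = user id
        if f[0] == "pub":
            key, uid = f[4], None
            result[key] = {}
        elif f[0] == "uid" and key:
            uid = f[9]
            result[key][uid] = [0, 0]
        elif f[0] in ("sub", "ssb"):
            uid = None               # subkey binding sigs follow; not certifications
        elif f[0] == "sig" and key and uid:
            result[key][uid][0 if f[4] == key else 1] += 1
    return {k: {u: tuple(c) for u, c in uids.items()} for k, uids in result.items()}

def flooded_keys(listing: str, threshold: int = 500):
    """Key IDs with any user ID carrying more third-party sigs than `threshold` (assumed cutoff)."""
    return sorted(k for k, uids in count_sigs(listing).items()
                  if any(third > threshold for _, third in uids.values()))

def self_sigs_only(listing: str) -> str:
    """Mimic `import-options self-sigs-only`: keep only sigs issued by the primary key itself."""
    kept, key = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key = f[4]
        if f[0] == "sig" and f[4] != key:
            continue
        kept.append(line)
    return "\n".join(kept)
```

Running `flooded_keys(_sample_listing())` reports only the flooded key, and after `self_sigs_only` the same check reports nothing, which is the effect the import option has on a poisoned certificate fetched from an SKS pool.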
Szczezuja.space
2023-04-23 15:32:04 UTC
Post by Eike Rathke
Post by Jorgen Grahn
Don't know if this helps, but I have a key, and it's available on key
servers (hkp://pool.sks-keyservers.net).
Do not use sks-keyservers anymore (isn't that dead already anyway? DNS
doesn't resolve).
Reason: they may serve poisoned keys flooded with certificates.
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
https://lwn.net/Articles/792366/
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it
Use https://keys.openpgp.org/ instead and don't forget to verify uids by
replying to sent mails. Also good to use is https://keys.mailvelope.com/
verifying keyserver.
Thanks for your responses. So it was confusing for me, because in the
default gpg.conf you can read this:

# Note that most servers (with the notable exception of
# ldap://keyserver.pgp.com) synchronize changes with each other. Note
# also that a single server name may actually point to multiple
# servers via DNS round-robin. hkp://keys.gnupg.net is an example of
# such a "server", which spreads the load over a number of physical
# servers.

So I was using that default gnupg.net key server. But I also came across the
keys.openpgp.org server. But that server doesn't exchange keys with others.
There are also more commercial ones like keyserver.ubuntu.com and so on.
And I had an e-mail from a person who is using the openpgp.org server, while
I had the gnupg.net server in my config. And it brought a problem, because I
had to look for another server. So I'm confused, because probably it is
possible for so many local servers to exist. And how to manage that?
Especially when you are inside mutt.

I was asking also because there are other solutions like, e.g.,
autocrypt. It looks nice, and neomutt supports it. But in my
neighborhood it isn't spotted.
--
.-=-. Szczezuja; on the small-net:
( S\ \ gemini://szczezuja.space/ - gemlog & tinylog
`--' / gopher://sdf.org:70/0/users/szczezuja/ - phlog