Wed, 27 Aug 2008
GPG signed email
Dennis Gilmore wrote:
> Please upload your gpg public key to a key server

no. i do not care to have my email address added to more spam list.

> or stop signing emails you send to fedora list.

no. no one else is complaining. maybe they know something you do not.
I wrote an email today asking someone who seems to post a bit to fedora-list@redhat.com to please upload his public key to a keyserver, and got the above as a response :( To me this fails in a few ways.

The person doesn't use his/her name, which I personally don't feel is in the spirit of open source.

While it's not really needed to upload your key to a public key server, if you're going to mail public forums it's a nice thing to do. I'm not going to trust you because your key is out there. If I kept seeing email that's signed by you I'll have a decent idea that the person posting is the same person (not always true but an ok assumption).

kmail hangs briefly each time I get an email from someone that signed that I don't have a copy of the public key. It's looking to see if it can get the key from a server. So frequently getting email from someone who doesn't have a key up on a server really sucks.

http://stuff.mit.edu/afs/dev/project/evolution/arch/i386_linux24/share/gnome/help/evolution/no/encryption.html says "Why Use a Keyserver?: Keyservers store your public keys for you so that your friends can decrypt your messages. If you choose not to use a keyserver, you can manually send your people public key, include it in your signature file, or put it on your own web page. However, it's easier to publish them once, and then let people download them from the keyserver when they want." Of course the email is signed and not encrypted but it's a similar situation.

Really, do people get spam from being listed on a keyserver? I highly doubt it. I personally believe you are much more likely to get spam from posting to public mailing lists.
So maybe I'm missing something here; I'm always willing to accept that I'm wrong. The result of the reply is that the person now has a filter in procmail that sends all email from them to /dev/null. It eliminates the problem for me. I wanted to just get it out there that you should be a good citizen and upload your key to a keyserver. Many years ago I changed keys and thought I had uploaded my new key and had not. When it was pointed out to me I gladly corrected the issue. PKI works on trust; not publishing your key doesn't help that trust.
posted at: 04:36 | 14 comments
Posted by David at Thu Aug 28 06:21:05 2008
Good post. I can see your frustrations in the matter. I have my key uploaded and I never thought it would fall victim to spam. Maybe it has, don't know, but spamassassin, and RBLs remove so much spam, I hardly get any these days.
Posted by robk at Thu Aug 28 11:20:48 2008
If you're still worried about address harvesting and spam in 2008, you probably should throw your laptop into the sea for fishes to sleep in, then withdraw to a cave somewhere, gnawing old bones and sucking water from lichen.
Posted by Evan at Thu Aug 28 13:54:17 2008
I don't know much about GPG and have never signed my emails so I'm not particularly qualified to comment on the matter, but what did stand out to me was the line:
> "kmail hangs briefly each time I get an email from someone that signed that I dont have a copy of the public key".
That seems like a bug to me. I might concentrate more on getting that fixed than trying to change other people's behavior.
Posted by Alex at Sat Aug 30 22:20:55 2008
I have to say that since having my public key on a keyserver, I have had considerably more spam than usual (and so has a friend who has done likewise).
But to post to public lists or to send a lot of signed emails without having uploaded your public key is fairly discourteous.
Posted by Eric at Tue Sep 2 15:32:24 2008
Maybe the person can send their public key to the list so everyone will have it and they won't have to post it to the public key server. A bit extreme but it is another solution.
Posted by KemoBull at Thu Sep 4 01:08:59 2008
Maybe the guy is just a dolt, not to mention socially challenged?
Posted by khiraly at Sun Sep 21 12:37:57 2008
>> "kmail hangs briefly each time I get an email
>> from someone that signed that I dont have a copy
>> of the public key".
> That seems like a bug to me. I might
> concentrate more on getting that fixed than
> trying to change other people's behavior.
I second that. It's a bug, and needs to be fixed in evolution.
Display a message, so you can read it. And search for a public key IN THE BACKGROUND.
And by the way. When do you REALLY need a public key?
Not when you read the message, but when you question who the sender is. In THAT case you want to download the public key, but it is clearly not the case here.
Or you need a public key if you want to send him an encrypted message. But I'm pretty sure that you don't want to write him a PRIVATE message.
If I were a spammer, I would trust email addresses which are listed on a keyserver more than some random email addresses from mailing lists.
Just my 2 cents.
So fixes evolution and
Posted by reersalkara at Wed Dec 30 07:39:22 2009
Interestingly written... but much remains unclear
Posted by мобильный at Sun Jan 31 08:19:00 2010
Thanks for the info, I've been looking for something like this for a long time
Posted by мобильный at Sun Jan 31 09:09:05 2010
Really useful stuff! No matter how much you browse the net, it's all just blah blah blah. But not here, and that's great!