GPG signed email

Dennis Gilmore wrote: > PLease upload your gpg public key to a key server no. i do not care to have my email address added to more spam list. > or stop signing emails you send to fedora list. no. no one else is complaining. maybe they know something you do not.

I wrote an email today asking someone who seems to post a bit to fedora-list@redhat.com to please upload his puplic key to a keyserver. and got the above as a response 🙁 to me this fails in a few ways. The Person doesn’t use his/her name, which I personally don’t feel is in the spirit of open source. While its not really needed to upload your key to a public key server if your going to mail public forums its a nice thing to do. Im not going to trust you because your key is out there. If I kept seeing email thats signed by you I’ll have a decent idea that the person posting is the same person (not always true but an ok assumption). kmail hangs briefly each time I get an email from someone that signed that I dont have a copy of the public key. It’s looking to see if it can get the key from a server. so frequently getting email from someone who doesnt have a key up on a server really sucks. http://stuff.mit.edu/afs/dev/project/evolution/arch/i386_linux24/share/gnome/help/evolution/no/encryption.html says “Why Use a Keyserver?: Keyservers store your public keys for you so that your friends can decrypt your messages. If you choose not to use a keyserver, you can manually send your people public key, include it in your signature file, or put it on your own web page. However, it’s easier to publish them once, and then let people download them from the keyserver when they want.” of course the email is signed and not encypted but its a similliar situation. Really do people get spam from being listed on a keyserver? I highly doubt it. I personally believe you are much more likely to get spam from posting to public mailing lists.

So maybe im missing something here, i’m always willing to accept that i’m wrong. The result of the reply is that the person now has a filter in procmail that sends all email from them to /dev/null it eliminates the problem for me. I wanted to just get it out there that you should be a good citizen and upload your key to a keyserevr. Many years ago I changed keys and thought i had uploaded my new key and had not. When it was pointed out to me I gladly corrected the issue. PKI works on trust, not publishing your key doesnt help that trust.