[horde] Importing PGP keys

Stefan Suurmeijer stefan at raptorweb.nl
Thu Aug 27 14:12:13 UTC 2015

On 08/27/15 15:40, Arjen de Korte wrote:
> Quoting Stefan Suurmeijer <stefan at raptorweb.nl>:
>> Hi Jan/List,
>> a different question: the PGP encryption option in webmail is great, but
>> is it strictly necessary to manually import a public key for every
>> recipient you want to send to?
> Yes. If you want/need to send encrypted messages, you must make
> absolutely sure that the public key belongs to the person you want to
> send a message to (and not from someone who is impersonating this person
> and uploaded a rogue key to the public keyservers). Horde can't do that
> for you automatically, this needs to be done by other means (checking in
> person, web-of-trust, etc).

While that is true, there are other ways of achieving that. A good
practice over here (that I use myself) is to include my PGP fingerprint
in both my e-mail signature and on my business card. It would be very
easy to import a public key from a keyserver and check the fingerprint.
On the off chance I'd have to send to someone that I had no PGP
knowledge about, it would still be a lot faster to just call them and
check the key I imported (again through the fingerprint or other
relevant data) than having them export their key and e-mail it to me.
Plus, for the other organization I work for, all valid keys are signed
by our certificate authority (the security manager) which, again, is
easily verifiable.
So while I agree with you on principle, I don't see any objection to
just using a keyserver to import the public keys. Verification can be
done in other ways.

>> If so, what is the keyserver option under horde -> gnupg for, if not for
>> importing keys?
> For verifying signatures. Even then, if a key was found on a public
> keyserver, Horde will show that the signature is valid, but still emits
> a warning that it is not trusted.

OK, check. Thanks

Anyway, I might make a feature request of it ;-)
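
The fingerprint check discussed in this message, as an added example (not part of the original post and not Horde's code): it computes the OpenPGP version 4 fingerprint of a key as fetched and compares it with the fingerprint obtained out of band, such as from a business card. The key material, timestamps and helper names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def mpi(n):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_key_body(created, n, e=65537):
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, packet body."""
    if body[:1] != b"\x04":
        raise ValueError("not a version 4 public-key packet body")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def grouped(fpr):
    """Format as printed on a card: groups of four hex digits."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def matches(body, out_of_band):
    """True only if the full 160-bit fingerprint read from the card equals the key's."""
    claimed = "".join(out_of_band.split()).replace(":", "").upper()
    if len(claimed) != 40 or any(c not in "0123456789ABCDEF" for c in claimed):
        return False  # an 8- or 16-digit key ID is not a fingerprint
    return hmac.compare_digest(v4_fingerprint(body), claimed)

# Constructed sample values (not real keys): numbers standing in for RSA moduli.
GENUINE = rsa_key_body(1440684733, (1 << 2047) | 0xC0FFEE1)
ROGUE = rsa_key_body(1440684733, (1 << 2047) | 0xBADC0DE1)  # same owner name, other key
CARD = grouped(v4_fingerprint(GENUINE)).lower()  # what the business card would show

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE), ("rogue", ROGUE)):
        verdict = "fingerprint matches" if matches(body, CARD) else "MISMATCH, do not use"
        print(f"{label}: {grouped(v4_fingerprint(body))} -> {verdict}")
    print("short key ID accepted?", matches(GENUINE, v4_fingerprint(GENUINE)[-8:]))
```

A key that arrives from a keyserver under the right name but with different key material fails the comparison, and so does a check against only the short key ID, which is just the tail of the fingerprint.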


