[horde] Importing PGP keys

Simon B simon.buongiorno at gmail.com
Thu Aug 27 16:53:02 UTC 2015


On 27 Aug 2015 16:13, "Stefan Suurmeijer" <stefan at raptorweb.nl> wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 08/27/15 15:40, Arjen de Korte wrote:
> > Citeren Stefan Suurmeijer <stefan at raptorweb.nl>:
> >
> >> Hi Jan/List,
> >>
> >> a different question: the PGP encryption option in webmail is great, but
> >> is it strictly necessary to manually import a public key for every
> >> recipient you want to send to?
> >
> > Yes. If you want/need to send encrypted messages, you must make
> absolutely sure that the public key belongs to the person you want to
> send a message to (and not from someone who is impersonating this person
> and uploaded a rogue key to the public keyservers). Horde can't do that
> for you automatically, this needs to be done by other means (checking in
> person, web-of-trust, etc).
>
> While that is true, there are other ways of achieving that. A good
> practice over here (that I use myself) is to include my PGP fingerprint
> in both my e-mail signature and on my business card. It would be very
> easy to import a public key from a keyserver and check the fingerprint.
> On the off chance I'd have to send to someone that I had no PGP
> knowledge about, it would still be a lot faster to just call them and
> check the key I imported (again through the fingerprint or other
> relevant data) than having them export their key and e-mail it to me.
> Plus, for the other organization I work for, all valid keys are signed
> by our certificate authority (the security manager) which, again, is
> easily verifiable.
> So while I agree with you on principle, I don't see any objection to
> just using a keyserver to import the public keys. Verification can be
> done in other ways.

What you describe as good practice is merely out-sourcing the verification
to someone/thing else.

This is the reason PKI is broken.

https://www.schneier.com/paper-pki-ft.txt

Simon

> >> If so, what is the keyserver option under horde -> gnupg for, if not for
> >> importing keys?
> >
> > For verifying signatures. Even then, if a key was found on a public
> keyserver, Horde will show that the signature is valid, but still emits
> a warning that it is not trusted.
>
> OK, check. Thanks
>
> Anyway, I might make a feature request of it ;-)
>
> KR
> Stefan
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iEYEARECAAYFAlXfGrMACgkQI4VvirxFn4a48QCeODfl/GqABSD8cSvLyvuTw9cI
> sYoAn1eOGLYc/fseSBfGW5A+MWo0itwg
> =NTwA
> -----END PGP SIGNATURE-----
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
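The procedure discussed in this thread (pull a key from a keyserver, then check its fingerprint against one received out of band, such as an e-mail signature or a business card) comes down to recomputing the fingerprint from the key material and comparing it, so that nothing the keyserver asserts is trusted. The script below is an added example, not code from this thread or from Horde; it parses an OpenPGP public-key packet, derives the v4 fingerprint per RFC 4880 section 12.2, and compares it with an out-of-band copy. The key packets, the creation time and the "business card" fingerprint are constructed here (toy-sized RSA values, not real keys); function names such as `fingerprint_matches` are this example's own.

```python
"""Check an OpenPGP public key fetched from a keyserver against a fingerprint
obtained out of band (e-mail signature, business card, phone call).
The fingerprint is recomputed per RFC 4880 section 12.2 (v4 keys), so the
comparison does not depend on anything the keyserver asserts."""
import hashlib
import hmac
import re
import struct


def parse_packet(data: bytes):
    """Split one OpenPGP packet (RFC 4880 section 4.2) into (tag, body, rest).
    Handles old- and new-format headers with definite lengths."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                      # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:                               # old-format header (what gpg --export emits)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length is not supported")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, data[off + length:]


def describe_key(body: bytes) -> dict:
    """Read the fixed fields of a v4 public-key packet body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return {"version": 4,
            "created": struct.unpack(">I", body[1:5])[0],
            "algorithm": body[5]}


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length, and the body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def normalize(fingerprint: str) -> str:
    """Strip the spaces and colons people put on business cards; upper-case."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def fingerprint_matches(key_blob: bytes, expected: str) -> bool:
    """True iff the first packet in key_blob is a public key whose v4
    fingerprint equals the out-of-band value (constant-time compare)."""
    tag, body, _ = parse_packet(key_blob)
    if tag not in (6, 14):              # public key / public subkey
        raise ValueError("first packet is not a public key")
    want = normalize(expected)
    if len(want) != 40:                 # v4 fingerprints are 160 bits
        return False
    return hmac.compare_digest(v4_fingerprint(body), want)


# --- constructed sample data (not real keys; RSA values are toy sized) ---
def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multiprecision integer."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


def build_v4_rsa_packet(created: int, n: int, e: int) -> bytes:
    """Public-key packet (tag 6) with an old-format header and 2-octet length."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


SAMPLE_KEY = build_v4_rsa_packet(1440691200, 0xC0FFEE1234567891, 65537)
# A key uploaded under the same name by someone else: same user ID, different material.
ROGUE_KEY = build_v4_rsa_packet(1440691200, 0xDEADBEEF9876543211, 65537)
# The fingerprint as it would appear on a business card (grouped in fours).
CARD_FINGERPRINT = " ".join(v4_fingerprint(parse_packet(SAMPLE_KEY)[1])[i:i + 4]
                            for i in range(0, 40, 4))

if __name__ == "__main__":
    for name, blob in (("keyserver copy", SAMPLE_KEY), ("rogue upload", ROGUE_KEY)):
        print(name, "matches card" if fingerprint_matches(blob, CARD_FINGERPRINT)
              else "DOES NOT MATCH card")
```

In practice `key_blob` would be the binary output of `gpg --export` for the key just fetched, and `expected` the string read off the card or signature; the point of the comparison is that a rogue key uploaded under the same name produces a different fingerprint no matter what the keyserver says about it.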
