[horde] Importing PGP keys

Stefan Suurmeijer stefan at raptorweb.nl
Thu Aug 27 22:28:09 UTC 2015

On 27-08-15 18:53, Simon B wrote:
> > > On 27 Aug 2015 16:13, "Stefan Suurmeijer" <stefan at raptorweb.nl
<mailto:stefan at raptorweb.nl>> wrote: > > > >
> > Yes. If you want/need to send encrypted messages, you must make
> absolutely sure that the public keys belongs to the person you want to
> send a message to (and not from someone who is impersonating this person
> and uploaded a rogue key to the public keyservers). Horde can't do that
> for you automatically, this needs to be done by other means (checking in
> person, web-of-trust, etc).
> While that is true, there are other ways of achieving that. A good
> practice over here (that I use myself) is to include my PGP fingerprint
> in both my e-mail signature and on my business card. It would be very
> easy to import a public key from a keyserver and check the fingerprint.
> On the off chance I'd have to send to someone that I had no PGP
> knowledge about, it would still be a lot faster to just call them and
> check the key I imported (again through the fingerprint or other
> relevant data) than having them export their key and e-mail it to me
> Plus, for the other organization I work for, all valid keys are signed
> by our certificate authority (the security manager) which, again, is
> easily verifiable.
> So while I agree with you on principle, I don't see any objection to
> just using a keyserver to import the public keys. Verification can be
> done in other ways
> > What you describe as good practice is merely out-sourcing the
> verification to someone/thing else.

The sender is always the person that has to verify if (s)he has the
correct key. It's not outsourcing, just making the necessary
verification easier.

> > This is the reason PKI is broken.
> > https://www.schneier.com/paper-pki-ft.txt

Well, a lot of kicking in open doors in that paper, but how is it
relevant to my question? No system that involves people is watertight.
In fact, probably no system not involving people is watertight (yet). If
someone really wants to break into your house, they're going to get in.
The point is to make it as difficult as possible


More information about the horde mailing list