• Your default keyserver and pgp workflow

    From Szczezuja.space@21:1/5 to All on Sun Mar 26 15:09:07 2023
    Hello,

    Since I cleared my gpg configuration, I'm starting to think about
    improving my workflow for signing, encrypting and decrypting messages.

    It isn't connected only with mutt, but probably many of you are using many different approaches, and it will be interesting to talk about that in mutt/neomutt.

    How do you manage your keys, do you use any keyserver? Do you use
    autocrypt? Or do you manually invoke extract-keys from messages?

    Best regards,

    --
    .-=-. Szczezuja; on the small-net:
    ( S\ \ gemini://szczezuja.space/ - gemlog & tinylog
    `--' / gopher://sdf.org:70/0/users/szczezuja/ - phlog

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jorgen Grahn@21:1/5 to Szczezuja.space on Mon Apr 10 11:47:16 2023
    On Sun, 2023-03-26, Szczezuja.space wrote:
    > Hello,
    >
    > Since I cleared my gpg configuration, I'm starting to think about
    > improving my workflow for signing, encrypting and decrypting messages.
    >
    > It isn't connected only with mutt, but probably many of you are using many different approaches, and it will be interesting to talk about that in mutt/neomutt.
    >
    > How do you manage your keys, do you use any keyserver? Do you use
    > autocrypt? Or do you manually invoke extract-keys from messages?

    Don't know if this helps, but I have a key, and it's available on key
    servers (hkp://pool.sks-keyservers.net). I see that availability as
    an invitation only; obviously you cannot trust that key based on
    nothing else.

    When sending mail I OpenPGP-sign with that key. However, I don't know
    a lot of people who read mail nowadays, and I know only a handful who
    know what OpenPGP is, and only one who uses it ... so even the signing
    is more of a political statement than anything else. Or an empty
    gesture, if you will.

    It would be nice if people changed their minds, with the recent
    attacks on privacy (at least in the EU). It's now clear to everybody
    that if you trust anything but end-to-end encryption based on free
    software, you're screwed.

    /Jorgen

    --
    // Jorgen Grahn <grahn@ Oo o. . .
    \X/ snipabacken.se> O o .

  • From Eike Rathke@21:1/5 to All on Mon Apr 10 12:24:56 2023
    * Jorgen Grahn, 2023-04-10 11:47 UTC:
    > Don't know if this helps, but I have a key, and it's available on key
    > servers (hkp://pool.sks-keyservers.net).

    Do not use sks-keyservers anymore (isn't that dead already anyway? DNS
    doesn't resolve).

    Reason: they may serve poisoned keys flooded with certificates.
    https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
    https://lwn.net/Articles/792366/
    https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
    https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it

    Use https://keys.openpgp.org/ instead and don't forget to verify uids by replying to sent mails. Also good to use is the https://keys.mailvelope.com/ verifying keyserver.

    Eike

    --
    OpenPGP/GnuPG encrypted mail preferred in all private communication.
    GPG key 0x6A6CD5B765632D3A - 2265 D7F3 A7B0 95CC 3918 630B 6A6C D5B7 6563 2D3A
    Use LibreOffice! https://www.libreoffice.org/

  • From Szczezuja.space@21:1/5 to Eike Rathke on Sun Apr 23 15:32:04 2023
    On 2023-04-10, Eike Rathke <[email protected]> wrote:
    > * Jorgen Grahn, 2023-04-10 11:47 UTC:
    >> Don't know if this helps, but I have a key, and it's available on key
    >> servers (hkp://pool.sks-keyservers.net).
    >
    > Do not use sks-keyservers anymore (isn't that dead already anyway? DNS
    > doesn't resolve).
    >
    > Reason: they may serve poisoned keys flooded with certificates.
    > https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
    > https://lwn.net/Articles/792366/
    > https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
    > https://code.firstlook.media/the-death-of-sks-pgp-keyservers-and-how-first-look-media-is-handling-it
    >
    > Use https://keys.openpgp.org/ instead and don't forget to verify uids by
    > replying to sent mails. Also good to use is the https://keys.mailvelope.com/
    > verifying keyserver.

    Thanks for your responses. So it was confusing for me because in the
    default gpg.conf you can read that:

    # Note that most servers (with the notable exception of
    # ldap://keyserver.pgp.com) synchronize changes with each other. Note
    # also that a single server name may actually point to multiple
    # servers via DNS round-robin. hkp://keys.gnupg.net is an example of
    # such a "server", which spreads the load over a number of physical
    # servers.

    So I was using that default gnupg.net key server. But I also came across
    the keys.openpgp.org server. But that server doesn't exchange keys with
    others. There is also the more commercial keyserver.ubuntu.com and so on.
    And I had an e-mail from a person who is using the openpgp.org server,
    while I had the gnupg.net server in my config. And it brought a problem,
    because I had to look for another server. So I'm confused, because it is
    probably possible for so many local servers to exist. And how to manage
    that? Especially when you are inside mutt.

    I was asking also because there are other solutions like, e.g.,
    autocrypt. It looks nice, and neomutt supports that. But in my
    neighborhood it isn't spotted.

    --
    .-=-. Szczezuja; on the small-net:
    ( S\ \ gemini://szczezuja.space/ - gemlog & tinylog
    `--' / gopher://sdf.org:70/0/users/szczezuja/ - phlog

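    An added example, not code from anyone in this thread: a small POSIX shell audit that scans a gpg.conf for the keyserver lines Eike warns against (the SKS pool, and the keys.gnupg.net round-robin the old gpg.conf comment advertises) and prints the keys.openpgp.org replacement he recommends. It assumes only sed and grep, needs no network, and the sample config it checks is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a gpg.conf for the keyserver
# lines discussed above and print the replacement Eike recommends.

# Hosts to flag: the SKS pool Eike warns about, and keys.gnupg.net, the
# round-robin the old gpg.conf comment advertises, which was a DNS alias
# for that same pool (so it is treated as the same case here).
DEPRECATED_HOSTS='sks-keyservers\.net|keys\.gnupg\.net'

# keyserver_lines FILE: print the active (non-comment) "keyserver" lines.
keyserver_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1" \
        | grep -E '^keyserver[[:space:]]' || true
}

# audit_gpg_conf FILE: print each flagged line prefixed with "DEPRECATED:";
# return 1 if any were found, 0 otherwise.
audit_gpg_conf() {
    hits=$(keyserver_lines "$1" | grep -E "$DEPRECATED_HOSTS" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/DEPRECATED: /'
        return 1
    fi
    return 0
}

# corrected_fragment: the gpg.conf line for the verifying keyserver.
# keys.openpgp.org publishes user IDs only after e-mail verification and
# drops third-party certifications, so it cannot serve flooded keys.
corrected_fragment() {
    cat <<'EOF'
keyserver hkps://keys.openpgp.org
EOF
}

# Constructed sample resembling the poster's old configuration.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# keyserver hkp://pool.sks-keyservers.net
keyserver hkp://keys.gnupg.net
keyserver-options auto-key-retrieve
EOF

if audit_gpg_conf "$SAMPLE_CONF"; then
    echo "no deprecated keyserver lines found"
else
    echo "replace the flagged line(s) with:"
    corrected_fragment
fi
rm -f "$SAMPLE_CONF"
```

    Run it against ~/.gnupg/gpg.conf by replacing the constructed sample; the commented-out sks line is ignored and only the active keys.gnupg.net line is flagged.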