On Sunday 23 November 2003 14:00, Andy Stewart wrote:
While I was cleaning out my inbox e-mail folder, I ran across several e-mails from WLUG members which were digitally signed. I've recently upgraded to SuSE 9.0 and the 'new' version of KDE's Kmail flags these e-mails in bright yellow. Kmail is telling me that I don't have the sender's public key available, and thus it isn't sure that the mail actually came from the claimed sender.
you're probably using one of the latest versions of kmail so pgp integration is a breeze (i think this started around 3.1 with the inclusion of the Ägypten Project)
http://kmail.kde.org/
http://www.gnupg.org/aegypten/

a pretty good HOWTO that is generic to any distro:
http://kmail.kde.org/kmail-pgpmime-howto.html

for you Gentoo wh0res:
http://www.gentoo.org/doc/en/gnupg-user.xml
My question is this: how do I get someone's public key?
with kmail/gnupg it *can* be automagic ... otherwise you could just use the web interfaces keyservers (like the mit one) provide or the cmdline interface gnupg provides (it's harsh :D)

here's some nice options i use in my ~/.gnupg/gpg.conf file:
keyserver x-hkp://pgp.mit.edu
keyserver-options auto-key-retrieve
keyserver-options verbose
keyserver-options verbose
keyserver-options verbose
1) How do I know that the public key I'm given really belongs to the person giving it? Short of receiving it in person, and assuming that the person isn't an imposter, I suppose I eventually have to limit my level of paranoia to some level of trust. :-)
you hit it exactly ... there is NO way of knowing for sure unless you meet the person in real life and swap each other's keys right then and there (it's actually what a lot of developers do when they meet at places like Linuxworld ... it sets up the basic web of trust pgp is built on) ... but then again we don't all need that level of paranoia when talking with other random wlug users do we? ;)
-mike
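An added example, not part of the original thread: a key pulled in by auto-key-retrieve is unverified until its fingerprint matches one the owner gave you in person or over another channel. The sketch below makes that comparison on `gpg --with-colons --fingerprint` output read from stdin; the function names and the sample listing are constructed, and it assumes 40-hex-digit (v4) fingerprints.

```shell
#!/bin/sh
# Added example: check a fetched key against a fingerprint obtained out of band.
# Real use:  gpg --with-colons --fingerprint KEYID | check_fpr "$FPR_FROM_OWNER"

# Strip spaces, tabs and colons from a typed fingerprint and upper-case it.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t:' | tr 'a-f' 'A-F'
}

# Print the fingerprint of the first primary key in a colon listing on stdin.
# Field 10 of an "fpr" record holds the fingerprint; records that follow a
# "sub" line belong to subkeys and are skipped.
primary_fpr() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; exit }
    '
}

# check_fpr EXPECTED: 0 = match, 1 = mismatch, 2 = unusable input.
check_fpr() {
    expected=$(norm_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*|"") return 2 ;;        # not a hex string
    esac
    [ "${#expected}" -eq 40 ] || return 2  # assumption: v4 fingerprint length
    actual=$(primary_fpr)
    [ -n "$actual" ] || return 2           # no primary key in the listing
    [ "$actual" = "$expected" ]
}

# Constructed sample listing (not a real key).
SAMPLE='pub:-:1024:17:AAAAAAAAAAAAAAAA:2003-01-01:::-:Constructed User <user@example.org>::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:2048:16:BBBBBBBBBBBBBBBB:2003-01-01::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

if printf '%s\n' "$SAMPLE" | check_fpr "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"; then
    echo "fingerprint matches"
fi
```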