Developer Forum

First of all sorry if my question is OT: I just don't know where to
post it, so pointers to more appropriate groups are welcome.

I'm using Mutt with GPG, and I want to publish my key in my headers
using the appropriate X headers.
I know that X headers aren't standardized, so I can put inside them
quite everything I want, but I'm interested in common practices and
better ways to distribute GPG keys.

By now I put inside my headers something like that:

my_hdr X-GPG-Keyserver: hkp://subkeys.pgp.net
my_hdr X-GPG-Fingerprint: D3C2 DB93 DF6A 601B A32B CEB1 4020 7E71 0DAA
3925

Thoughts ?

TIA and HAND,
ngw

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Just and clearsign your messages and users will
automagically get your key from keyservers.

-----BEGIN PGP SIGNATURE-----

iD8DBQFBLIbxZsrx6aBPZiwRAtq2AJ4h2Tp6UYEsUfcFqiRtWc9qkaBd4gCfY5ye
3ZTXp1f4aHsgfX1qiEouQxw=
=nNow
-----END PGP SIGNATURE-----

On Wed, 25 Aug 2004 14:22:39 +0200, Nicholas Wieland < XXXX@XXXXX.COM >:
...........................^^^

"hkp"?

See my headers for my approach.


--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.yqcomputer.com/ ~keeling
- - Spammers! http://www.yqcomputer.com/ ~keeling/spammers.html
http://www.yqcomputer.com/ ://www.netmeister.org/news/learn2quote.html

First thought: why? signatures etc contain the key id that was used to
make the signature etc. If your key is on public keyservers, it can be
automatically fetched by the program doing the signature verification.
People smart enough to look for key info in headers are usually smart
enough to have turned on automatic keyfetching. Who are you providing
this information to?

--
Every fleeting thought you've ever had in your life, no matter how bizarre,
is someone's lifelong obsession. And he has a website.
-- Skif's Internet Theorem

- Peter H. Coffin :

Well, I'm not an expert, I've read the fine manual thinking that it was
the right approach ...
Probably you're right, but, for example, what happens if someone read
mails offline (like me) ?

TIA,
ngw

Given that PGP keys are usually at least a couple of K each, please don't do
this. Put your key on a keyserver, and put the fingerprint in the headers.
That's just as good.

--
"Uh oh! Jimmy's been bit by a [redback spider | box jelly |
more-than-usually-toxic-platypus | puff adder | hoop snake | other vastly
venomous Australian fauna]! Skippy, go get....shit, too late. Skippy, go get
a shovel." -- Adam Thornton contemplates "Skippy"

Reading manuals is the right approach. Sometimes the manuals get a
little out of date, or put together by people that don't know all the
details or read a preliminary RFC written by someone else that didn't
know what they were talking about either. I don't know how many people
have asked about their favorite OS's implementation of RFC3514...

"Why do you want to do this?" questions aren't posed as a challenge of
"why do you have the right to know?" but to make sure that the right
problem is being solved.


They'll have to go online to get your key, won't they? Just read the
mail again, the key gets added to the public ring, and it's there for
future offline reading.

--
47. If I learn that a callow youth has begun a quest to destroy me, I will
slay him while he is still a callow youth instead of waiting for him to
mature.
--Peter Anspach's list of things to do as an Evil Overlord

That's what the OP was talking about doing, and it's not generally
necessary with PKE software not written by monkeys on *** .

--
"Friendship is born at that moment when one person says to another, 'What!
You too? I thought I was the only one!'"
--C.S. Lewis

If you're the recipient, it requires you to get a signed mail so that
you get the key if auto-fetching is enabled. But maybe you see a
non-signed mail on a public list and want to start a private
conversation using encryption so that you need to fetch the key by hand.
Or you search the web for mails on mailing lists from a certain person
you not yet received a mail from and thus need information about the key
to get it by hand. Or...

bye, Rocco
--
:wq!

No, the original poster was talking about putting the whole key in his
headers. I'm suggesting just the fingerprint, so that people can compare the
fingerprint of the key they get from the keyservers with the key that was
used to sign the message. Monkeys on any kind of drug don't really enter
into it.

--
Paul

16. I will never utter the sentence "But before I kill you, there's
just one thing I want to know."

- Paul Walker :


When I say I want to "publish" my key in my headers I mean exactly what
Peter said ... My fault, my english is not so good :)
Thanks everyone, I'll do as Paul suggested.

HAND,
ngw