[Users] Importing PGP keys

Ralf Mardorf info.mardorf at rocketmail.com
Thu Oct 22 13:56:16 CEST 2015


On Thu, 22 Oct 2015 12:32:07 +0100, Paul wrote:
>On Thu, 22 Oct 2015 13:12:44 +0200
>Ralf Mardorf <info.mardorf at rocketmail.com> wrote:
>
>> Importing keys to check signed mails without a web
>> of trust is ridiculous.
>
>What do you do when you want to verify the authenticity of a
>download, for example? It's a rhetorical question.

Hi Paul,

there is always a need to trust.

If you e.g. download a package, you need to trust the maintainer, you
need to trust the web of trust, that validates the public key of the
maintainer.

However, just downloading a public key from a server, without a web of
trust, or without getting the key from the owner privately rather than
via the Internet, isn't secure.

Lapidary rhetorical questions to avoid a reply are exactly the reason
that I use gpg very seldom nowadays. Because it isn't discussed how gpg
works, in most cases it is used incorrectly; IOW it's not only rendered
useless, it becomes dangerous, since users guess something is secure
while it isn't. It's better to be aware that something is insecure, if
it's insecure.

There are several pitfalls, some people e.g. even store messages
decrypted.

Security under Linux comes with a lot of myths for inexperienced users.

Some already consider downloading something and verifying it with a
checksum as being secure, but even a signed checksum is _not_ secure,
as long as the user cannot validate the ownership of the public key.

Regards,
Ralf
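The point made in this message (a "Good signature" from gpg says nothing about whether the key belongs to the maintainer) can be turned into a verification policy. The following is an added example, not code posted by anyone in this thread. It reads the machine-readable lines gpg prints with `--status-fd` (GOODSIG, VALIDSIG, the TRUST_* levels and the error keywords) and accepts a signature only when the key's ownership has been validated, either through the web of trust (gpg reports at least TRUST_FULLY) or by matching a fingerprint that was obtained from the owner out of band. The fingerprint, the user id and every status line in the sample data are constructed.

```python
"""Decide whether a gpg verification is trustworthy, not merely "Good signature".

Added example for this thread, not code posted by any participant. It parses
the lines gpg emits with --status-fd and applies a policy: accept only if the
signing key was validated in the web of trust, or its fingerprint matches one
obtained out of band from the owner. All sample data below is constructed.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional, Set

# gpg's ownership-validity levels for the signing key, lowest to highest.
TRUST_ORDER = ["TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
               "TRUST_FULLY", "TRUST_ULTIMATE"]
ERROR_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None
    trust: Optional[str] = None


def parse_status(status_text: str):
    """Extract (good, key fingerprint, trust level, errors) from status lines."""
    good, fingerprint, trust, errors = False, None, None, []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # parts[2] is the signing (sub)key fingerprint; when gpg appends
            # the primary key fingerprint as the 12th field, prefer that one,
            # because that is what a maintainer publishes.
            fingerprint = parts[11] if len(parts) >= 12 else parts[2]
        elif keyword.startswith("TRUST_"):
            trust = keyword
        elif keyword in ERROR_KEYWORDS:
            errors.append(keyword)
    return good, fingerprint, trust, errors


def decide(status_text: str, pinned: Set[str],
           minimum_trust: str = "TRUST_FULLY") -> Verdict:
    """Turn gpg status output into an accept/reject decision."""
    good, fpr, trust, errors = parse_status(status_text)
    if errors:
        return Verdict(False, "gpg reported " + ", ".join(errors), fpr, trust)
    if not good or fpr is None:
        return Verdict(False, "no good signature", fpr, trust)
    if fpr in pinned:
        return Verdict(True, "key fingerprint matches one obtained out of band", fpr, trust)
    if trust in TRUST_ORDER and TRUST_ORDER.index(trust) >= TRUST_ORDER.index(minimum_trust):
        return Verdict(True, "key validated through the web of trust", fpr, trust)
    # The common failure: key fetched from a keyserver, signature checks out,
    # but nobody has validated that the key belongs to the maintainer.
    return Verdict(False, f"good signature, but key ownership not validated ({trust})",
                   fpr, trust)


def verify_download(signature_path: str, data_path: str, pinned: Set[str]) -> Verdict:
    """Run gpg on a detached signature and apply the policy above."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True)
    return decide(proc.stdout, pinned)


# Constructed fingerprint of a hypothetical maintainer key (not a real key).
MAINTAINER_FPR = "000000000000000000000000" + "0123456789ABCDEF"

# Constructed status output: key merely fetched from a keyserver.
KEYSERVER_ONLY = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG {MAINTAINER_FPR} 2015-10-22 1445515200 0 4 0 1 10 00 {MAINTAINER_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed status output: same key, but validated in the local trust db.
WEB_OF_TRUST = KEYSERVER_ONLY.replace("TRUST_UNDEFINED", "TRUST_FULLY")

# Constructed status output: tampered file, signature does not verify.
TAMPERED = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>
"""

if __name__ == "__main__":
    for name, status in [("keyserver only", KEYSERVER_ONLY),
                         ("web of trust", WEB_OF_TRUST),
                         ("tampered", TAMPERED)]:
        print(name, "without pin:", decide(status, set()))
        print(name, "with pin:   ", decide(status, {MAINTAINER_FPR}))
```

Running the block shows the case the message warns about: the keyserver-only status is a good signature and still rejected, because neither path validated ownership; the same status passes once the fingerprint was pinned out of band or gpg reports TRUST_FULLY. `verify_download` wires the policy to a real `gpg --status-fd 1 --verify` call for a detached signature.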
