[Enigmail] Hello Enigmail, new user here!

Phil Stracchino alaric at metrocast.net
Mon Mar 10 11:29:18 PDT 2008

Dogssup wrote:
| Open source is awesome :)
|
| Now, I don't know exactly what I'm doing but I'm including my public key
| at the bottom.
|
| On people's web pages they include their public key. Do I copy and paste
| (import) this into Enigmail to start encryption correspondence? How do
| I know this public key has not been altered and/or the person I intend
| my encrypted mail to go to? For this reason, I'd think putting the public
| key on a server is safer to avoid the risk of it being altered? Sorry
| for all the questions!

You're correct that the keyservers are preferred, but not because it's
more secure in any way; it's simply more convenient.  (Enigmail provides
you with a simple way to send your key to the keyserver network via the
Key Management dialog, by the way.  Doing so is much preferred over
pasting your exported key into the message body.)


In fact, lacking any other authentication, you have *less* grounds to
trust a key retrieved from a keyserver than one posted on a website that
you have reasonable grounds for believing actually does belong to the
sender.  Anyone can post a spoofed key to a keyserver, pretending to be
someone else, especially if that person has not actually posted their
own key; but to post a spoofed key on my site in place of my own, for
example, a hypothetical attacker must first either compromise my
webserver, or misdirect you to a falsified web site using (for example)
a DNS cache poisoning attack or a cross-site scripting attack.
Regardless of how you obtain someone's key, though, unless you exchanged
keys face-to-face, you need to take additional steps to verify that key
(be it via some form of in-person verification, web-of-trust, or
whatever) before you can safely trust that key for any secure use.


-- 
  Phil Stracchino, CDK#2         ICBM: 43.5607, -71.355
  Renaissance Man, Unix ronin, Perl hacker, Free Stater
  alaric at caerllewys.net            alaric at metrocast.net
          It's not the years, it's the mileage.
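On the reply's point that where a key came from (keyserver or web page) says nothing about whether it is really the sender's, here is an added illustration, not from the thread and not Enigmail's code, of what the out-of-band check actually compares: the OpenPGP v4 fingerprint derived from the public-key packet (RFC 4880), which a spoofed or altered key cannot reproduce. The key numbers and creation time are constructed, not a real key.

```python
import hashlib
import hmac
import struct

def mpi(x: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 s3.2)."""
    bitlen = x.bit_length()
    return struct.pack(">H", bitlen) + x.to_bytes((bitlen + 7) // 8, "big")

def v4_rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 s5.5.2)."""
    # version 4, creation time, algorithm 1 (RSA), then the MPIs n and e
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, two-octet body length, body (RFC 4880 s12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The long key ID is the low-order 64 bits, i.e. the last 16 hex digits."""
    return fingerprint[-16:]

def normalize(fingerprint: str) -> str:
    """Accept the spaced, mixed-case form people read aloud or print on cards."""
    return "".join(fingerprint.split()).upper()

def matches_out_of_band(body: bytes, expected: str) -> bool:
    """True only if the key material hashes to the fingerprint obtained via another channel."""
    return hmac.compare_digest(v4_fingerprint(body), normalize(expected))

# Constructed sample key material (small made-up numbers; not a usable RSA key).
SAMPLE_KEY = v4_rsa_pubkey_body(1205173758, 0xC9A4F2B7D1E35A6F0B8C4D2E7F1A3B5D, 65537)
# The same packet with one byte of the modulus flipped: a "key altered in transit" case.
# Offset 20 lies inside the modulus MPI (6 header bytes + 2-byte MPI length + data).
TAMPERED_KEY = SAMPLE_KEY[:20] + bytes([SAMPLE_KEY[20] ^ 0x01]) + SAMPLE_KEY[21:]

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_KEY)
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("key id:     ", key_id(fpr))
    print("tampered copy matches:", matches_out_of_band(TAMPERED_KEY, fpr))
```

Whoever hands you the fingerprint (in person, on a business card, over the phone) is the trust anchor; the key file or keyserver record itself is not.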