Recipe 7.9 Sharing Public Keys
7.9.1 Problem
You want to obtain a
friend's public key securely but conveniently.
7.9.2 Solution
Most securely, get the public key on disk directly from your friend
in person. Barring that:
Obtain the public key by any means (e.g., email, keyserver [Recipe 7.19]). Add the key to your keyring. [Recipe 7.10] Before using the key, telephone its owner and ask him to read the key
fingerprint aloud. View the fingerprint with: $ gpg --fingerprint key_id If they match, you're done. If not, consider the key
suspect, delete it from your keyring, and don't use
it. If you trust the key, indicate this to
GnuPG: $ gpg --edit-key key_id
Command> trust and follow the prompts.
7.9.3 Discussion
Public keys are not secret, but they do require trust: the trust that
a given key actually belongs to its alleged owner. A
fingerprint can provide that
trust in a convenient form, easy to read aloud over a telephone.
Always verify the fingerprint before trusting a
public key. If you don't, consider this scenario:
You email your friend, asking for his public key. A snooper intercepts your email and sends you
his public key instead of your
friend's. You blindly add the snooper's public key to your
keyring, believing it to be your friend's. You encrypt sensitive mail using the snooper's key
and send it to your friend. The snooper intercepts your mail and decrypts it.
7.9.4 See Also
gpg(1).
|
