PGP: looking for advice on settings

Trevor Smith pmmail@rpglink.com
Wed, 22 Mar 2000 18:12:09 -0400 (AST)


On Wed, 22 Mar 2000 15:22:10 -0500, Andrew Webber wrote:

>1. Remember my passphrase this session: defaults to yes, I assume
>it's safe to do this.

It depends on how secure you need to be. If other people have access
to your computer, they may send mail that looks like it's from you or
they may be able to read your encrypted mail if you leave this option
on. On the other hand, if you turn it off, you'll need to type your
pass phrase every time you sign anything or open any encrypted
messages. This could be a major pain if you have a long pass phrase.

Unless you're really paranoid or you *really* can't afford to have
someone intercept your mail or impersonate you, I'd probably leave
the "remember it for this session" option on.

>2. Sign every outgoing message: I think this defaulted to "no" but
>I changed that to "yes".  The message I'm now composing has that
>button selected, I assume all I have to do is de-select it if I
>want to override for some strange reason?

That is correct. Signing every message is also good and bad though.
If your recipient doesn't have or care about PGP, it is needlessly
making every message larger. Personally I don't think this is an
issue but I have a smokin' fast Internet connection. On the plus
side, if you sign every message, you and others have some evidence
that you wrote them, if the need for proof should ever arise.

>3. Include public key on every outgoing message: defaults to "no".
>Should I be doing this?  This would seem pretty pushy since they
>should only need to get it once, right?

True. Also, depending on the size of your key this can be a MAJOR
addition to each message. Imagine the email that has one line of
message and 50 lines of public key! Probably including your
fingerprint is sufficient.

>4. Include public key fingerprint on every outgoing message:  what
>about this?  The help file (which I never find useful) merely says
>"With this option turned on, your public key fingerprint is
>included at the end of all your messages."  I could have guessed
>that. :(

The fingerprint is a "summary" of your public key (or something like
that). If I have your fingerprint and your public key, I can confirm
that the key is valid, assuming I believe that the fingerprint is
genuine (i.e., it was *really* sent to me by you, and not someone
impersonating you).

Again, it all depends on how paranoid you are. If you're ultra
paranoid or need ultra security for some reason, the only really safe
way to know you and your correspondent have each other's genuine keys
is to physically exchange them in person. The fingerprint provides a
sort of in-between measure: you can email or exchange keys
electronically and then use a telephone to make a voice call and read
out the fingerprint of your key so the person knows he's received the
correct key.

So, including your fingerprint in an email isn't really necessary,
but I do it just for the hell of it. My theory is that if anyone
tries to impersonate me in the future, there will be a bunch of old
emails sitting on people's hard drives with my *real* PGP public key
fingerprint and they might realize that something is wrong.


-- 
 Trevor Smith          |          trevor@haligonian.com
 PGP public key available at: www.haligonian.com/trevor

PGP Public Key Fingerprint= A68C C4EC C163 5C0A 6CFA  671F 05D4 0B30 318B AFD6
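What the fingerprint check described in the message actually computes, as an added example that is not part of Trevor's post: the OpenPGP version 4 fingerprint (RFC 4880, SHA-1 over the framed public-key packet), printed in the same grouped form as the fingerprint in the signature above, and then compared against a fingerprint read out over the phone. The RSA modulus, exponent and creation time below are constructed toy values, not a real key.

```python
import hashlib
import hmac


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bit_len = value.bit_length()
    return bit_len.to_bytes(2, "big") + value.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA Public-Key packet (RFC 4880 section 5.5.2):
    version byte, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()


def format_fingerprint(fp: bytes) -> str:
    """Render as PGP does: ten groups of four hex digits, a double space after the fifth."""
    hex_fp = fp.hex().upper()
    groups = [hex_fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def fingerprint_matches(received_key_body: bytes, spoken_fp: str) -> bool:
    """Recompute the fingerprint of a key received by email and compare it with the
    fingerprint the owner read out over the phone (spacing and case are ignored)."""
    expected = "".join(spoken_fp.split()).upper()
    if len(expected) != 40:
        return False
    actual = v4_fingerprint(received_key_body).hex().upper()
    # Constant-time compare; avoids leaking how many leading digits matched.
    return hmac.compare_digest(actual, expected)


# Constructed sample key (toy values, not a real RSA key): creation time, modulus, exponent.
SAMPLE_BODY = v4_public_key_body(953767929, 0xC3F7A2E19B5D4F8D9E1A2B3C4D5E6F71, 65537)
# The same key with one bit of the exponent flipped, as an impostor's key would differ.
TAMPERED_BODY = v4_public_key_body(953767929, 0xC3F7A2E19B5D4F8D9E1A2B3C4D5E6F71, 65539)

if __name__ == "__main__":
    fp = format_fingerprint(v4_fingerprint(SAMPLE_BODY))
    print("PGP Public Key Fingerprint=", fp)
    print("genuine key matches:", fingerprint_matches(SAMPLE_BODY, fp))
    print("tampered key matches:", fingerprint_matches(TAMPERED_BODY, fp))
```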