PGP: looking for advice on settings
Andrew Webber
pmmail@rpglink.com
Wed, 22 Mar 2000 18:25:53 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 22 Mar 2000 18:12:09 -0400 (AST), Trevor Smith wrote:
>On the other hand, if you turn it off, you'll need to
>type your pass phrase every time you sign anything
>or open any encrypted messages.
I suppose it would be less work to exit PMMail when I leave my desk
(this only addresses physical access).
>That is correct. Signing every message is also good and
>bad though. If your recipient doesn't have or care about
>PGP, it is needlessly making every message larger.
>Personally I don't think this is an issue but I have a
>smokin' fast Internet connection. On the plus side, if
>you sign every message, you and others have some
>evidence that you wrote them, if the need for proof
>should ever arise.
I just switched from cablemodem (smokin' fast) to ADSL/1-meg-modem
(reasonably brisk). But even at 33.6, even dialled into a local
Compuserve node, or even dialled long distance mid-day from
California to my ISP in Ottawa, I didn't consider that signature
block to be a significant addition to the load. This was when I
used PMMail98 Standard Edition, i.e. until this morning. ;)
>The fingerprint is a "summary" of your public key (or
>something like that). If I have your fingerprint and your
>public key, I can confirm that the key is valid,
Is there any easy way to compare them in PMMail?
On Wed, 22 Mar 2000 14:17:03 -0800, Steve Lamb wrote:
>> 3. Include public key on every outgoing message: defaults
>> to "no". Should I be doing this? This would seem
>> pretty pushy since they should only need to get it once,
>> right?
>
>Correct. Create a filter to send it if they request it and
>put the key up on the public servers and you should be cool.
Is it much of a security risk to put it on a public server? I was
thinking of an un-linked, un-titled page on my website. Or just
emailing it out on request. How big is a public key, anyway? (I
mean, if I create a "2048 bit" key, what is the impact? Is it 256k
when I email it?)
Thanks to you both for the comments and suggestions!
Uh oh, something strange just happened while I was writing this.
- - I sent a signed but unencrypted email to a friend who I'm pretty
sure doesn't have PGP support.
- - He replied, I assume including my PGP signature block as part of
the quoted material.
- - His reply has a yellow key in my inbox.
- - When I open the email it says it was signed by me, at the same
time as my earlier message to him!
Is this normal?
And what's the difference between a yellow key and a grey key?
Thanks again!
andrew
- ------
current local weather: http://cnn.com/WEATHER/html/OttawaOntario.html
-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies.
iQA/AwUBONlWgGyNWkS9bbCHEQK+iQCgmcJHUuKPKqYTqopdwDoNXGMeNRQAoJsk
CNBF96JY2b9wh1YZ+FPhQy4l
=hDI/
-----END PGP SIGNATURE-----
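
The fingerprint described in the quoted reply as a "summary" of the public key, and the question of how large a "2048 bit" key is, can both be worked through in code. This is an added example, not part of the original message: it assumes a version 4 RSA key laid out as in RFC 4880, and the modulus, exponent and creation time are constructed stand-ins rather than a real key.

```python
import base64
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public-key packet: version, time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, then the body itself."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes of the v4 fingerprint."""
    return fingerprint[-16:]


def same_fingerprint(a: str, b: str) -> bool:
    """Compare two fingerprints, ignoring the spacing and case used when printed."""
    def norm(s: str) -> bytes:
        return "".join(s.split()).upper().encode()
    return hmac.compare_digest(norm(a), norm(b))


def sizes(body: bytes) -> tuple:
    """(raw bytes, base64 characters) for the key packet body alone."""
    return len(body), len(base64.b64encode(body))


# Constructed sample values (assumptions for illustration, not a usable key)
SAMPLE_N = (1 << 2047) | 1      # a 2048-bit number standing in for the modulus
SAMPLE_E = 65537
SAMPLE_CREATED = 953683200      # constructed creation time, seconds since 1970

if __name__ == "__main__":
    body = v4_rsa_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    fp = v4_fingerprint(body)
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("key ID:", key_id(fp), "sizes:", sizes(body))
```

The key packet body comes to 269 bytes, or 360 base64 characters. An exported key with one user ID and no third-party signatures adds a user ID packet and a self-signature, which still leaves it in the range of hundreds of bytes to a few kilobytes rather than 256k.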