Does anyone know how to have an automatic association between a pgp public key and a 'specified by me' email address?
As in, some people create gpg keys which do not include their email address, and I would have thought it trivial for me, in my own keyring, to associate a public key I have received, with one or more email addresses of my choosing (and / or the person's name, as far as I know the name etc).
gpg --edit-key HASH brings up a prompt, and help gives things like trust and list, and there is a "notation" sub command which sounds perfect for the job, but can only operate on private keys, not public keys.
This all does not make sense to me. When someone sends me an email, signed with their private key, and I get a copy of their public key, I should be able to associate their public key, with their email address, even if their own signing of their pub/sub public key does not include that particular (or any) email address.
What gives?
TIA
On 07/01/2016 08:32 PM, Zenaan Harkness wrote:
> Does anyone know how to have an automatic association between a pgp public key and a 'specified by me' email address?
That's easy in Enigmail.
> As in, some people create gpg keys which do not include their email address, and I would have thought it trivial for me, in my own keyring, to associate a public key I have received, with one or more email addresses of my choosing (and / or the person's name, as far as I know the name etc).
> gpg --edit-key HASH brings up a prompt, and help gives things like trust and list, and there is a "notation" sub command which sounds perfect for the job, but can only operate on private keys, not public keys.
> This all does not make sense to me. When someone sends me an email, signed with their private key, and I get a copy of their public key, I should be able to associate their public key, with their email address, even if their own signing of their pub/sub public key does not include that particular (or any) email address.
> What gives?
> TIA
On 07/01/2016 07:32 PM, Zenaan Harkness wrote:
> Does anyone know how to have an automatic association between a pgp public key and a 'specified by me' email address?
> As in, some people create gpg keys which do not include their email address, and I would have thought it trivial for me, in my own keyring, to associate a public key I have received, with one or more email addresses of my choosing (and / or the person's name, as far as I know the name etc).
> gpg --edit-key HASH brings up a prompt, and help gives things like trust and list, and there is a "notation" sub command which sounds perfect for the job, but can only operate on private keys, not public keys.
> This all does not make sense to me. When someone sends me an email, signed with their private key, and I get a copy of their public key, I should be able to associate their public key, with their email address, even if their own signing of their pub/sub public key does not include that particular (or any) email address.
> What gives?
> TIA
What gives? Waiting for Juan to tell us how compromised gpg is and that you're a fed if you question his (snigger) authority.
On Fri, Jul 01, 2016 at 08:11:20PM -0700, Rayzer wrote:
> Waiting for Juan to tell us how compromised gpg is and that you're a fed if you question his (snigger) authority.
=====
https://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html
Thu Nov 27 09:29:51 CET 2003
GnuPG's ElGamal signing keys compromised
Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.
======
Do you mean to see more like this from gpg?
IIRC gpg used small numbers, to save picoseconds in computations and the attack fucked them with lattice reduction in nanoseconds...
Not to mention the compatibility with pgp 0.0001, which makes keyid collisions trivial (the ubuntu comrades suffered from this a few times).
On Jul 1, 2016, at 10:32 PM, Zenaan Harkness <zen@freedbms.net> wrote:
> Does anyone know how to have an automatic association between a pgp public key and a 'specified by me' email address?
> As in, some people create gpg keys which do not include their email address, and I would have thought it trivial for me, in my own keyring, to associate a public key I have received, with one or more email addresses of my choosing (and / or the person's name, as far as I know the name etc).
> gpg --edit-key HASH brings up a prompt, and help gives things like trust and list, and there is a "notation" sub command which sounds perfect for the job, but can only operate on private keys, not public keys.
> This all does not make sense to me. When someone sends me an email, signed with their private key, and I get a copy of their public key, I should be able to associate their public key, with their email address, even if their own signing of their pub/sub public key does not include that particular (or any) email address.
> What gives?
> TIA
In the case of someone not including their email address in their key, you will probably need to just save the message to a file, pop into the shell, and verify manually... which I realize isn't what you're looking for!
I'll poke around my mutt config when I get to a real computer, seems maybe you could play with the pgp_verify_command (setting is something like that..), although mutt+gpg always a little fragile IME (although def works)....
--
John
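The manual check described in the message above, extended with a locally kept fingerprint-to-address map, as an added example that is not from any participant in this thread. The map file format, its path and the function names are assumptions; `gpg --status-fd` and its `VALIDSIG` status line are standard GnuPG, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: tie a verified signing key to addresses chosen locally.
# Map file (assumed format): one "FINGERPRINT address" pair per line; repeat
# the fingerprint on several lines to allow several addresses for one key.

# Print the fingerprint from the first VALIDSIG status line on stdin.
# gpg emits "[GNUPG:] VALIDSIG <fingerprint> ..." only for a good signature.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Return 0 if map file $3 lists fingerprint $1 together with address $2.
fpr_has_addr() {
    awk -v fpr="$1" -v addr="$2" '
        toupper($1) == toupper(fpr) && tolower($2) == tolower(addr) { ok = 1; exit }
        END { exit !ok }' "$3"
}

# Read gpg status output on stdin; $1 = claimed From: address, $2 = map file.
# Returns 0 = valid signature from a key mapped to that address,
#         1 = valid signature but key not mapped to that address,
#         2 = no valid signature at all.
sender_matches() {
    fpr=$(validsig_fpr)
    [ -n "$fpr" ] || return 2
    fpr_has_addr "$fpr" "$1" "$2"
}

# Demo on constructed data (fingerprint and addresses are made up).
demo() {
    map=$(mktemp)
    echo '0123456789ABCDEF0123456789ABCDEF01234567 alice@example.org' > "$map"
    echo '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-07-01 1467400000' |
        sender_matches alice@example.org "$map" && echo "signer matches local map"
    rm -f "$map"
}
demo

# Real use, with message.asc saved from the mail client:
#   gpg --status-fd 1 --verify message.asc 2>/dev/null |
#       sender_matches alice@example.org "$HOME/.gnupg/addr-map"
```

Keying the map on the full fingerprint rather than the short key ID avoids the key ID collisions mentioned earlier in the thread.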
participants (5)
- Georgi Guninski
- John Newman
- Mirimir
- Rayzer
- Zenaan Harkness