Questions about OpenPGP best practices

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Feb 26 07:51:36 CET 2013


On 02/25/2013 02:54 PM, Peter Loshin wrote:
> 1. "Don't use pgp.mit.edu". Which keyserver *should* be used? I assume
> that a pool is better than a particular server; is there one
> particular pool that is preferred? What about
> http://pool.sks-keyservers.net/?

You should use hkp:// instead of http://.  Using http:// implies a
simple web request (e.g. , while hkp:// implies the structured key
lookups keyservers are known to use.

and you may want to use ha.pool.sks-keyservers.net (this is a
high-availability pool -- only keyservers that operate behind HTTP
reverse proxies are included.  this mode of operation is considered a
best-practice for sks keyserver operators).

> 2. On keeping an encrypted backup of my secret key material, what
> method is recommended for doing that? (Presumably something like "gpg
> --export-secret-keys | gpg --output secretkeymatter.gpg --symmetric"?)

i agree with grant olson that there is no need to double-encrypt.  you
may also be interested in using paperkey to generate a minimized chunk
of data for offline backup:

  http://www.jabberwocky.com/software/paperkey/

> 3. On using a keyserver with HKPS support: when I attempt to connect
> (via Chrome) to https://sks-keyservers.net/, I get an error headlined
> "The site's security certificate is not trusted!", stating " the
> server presented a certificate issued by an entity that is not trusted
> by your computer's operating system."

yes, this host is certified by its operator (Kristian Fiskerstrand) via
the OpenPGP web of trust.  one way to verify it is with the monkeysphere
validation agent (msva-perl, in debian) and the monkeysphere firefox plugin.

> 4. When I try to use hkps://sks-keyservers.net with GnuPG at the
> command line, I get these messages:

sks-keyservers.net is not a keyserver itself -- it is the site that
describes the various pools.

hth,

	--dkg
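As an added example (not part of the post or of GnuPG/paperkey itself), the following script puts the two pieces of advice above into practice: it writes the hkp:// pool setting into a gpg.conf, and it round-trips a throwaway secret key through paperkey in a temporary GNUPGHOME, confirming the restored key's fingerprint matches the original. It assumes gpg 2.1 or later and paperkey are installed; the user ID and file names are constructed. Note that the sks-keyservers.net pools were decommissioned in 2021, so substitute a keyserver of your own choice in the config line today.

```shell
#!/bin/sh
# Added example: gpg.conf keyserver setting plus a paperkey backup/restore check.
# Assumes gpg (2.1+) and paperkey are on PATH; all paths and the key are constructed.
set -eu

# Append the keyserver line recommended in the post to the gpg.conf at $1,
# using the hkp:// scheme rather than http://.
write_keyserver_conf() {
    printf 'keyserver hkp://ha.pool.sks-keyservers.net\n' >> "$1"
}

# Generate a test key, reduce its secret parts to paperkey text, rebuild the
# secret key from the public key plus that text, import it into a second empty
# keyring, and return 0 only if both keyrings report the same fingerprint.
paperkey_roundtrip() {
    work=$(mktemp -d)
    orig="$work/orig"; restore="$work/restore"
    mkdir -m 700 "$orig" "$restore"

    GNUPGHOME="$orig" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Paperkey Test <paperkey-test@example.invalid>' rsa2048 sign 0
    fpr=$(GNUPGHOME="$orig" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1=="fpr"{print $10; exit}')

    GNUPGHOME="$orig" gpg --batch --export "$fpr" > "$work/pub.gpg"
    GNUPGHOME="$orig" gpg --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-keys "$fpr" > "$work/sec.gpg"

    # paperkey keeps only the secret parts; the public key must be available
    # again at restore time (from your own backup or a keyserver).
    paperkey --secret-key "$work/sec.gpg" --output "$work/paper.txt"
    paperkey --pubring "$work/pub.gpg" --secrets "$work/paper.txt" \
        --output "$work/sec-restored.gpg"

    GNUPGHOME="$restore" gpg --batch --quiet --import "$work/sec-restored.gpg"
    restored=$(GNUPGHOME="$restore" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1=="fpr"{print $10; exit}')

    rm -rf "$work"
    [ -n "$fpr" ] && [ "$fpr" = "$restored" ]
}
```

The text file paperkey produces is what you print and store offline; an unprotected test key is used here only so the script runs non-interactively.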

