Sharing Keys: Key Servers vs. Website Uploads
Can I add my keys directly to my website or upload them to any keyservers? Which method is the best practice and safer? I'm concerned that posting on keyservers might expose my email address to everyone. Is it possible to add duplicate emails when generating a key within GPG?
You can place keys on a website or in ~/.pgpkey if you use fingerd. The point of a key is so people know who you are and can verify this - hiding your email in this context doesn't make sense. You can have multiple email addresses on one key. Good luck finding usable keyservers. Since key poisoning became a thing, there are fewer and fewer. I get the feeling that the ones that are up, like MIT's, don't have up-to-date keys for many people.
My suggestion is the keyservers (since there's not many other options), and put your fingerprint at the bottom of your website and/or in your signature. If someone whacks your website, they can replace that key on it as well. Remember, anyone can make a key and claim to be you, therefore the fingerprint is important.
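The fingerprint check recommended in the post above, as an added example that is not part of the original thread: shell functions that compare the fingerprint in a downloaded key file with the one the owner published, before anything is imported. The function names, `key.asc` and `EXPECTED` are hypothetical, and the sketch assumes v4 keys and a gpg that provides `--show-keys`.

```shell
# Added example, not from the thread. key.asc and EXPECTED are placeholders.
# Typical use:
#   gpg --show-keys --with-colons key.asc | check_fpr "$EXPECTED" \
#     && gpg --import key.asc

# Normalise a fingerprint as people publish it ("ABCD 1234 ...", "0x..."):
# drop whitespace and colons, strip a leading 0x, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin and print each primary key's
# fingerprint: the "fpr" record (field 10) that follows a "pub" record.
# Fingerprints that follow "sub" records belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# check_fpr EXPECTED < colon-listing
# 0 = exactly one primary key and its fingerprint equals EXPECTED,
# 1 = fingerprint mismatch, 2 = unusable input.
check_fpr() {
    expected=$(normalize_fpr "$1")
    case "$expected" in
        ""|*[!0-9A-F]*) echo "expected fingerprint is not hex" >&2; return 2 ;;
    esac
    # Assumes v4 keys (40 hex digits); a short or long key ID is not enough.
    if [ "${#expected}" -ne 40 ]; then
        echo "need the full 40-digit fingerprint" >&2; return 2
    fi
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    # A file with several keys could hide an unexpected one; refuse it.
    if [ "$count" -ne 1 ]; then
        echo "expected 1 primary key, found $count" >&2; return 2
    fi
    if [ "$found" != "$expected" ]; then
        echo "MISMATCH: file contains $found" >&2; return 1
    fi
    echo "fingerprint matches: $found"
}
```

The expected fingerprint should come from a channel other than the site that served the key file, since a replaced key on a compromised website would otherwise arrive with a matching replaced fingerprint.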
Okay, thanks. Is it necessary to provide valid email addresses when generating keys, or is it acceptable to use dummy emails? I don't use multiple email addresses frequently, so I'm curious about this requirement.
You can put fake emails, but that kind of defeats the purpose of people being able to verify/find/contact you.
Thanks, man. I have clarity now. So I can differentiate multiple keys by fingerprint. Am I right?
Personally, I do both. I post a direct link to a public key file, and a reference to a public key server. Some email client programs, for example, are smart enough to automatically look for a key on a server.
Both methods are supported by GnuPG’s --auto-key-locate, and WKD at least is supported by several email clients.