tag:gpgtools.tenderapp.com,2011-11-04:/discussions/problems/27310-short-id
GPGTools: Discussion 2014-12-03T19:44:53Z
How do I share my public key? Should I include the key Short ID in my email-signature?
2014-09-16T14:24:41Z
<div><p>Just to add: I followed the instructions in this discussion
<a href=
"http://support.gpgtools.org/discussions/problems/10924-really-basic-question">
http://support.gpgtools.org/discussions/problems/10924-really-basic...</a><br>
thinking I would have to attach a text file with the ascii exported
file to my emails. I exported it, but when I open it to have a look
it takes me back to GPG Keychain Access with a notice about
changed/unchanged keys? Thank you for your help!</p></div>loganse
2014-09-16T15:12:34Z
<div><p>If you double-click on an .asc file, OS X will open it with the
default application, in this case GPG Keychain Access. You can
right click and choose Open with TextEdit to inspect the contents
of the file.</p></div>leveebreaks
2014-09-16T15:18:42Z
<div><p>Thank you! And once I have it should I attach it to emails as a
text file? Do I need to do this?</p></div>loganse
2014-09-16T15:34:47Z
<div><p>If you have uploaded the key to the keyservers, then you don't
need to send them the key as an attachment. They can simply search
for your key on the keyservers and download it from there. However,
I haven't used other PGP applications and perhaps they offer some
automatic way of importing attached keys.</p>
<p>Regardless of key transfer method, the recipient needs to verify
the key's fingerprint somehow. For example, in person if it's
possible.</p></div>leveebreaks
2014-09-16T15:42:23Z
<div><p>But how do they verify it if they can't do it in person?
Doesn't GPGTools do that? (thanks for your help!) I just need to
test this with someone who uses PGP who I can send an email to.</p></div>loganse
2014-09-16T15:56:40Z
<div><p>No, GPGTools (or other PGP applications) can't know if a certain
key belongs to a certain owner. For example, anyone can make a key
with the name Barack Obama with the email obama at whitehouse dot
gov and upload it to the keyservers. But that doesn't mean the key
actually belongs to the American president.</p>
<p>You can read more about trust and validity here: <a href=
"http://support.gpgtools.org/kb/how-to/introduction-to-cryptography#p17">
http://support.gpgtools.org/kb/how-to/introduction-to-cryptography#p17</a></p></div>leveebreaks
2014-09-16T17:05:54Z
<div><p>So how do they verify the key's fingerprint? (thank you!)</p></div>loganse
2014-09-17T07:34:04Z
<div><p>You have imported someone's key. The key's fingerprint is
displayed in GPG Keychain Access. To verify the fingerprint, you
ask the one you believe owns the key what the fingerprint is. This
must be done in a channel you believe is secure (but not
necessarily secret). You should not consider email secure in this
context.</p>
<p>Verifying the fingerprint is vital. If it is not done, then you
can't really trust the key and then there is no point in using PGP
in the first place.</p>
<p>In addition to the link I provided earlier, you can read this,
especially the parts about importing and verifying keys:</p>
<p><a href=
"https://www.gnupg.org/gph/en/manual.html">https://www.gnupg.org/gph/en/manual.html</a></p>
<p>Quote: "A key's fingerprint is verified with the key's owner.
This may be done in person or over the phone or through any other
means as long as you can guarantee that you are communicating with
the key's true owner. If the fingerprint you get is the same as the
fingerprint the key's owner gets, then you can be sure that you
have a correct copy of the key."</p></div>leveebreaks
2014-09-18T20:14:01Z
<div><p>Excellent replies by leveebreaks! I have nothing to add. Key
management is the biggest culprit currently and we have ideas how
to improve this, but that will need time.</p>
<p>I can only second investing the time to read what was linked
because that will help understanding how OpenPGP works and what the
mechanisms and thought processes behind key verification are.</p>
<p>It's not easy - but it works. I've yet to see another system
which is easier and provides the same level of security. So while
there has lately been quite some criticism about OpenPGP, as long as
we do not have better solutions, we should use it.</p>
<p>Also once you get into it, you do get accommodated and things
become simple. Just don't let the steep learning curve frighten you
away :)</p>
<p>And if you have more questions, feel free to ask.</p></div>Steve
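<p>Added example, not part of the original thread and not GPGTools code: the fingerprint check described in the replies above, done on the command line instead of by eye. The function names and the sample key are constructed for illustration; it assumes a 40-hex-digit fingerprint as printed by <code>gpg --with-colons --fingerprint</code>, and it refuses anything shorter, such as a Short ID.</p>

```shell
#!/bin/sh
# Added example: compare the fingerprint of an imported key with the value the
# key's owner gave you over a channel you trust. All sample values are constructed.

# Constructed sample of `gpg --with-colons --fingerprint` output for one key.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1410800000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1410800000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sub:-:4096:1:0000111122223333:1410800000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:'

# Print the primary key fingerprint: field 10 of the first "fpr" record.
primary_fpr() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Strip whitespace and an optional 0x prefix, then upper-case the hex digits,
# so a value read out in groups of four compares equal to gpg's output.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Exit status: 0 = identical full fingerprints, 1 = mismatch,
# 2 = at least one value is not a full 40-hex-digit fingerprint.
fpr_match() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    for v in "$a" "$b"; do
        case "$v" in
            *[!0-9A-F]*) return 2 ;;
        esac
        [ "${#v}" -eq 40 ] || return 2
    done
    [ "$a" = "$b" ]
}

# Demo: the owner reads the fingerprint aloud in lower-case groups of four.
if fpr_match "$(primary_fpr "$SAMPLE_COLONS")" \
        "0123 4567 89ab cdef 0123  4567 89ab cdef 0123 4567"; then
    echo "fingerprint verified"
fi
```

With a real keyring, pass the output of `gpg --with-colons --fingerprint` for the key in question in place of `SAMPLE_COLONS`.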