OpenPGP e-mail signing/encryption question

Terrence Enger tenger-ew0EfhANLmVEfu+5ix1nRw at public.gmane.org
Wed Sep 3 20:09:23 UTC 2003


At 15:29 2003-09-03 -0400, Anton Markov <anton-F0u+EriZ6ihBDgjK7y7TUQ at public.gmane.org> wrote:
>Hello everyone,

Hello, Anton.

>
>A couple of nights ago I decided to look into how to sign/encrypt 
>e-mails.  I figured out the Enigmail stuff, and got it installed and 
>working fine with Mozilla Thunderbird (a great e-mail reader by the 
>way).  I just have two questions:

It's a while since I played with PGP, and even then I didn't
do very much with it.  OTOH, I still remember reading Martin
Gardiner's article about public key encryption in Scientific
American (1971 or so; can anyone here pin it down any
closer?), and I have a hard-copy reprint from MIT of the
famous paper by Rivest, Adelmann (spelling?), and a third
author whose name I forget.  I mention this just to support
the notion that I have *earned* my gray hairs.  So, I'll
take the plunge and attempt some comments.

>
>Should I use the same key for encrypting and signing messages, or am I 
>supposed to generate different ones for each purpose?  From what I 
>understand (this is my first time looking into this issue) I give out my 
>public key in order to receive encrypted messages.  However, I have to 
>give out my private key in order to sign messages or something. This 

Nope.  You sign messages with your private key.  The
recipient can use your public key to verify your signature.
Thus, it is possible to use the same key pair for both
purposes.

That being said, you may want to have more than one key
pair.  This is just to avoid putting all your eggs in one
basket.  (Or all your bits in one bucket <grin/>) Remember
that the security of the encryption algorithm gives you no
protection against *theft* of your private key.

>doesn't make sense to me (why give out both keys), so either I am wrong, 
>or I don't know something.  Any clarification would be appreciated.

I remember reading a study that a shocking percentage of new
users of PGP in an experimental environment failed to get
any privacy out of it.  I hope this helps you a little bit.

Terry.
Available for contract programming.

>
>Also, which key server should I use to share my key? Should I upload it 
>to several, or are they all synchronized like DNS servers?  Lastly, is 
>it possible to change the key once it is sent (or at least the comment)?
>
>
>I know this is a little off the Linux topic, but any help would be 
>appreciated.
>
>P.S. PGP is so much easier to set up in Linux vs. Windows!
>
>Thanks in advance,
>
>
>Anton
>


--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml