Shawn Rutledge wrote:

> gpgkeys is a program that refuses to run without X. I'm guessing
> gpgkeys_http would be a simple command-line client which returns
> the result of a query to an http keyserver, but it doesn't seem to
> exist on Debian.

I can't speak to key management handlers... It has been at least 9 months since I had to add a key. Check back with me in 2 months when one of my closest friend's keys expires. :-)

> So I guess at least it's connecting to the MIT keyserver (right?) but not
> finding Derek's key. And this search
>
> http://wwwkeys.pgp.net:11371/pks/lookup?op=vindex&search=derek%40gnue.org

I can't make Derek send his key to the servers.

> also finds nothing, whereas for Randy:
> http://wwwkeys.pgp.net:11371/pks/lookup?op=vindex&search=Kaelber&fingerprint=on
>
> quite a few, but none for this latest ASU address. So I guess you have
> to get a new key for each email address that you use?

Actually, no, it's up to you. You can add multiple addresses to the same key, or make separate ones if you wish. My personal preference is to make a separate key for various "roles" (e.g. a work key, a personal key, a 'webmaster' key, etc.) where communication is unlikely to overlap, rather than email addresses, but that's just me. You can stick a ton of addresses on a single key if that's your pleasure.

As for my key, I don't use gpg at work (for a variety of technical and preferential reasons that are tedious to me, so they'd bore you stiff), but if I did, you'd see it there. However, this key is my current one: 38615805 Randy Kaelber (Home email key). If you want to send mail to me there, if you send me a signed message, I would add you to my key automatically. I'd mark it as untrusted and certainly wouldn't sign it until I met you face to face and verified your bona fides adequately.

Just because a public key is untrusted doesn't mean it's worthless. I can still encrypt mail to you and I'm reasonably confident that only the person (or people) with access to its secret key can decrypt it. It can also check that the file was delivered as signed, even though I don't know who actually signed it.

I consider my act of signing someone's public key similar to swearing an affidavit saying "I am highly confident (though not necessarily certain) that the person using this key is the person she says she is." It's a system where everyone is a notary public, and it's up to you to determine the trustworthiness of the notary publics. This process is *no* different (though the technical details certainly vary) from the act of certificate authorities for secure web servers, except that we rely on a more centralized form of notary publics (Thawte, Verisign, et al) for that in general, though you personally can add new certificate authorities to your web browser.

-- 
Randy Kaelber                                    Randy.Kaelber@asu.edu
Software Engineer
Mars Space Flight Facility, Department of Geological Sciences
Arizona State University, Tempe, Arizona, USA

"Anarchy is the sure consequence of tyranny; for no power that is not
limited by laws can ever be protected by them." - Milton
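The "everyone is a notary public" model Randy describes is what GnuPG's classic web of trust computes from your keyring: which keys you consider valid (the identity is believed) follows from which keys you have certified and how much you trust each certifier to vouch for others. The following is an added example, not code from this thread or from GnuPG; it is a toy model that reproduces GnuPG's documented default rules (one fully trusted certifier, or three marginally trusted ones, and a chain no longer than five steps), and it separates the two questions a signature check answers: did the signature verify, and do we know who holds the key. Key ids, addresses and trust assignments are constructed for the example.

```python
"""Toy model of the classic PGP/GnuPG web-of-trust validity calculation.

Constructed example, not GnuPG's code. It follows GnuPG's documented defaults
(--completes-needed 1, --marginals-needed 3, --max-cert-depth 5) and the rule
that only keys already judged valid may introduce others.
"""
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # one fully trusted certifier suffices
MARGINALS_NEEDED = 3   # or three marginally trusted certifiers
MAX_CERT_DEPTH = 5     # certification chains longer than this are ignored

CERTIFIER_LEVELS = {"ultimate", "full"}   # validity levels allowed to vouch for others


@dataclass
class Key:
    keyid: str
    uids: list                               # e-mail addresses bound to this key
    owner_trust: str = "unknown"             # unknown | never | marginal | full | ultimate
    certified_by: set = field(default_factory=set)   # key ids whose signatures it carries


def compute_validity(keys):
    """Return {keyid: validity} with validity in ultimate | full | marginal | unknown.

    Works level by level from your own (ultimately trusted) key, like the classic
    algorithm: each round, a not-yet-valid key becomes valid if enough already-valid
    keys with sufficient owner trust have certified it. Five rounds bound the depth.
    """
    validity = {k: ("ultimate" if key.owner_trust == "ultimate" else "unknown")
                for k, key in keys.items()}
    for _ in range(MAX_CERT_DEPTH):
        new = dict(validity)
        for kid, key in keys.items():
            if validity[kid] in CERTIFIER_LEVELS:
                continue
            full = marginal = 0
            for s in key.certified_by:
                signer = keys.get(s)
                if signer is None or validity[s] not in CERTIFIER_LEVELS:
                    continue   # unknown or merely marginal keys cannot introduce others
                if signer.owner_trust in ("full", "ultimate"):
                    full += 1
                elif signer.owner_trust == "marginal":
                    marginal += 1
                # owner trust unknown/never: the certification carries no weight
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new[kid] = "full"
            elif marginal > 0:
                new[kid] = "marginal"
        if new == validity:
            break
        validity = new
    return validity


def signature_verdict(validity, signer_keyid, integrity_ok):
    """Keep the cryptographic result apart from the identity judgement.

    An untrusted key still tells you the message is intact and was signed by
    whoever holds that secret key; it just does not tell you who that is.
    """
    if not integrity_ok:
        return "BAD signature"
    if validity.get(signer_keyid) in CERTIFIER_LEVELS:
        return "Good signature from a valid key"
    return "Good signature, but the key is not certified with a trusted signature"


def build_example_keyring():
    """Constructed keyring: our own key, a few people we have certified, and an
    imported key that is only self-signed (as after importing a correspondent's key)."""
    ring = {}

    def add(kid, uids, trust="unknown", signers=()):
        ring[kid] = Key(kid, list(uids), trust, set(signers))

    add("ME", ["me@example.org", "me@work.example"], "ultimate")  # one key, two addresses
    add("A", ["a@example.org"], "full", ["ME"])
    add("B", ["b@example.org"], "marginal", ["ME"])
    add("C", ["c@example.org"], "marginal", ["ME"])
    add("D", ["d@example.org"], "marginal", ["ME"])
    add("E", ["e@example.org"], "unknown", ["B", "C", "D"])   # three marginals -> full validity
    add("F", ["f@example.org"], "unknown", ["B"])             # one marginal -> marginal validity
    add("G", ["g@example.org"], "unknown", ["E"])             # E is valid but not trusted to vouch
    add("S", ["s@example.org"], "unknown", ["S"])             # imported, only self-signed
    prev = "A"                                                # chain of fully trusted keys, depth 2..6
    for i in range(2, 7):
        kid = f"CHAIN{i}"
        add(kid, [f"chain{i}@example.org"], "full", [prev])
        prev = kid
    return ring


if __name__ == "__main__":
    ring = build_example_keyring()
    validity = compute_validity(ring)
    for kid in ring:
        print(f"{kid:7} {validity[kid]}")
    print(signature_verdict(validity, "S", True))
```

Note what the model does not do: validity never gates encryption or signature verification themselves. Encrypting to key S works and the signature from S verifies; the validity result only says whether the identity on the key has been vouched for by certifiers you trust, which is exactly the distinction drawn in the message above.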