Is it ok to attach the public key to the email?
Hi folks,
As per the subject: Is it ok to attach the public key to the email? Or is there some security/privacy issues to consider?
I'm asking because it may be easier to just hand over the public key to someone than have him fetch it from a public server.
Cheers!
Support Staff 1 Posted by Steve on 16 Mar, 2022 06:14 PM
Hi Andrei,
Welcome to the GPGTools support platform. Sorry to hear you are having problems using GPG Suite.
There is one mechanism in GPG Suite that really helps simplify key exchange: in
System Preferences > GPG Suite > Settings > Key Server
there is the setting "Automatically download public keys". When receiving a signed email and not having the public key of the author, with this setting enabled MacGPG will search for the public key matching the signature. If the key owner has uploaded and verified their public key, the key will be downloaded and the signature verified. Sending an encrypted reply is then possible - a restart of Mail app may be needed so that it becomes aware of the new public key. This is why we recommend uploading your own public key to the key server and verifying the email address(es) in the key.
This however may not apply to other OpenPGP implementations, but maybe a feature request can raise developers' awareness for this.
Generally it may be a good idea to add the fingerprint to your email signature. Not sure if it is necessary though to attach your own public key to all your emails. However, there is no security or privacy concern in doing so, although some mail clients or servers may increase their spam score for the attachment.
Hope this helps and explains the situation a bit.
All the best,
Steve
2 Posted by Andrei D on 17 Mar, 2022 09:27 AM
Hi Steve,
As you say, it's easy peasy when writing to another Mac user that uses GPG Suite and has the "automatically download public keys" option enabled. However, also as you correctly identify, it becomes more of a hassle with other PGP implementations, which most probably use other key servers (or none at all). As far as I am aware there are many key servers available and I'm not sure the keys are synced between each one.
I'm interested in the fingerprint though. How would that help with anything?
Support Staff 3 Posted by Steve on 17 Mar, 2022 03:52 PM
So we would have to look at the specific implementation. https://keys.openpgp.org/ is probably the biggest key server currently and no, it does not sync (yet) with other key servers.
The old key server cluster (sks key servers) is no longer in business. There is still hockeypuck however. But you could ask the other implementation to switch to https://keys.openpgp.org/ as well.
The fingerprint would be used to look up the public key on the key server. E.g. https://gpgtools.org/ bottom left shows the fingerprint 85E3 8F69 046B 44C1 EC9F B07B 76D7 8F05 00D0 26C4. I can open GPG Keychain, press cmd + F and paste the fingerprint to search for the public key.
Adding the fingerprint to various locations associated with your person, like your fediverse profile page, email signature, website, ... goes to show consistency. If someone then claims to have a different fingerprint with your email but the other locations still show the old fingerprint that could be a sign of compromise.
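The check Steve describes above, as an added example that is not part of this thread and not GPGTools' own code: a correspondent advertises a fingerprint somewhere you trust (email signature, website, profile page), you fetch the key from keys.openpgp.org by that fingerprint, and then you confirm that the key gpg actually imported carries the same fingerprint before encrypting to it. The key listing embedded below is constructed for the example (the fingerprint is the one from gpgtools.org quoted above; the user ID and timestamps are placeholders), so the script runs offline; the real `gpg --recv-keys` and `gpg --with-colons --fingerprint` invocations appear in comments.

```shell
#!/bin/sh
# Added example, not GPGTools code: compare an advertised OpenPGP fingerprint
# against the fingerprint gpg reports for the key it really holds.
#
# In practice the listing comes from gpg itself, e.g.:
#   gpg --keyserver hkps://keys.openpgp.org --recv-keys "$FPR"
#   LISTING=$(gpg --with-colons --fingerprint "$FPR")
# Here a constructed listing stands in for that output so the script runs offline.

# Fingerprint as it appears on gpgtools.org (spacing as published on the page).
ADVERTISED="85E3 8F69 046B 44C1 EC9F B07B 76D7 8F05 00D0 26C4"

# Constructed `gpg --with-colons` output: only the "fpr" record is parsed;
# key ID is the last 16 hex digits of the fingerprint, user ID is a placeholder.
LISTING='tru::1:1640000000:0:3:1:5
pub:u:4096:1:76D78F0500D026C4:1500000000:::u:::scESC::::::23::0:
fpr:::::::::85E38F69046B44C1EC9FB07B76D78F0500D026C4:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:'

# Strip whitespace, upper-case, and require exactly 40 hex digits
# (a v4 OpenPGP fingerprint). Prints the normalized value, or fails.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    case "$fpr" in
        ""|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Primary-key fingerprint from colon-format output: first "fpr" record,
# field 10 holds the fingerprint.
primary_fpr_from_listing() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeeds only when the advertised fingerprint is well formed and equals
# the fingerprint of the key in the listing.
check_fpr() {
    expected=$(normalize_fpr "$1") || return 1
    actual=$(primary_fpr_from_listing "$2")
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

if check_fpr "$ADVERTISED" "$LISTING"; then
    echo "fingerprint matches: safe to encrypt to this key"
else
    echo "fingerprint MISMATCH: do not use this key" >&2
fi
```

The comparison deliberately goes through `normalize_fpr` on the advertised side only: the value copied from a signature or web page is the one that may carry stray spaces, lower case, or a truncated key ID, while gpg's colon output is canonical. A short key ID or a 39-digit paste fails the length check rather than silently matching a prefix.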
4 Posted by Andrei D on 17 Mar, 2022 04:09 PM
So Steve, in that case wouldn't it be better to just avoid adding the .asc file as an attachment to the email, so as to avoid some SpamAssassin rules or whatever filters servers use, and just use the public key block in the signature directly so it gets attached by default on any outgoing mail.
Support Staff 5 Posted by Steve on 17 Mar, 2022 05:47 PM
You can do that. It makes all your emails very long and may cause confusion with the recipients, which is why personally I prefer using the more human-readable key fingerprint.
Steve closed this discussion on 14 Apr, 2022 04:22 PM.