
Re: [tor-talk] Social Research on TOR in Turkey during March2014

On Mon, 13 Oct 2014 23:43:47 +0300
Gökşin Akdeniz <goksin@xxxxxxxxxxxxxxxxx> wrote:

> Run: gpg --search-key "Paolo Cardullo" and import the key.
> Please use OpenPGP and GnuPG properly

He is using OpenPGP and GnuPG properly, but I believe you are missing an
important fact about it. The original author did not give the key
details, nor did he put his key ID (before you added it to your keyring).
Somebody reading this list could have created a key pair and uploaded
it to a keyserver. Now you might have a malicious key, which you will use to
encrypt your emails, and somebody having access to that e-mail
address (via ISP or AOL) could read your email.

Do not blindly add keys just by searching the name. Wait for the
original author to at least verify using e-mail, or his web address. Of
course, there would be no guarantee for e-mail to be changed during the
transport. But it is a little unlikely to both change e-mail and key on
the web server. It depends on your threat model. I hope I made my point.

Grace H.

D8C9 EF71 ADC3 0533 29DE  3A80 1152 D1CB 8D9C 47FD

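The check described in the message above, as an added example that is not part of the original post: given a GnuPG `--with-colons` key listing in which two keys carry the same name, accept only the key whose primary fingerprint equals one obtained from the author through a separate channel. The listing, names and fingerprints are constructed, and the function names are hypothetical.

```python
# Constructed sample: two unrelated keys with the same user ID, as a search by
# name could return. Layout follows GnuPG's --with-colons key listing, where
# field 10 of an "fpr" record is the fingerprint and of a "uid" record the name.
SAMPLE_LISTING = """\
pub:-:4096:1:7777888899990000:1400000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1400000000::::Example Person <person@example.org>:
sub:-:4096:1:3333222211110000:1400000000::::::e:
fpr:::::::::9999888877776666555544443333222211110000:
pub:-:4096:1:0000111122223333:1413000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:-::::1413000000::::Example Person <person@example.org>:
"""


def normalize(fingerprint):
    """Drop the spacing used when fingerprints are printed; upper-case hex."""
    return "".join(fingerprint.split()).upper()


def primary_fingerprints(listing):
    """Map each primary-key fingerprint to the user IDs listed under it."""
    keys, current, expect_primary = {}, None, False
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 10:
            continue
        if fields[0] == "pub":
            expect_primary = True       # the next fpr record is the primary key's
        elif fields[0] == "sub":
            expect_primary = False      # the next fpr record is a subkey's
        elif fields[0] == "fpr" and expect_primary:
            current, expect_primary = fields[9], False
            keys[current] = []
        elif fields[0] == "uid" and current is not None:
            keys[current].append(fields[9])
    return keys


def select_verified(listing, trusted_fingerprint):
    """Return (fingerprint, uids) for the key matching the fingerprint the
    author confirmed out of band, or None if no listed key matches."""
    wanted = normalize(trusted_fingerprint)
    # Assumption: 40-hex-digit (v4) fingerprints; a key ID is not enough.
    if len(wanted) != 40 or any(c not in "0123456789ABCDEF" for c in wanted):
        raise ValueError("need a full 40-hex-digit fingerprint")
    uids = primary_fingerprints(listing).get(wanted)
    return (wanted, uids) if uids is not None else None
```

The name alone matches both keys here; only the fingerprint comparison separates them, and a subkey fingerprint or a bare key ID is rejected rather than treated as a match.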