Bitcoin2013 Speakers: Include your PGP fingerprint in your slides [combined summary]



Individual post summaries: the original discussion is on the bitcoin-dev mailing list

Published on: 2013-05-14T20:12:32+00:00


Summary:

In a discussion on May 14, 2013, it was shared that encryption keys can be stored as a TXT entry on one's own domain, which can be queried with the command "dig +short harald._pka.schil.ly. TXT". The same lookup can be performed automatically by GnuPG with the command "$ gpg ... --auto-key-locate pka -r email@address.domain". However, concerns were raised about the security of DNS, suggesting that this may not be the most secure way to store encryption keys.

In the same email conversation from 2013, it was asked whether PGP key servers could suffer from a 51% attack like the one possible against the Bitcoin network. Unlike Bitcoin, PGP keyservers do not depend on mining power, so a 51% attack is not possible in that sense. However, PGP keyservers are vulnerable to spamming, which can cause clients to become unresponsive or crash. Storing PGP keys as a TXT entry on one's own domain and fetching them automatically can help mitigate this risk and avoid relying on PGP keyservers.

On May 14, 2013, it was mentioned that using a hardware smartcard to store PGP keys is a security measure taken seriously. Keeping the master signing key separate from day-to-day signing subkeys is also practiced. Regularly PGP-signing emails allows anyone to verify that they have the correct key by checking the signatures in the mailing list archives. However, it was acknowledged that a dedicated attacker could potentially sign something without the owner's knowledge.

In terms of security measures, using PGP fingerprints in talks and presentations was discussed as a way to ensure validity. While there is a possibility of fraud, the wide audiences and opportunities for detection make it reasonable to put PGP fingerprints in slides. The importance of the web-of-trust in PGP verification was emphasized: multiple independent verifications contribute to establishing validity. Better code signing practices are also necessary, but it is important to ensure that the keys signing the code are themselves valid.

Using a hardware smartcard to store PGP keys and separating the master signing key from day-to-day signing subkeys were mentioned as personal security measures. A writer on bitcointalk.org suggested adding PGP fingerprints to presentation slides to improve security during talks. Although there is a risk of fraud, the benefits of a wide audience and greater opportunities for detection outweigh this concern. The importance of the web-of-trust in PGP verification was highlighted, and the use of SSL and certificate authorities alongside the PGP WoT to enhance code signing practices was advocated. Personal security measures included using a hardware smartcard to store PGP keys and keeping the master signing key separate from day-to-day signing subkeys.
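The PKA lookup quoted in the summary (a TXT record at local._pka.domain, consulted by gpg --auto-key-locate pka), as an added example that is not from the mailing-list thread: it builds the DNS name gpg queries, parses a constructed v=pka1 record and checks a fingerprint copied from a slide against it. The v=pka1;fpr=...;uri=... layout is GnuPG's PKA record format; the fingerprint and URI used here are constructed placeholders, and the match result is treated only as one web-of-trust data point because DNS itself is untrusted.

```python
import re

# Added example, not code from the thread. Models the PKA lookup the
# summary describes: the fingerprint for local@domain lives in a DNS TXT
# record at local._pka.domain, which gpg --auto-key-locate pka fetches.


def pka_name(email: str) -> str:
    """DNS name gpg queries for a PKA record (what the quoted `dig` used)."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return f"{local}._pka.{domain.rstrip('.')}."


def normalize_fpr(fpr: str) -> str:
    """Strip the spacing and case differences a slide or keyserver may show."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {fpr!r}")
    return cleaned


def parse_pka_record(txt: str) -> dict:
    """Parse a 'v=pka1;fpr=...;uri=...' TXT record (dig prints it quoted)."""
    txt = txt.strip().strip('"')
    fields = dict(part.split("=", 1) for part in txt.split(";") if "=" in part)
    if fields.get("v") != "pka1" or "fpr" not in fields:
        raise ValueError(f"not a PKA record: {txt!r}")
    fields["fpr"] = normalize_fpr(fields["fpr"])
    return fields


def slide_matches_dns(slide_fpr: str, txt_record: str) -> bool:
    """True when the slide fingerprint equals the one published in DNS.

    Agreement between the two channels is one verification, not proof:
    DNS is not trusted here (the concern raised in the thread), so a
    true result still needs other web-of-trust checks.
    """
    return normalize_fpr(slide_fpr) == parse_pka_record(txt_record)["fpr"]


# Constructed sample data: placeholder fingerprint and URI, not a real key.
SAMPLE_RECORD = '"v=pka1;fpr=0123456789ABCDEF0123456789ABCDEF01234567;uri=https://example.invalid/key.asc"'
SAMPLE_SLIDE = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

if __name__ == "__main__":
    print(pka_name("harald@schil.ly"))
    print(slide_matches_dns(SAMPLE_SLIDE, SAMPLE_RECORD))
```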


Updated on: 2023-08-01T04:53:13.583073+00:00