Well, I now have a public key, so if anyone needs to send me a secret message, go wild. My fingerprint is 498AFC97385158ACD775C58C1C2991BD5131844A and it's on http://keys.openpgp.org
I assume if you use openpgp the software, you can retrieve it that way too, but I'm using GPG and I could not for the life of me get it to behave. No idea what I'm doing wrong, I followed their instructions and set it to use their server in the .conf file. It says there's a bug retrieving keys without verified e-mail addresses but I *did* verify my e-mail address. And my bug doesn't look like their example. It just gives me a bunch of nonsense.
Okay, this is apparently the expected outcome. "Unless you have taken explicit steps to build a trust path to the Riseup Collective key, you will see a warning message similar to [the one I got]. However, you still should see the “Good signature”."
I dunno what "build a trust path" means. Shouldn't they want everyone to be able to trust their public statements equally? 😕 but I guess everything's working
I wish more tutorials had a step where it's like "and now here's an example where you can use *our* public key to see how people will use *your* key". Just so I'm confident I did everything right
@matt "building a trust path" means using the archaic system it provides for verifying that a key belongs to the person it claims to belong to. It works by creating signatures that attest that, i.e. Person A says Person B is who they claim to be, and Person B says Person C is who they claim to be, then you manually verify the identity of Person A which gets you trusted keys for B & C
it's a neat idea in theory but really convoluted in practice
@elomatreb That makes more sense for end-to-end encryption, because it's like a mutual trust thing. Both parties have to know they can trust each other. But for a public clear text statement that's cryptographically signed, how would that even work? They signed the statement before I had a key. Wouldn't they want to make sure everyone, including people in the future, would be confident the signature is authentic? No one would ever sign software this way. Or would they? Is there a reason to?
@matt it doesn't have to be mutual, they don't need to trust you to sign a public message. If you wanted, you could go talk to someone you know is a trustworthy part of the organization, get them to confirm this is their key, and then you would locally trust the key.
But unless you're actually going to talk to them, this doesn't add any security and it just annoys people because GPG is ancient software
@elomatreb it shouldn't annoy anyone because no one's being forced to use GPG to verify it. The message is still legible. If someone wants to treat it with the same amount of skepticism either way, that's their prerogative.
But say their website got taken down and they spread around a link to a pastebin with a signed statement explaining what happened. That offers at least some degree of confidence that the pastebin message is from the owner of the website, right? More than an unsigned statement would provide.
If it's not signed, it could be any rando impersonating them. If it's signed, I at least know that the rando would've needed to compromise their key as well as impersonate them, which is a lot harder. Shouldn't "someone would have to do this very difficult thing" inspire more confidence than "this could be one of millions of random trolls"?
I dunno, the idea that cryptographic identity provides zero reassurance unless you actually know the person feels like FUD. It's so nihilistic
@matt > If it's not signed, it could be any rando impersonating them
if it's signed by a key you can't authenticate, it could just as easily be any rando who can generate a key and puts "Trustworthy Organization" into the name field
@elomatreb it's authenticated by the fact that it was signed with the same key they've been using on their website for years! You can go to the wayback machine and verify that. Should I believe archive.org was compromised too?