this is nonsense and annoying. i might have to have a word with the
sender because they shouldn't be doing this, but at the same time,
thunderbird shouldn't tell me that it's a per-se invalid signature just
because the sender is different to the key's sender.

Am 24.10.23 um 09:26 schrieb The Bjornsdottirs:
> this is nonsense and annoying. i might have to have a word with the
> sender because they shouldn't be doing this, but at the same time,
> thunderbird shouldn't tell me that it's a per-se invalid signature just
> because the sender is different to the key's sender.

Are you sure you fully understand the concept of OpenPGP and Certificates?

--
Gutta cavat lapidem (Ovid)

The Bjornsdottirs <zerda@umbrellix.net> wrote:

> this is nonsense and annoying. i might have to have a word with the
> sender because they shouldn't be doing this, but at the same time,
> thunderbird shouldn't tell me that it's a per-se invalid signature just
> because the sender is different to the key's sender.

https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
"To use OpenPGP functionality in Thunderbird, you need to set a
so-called personal key pair for your email address."
^^^^^^^^^^^^^
"After importing or creating it, while still in account settings, select
the key you want to actively use with your email account."
vvvvvvvvvvvvv ^^^^^^^^^^^^^
"To enable OpenPGP for an email account, it is necessary to explicitly
specify which personal key to use."

You want to allow anyone to steal or fake someone else's key(s) to forge
they are some other sender? If they can lie, you don't know to whom you
are communicating?

PGP creates a digital signature for private and public keys to prove
that a sender is the rightful owner of the message
(https://www.fortinet.com/resources/cyberglossary/pgp-encryption).

The public key is tied to a particular person’s identity, ...
(https://www.varonis.com/blog/pgp-encryption).

If you want anyone (i.e., sender unknown) to encrypt a message to you,
don't use x.509 (S/MIME) or PGP. Encrypt a file, like zip with
password, attach to an e-mail, and convey the password using a different
communications venue (call, postal mail, chat, flag signals, whatever).

Since there are more than 1 PGP key server, wonder which one Tbird uses.
The other party to the e-mail which could easily be using a different
e-mail client has to use the same PGP key server as the sender.

https://keybase.io
https://keys.openpgp.org
https://keyserver.ubuntu.com
http://keys.gnupg.net
https://pgp.mit.edu
https://keyoxide.org

There are more. Do they all synchronize with each other? If so, how
long after adding a key to 1 server will it propagate to all others? Is
synchronizing mandatory for a key server (i.e., no private servers)?

On 2023-10-24 12:56, VanguardLH wrote:
> The Bjornsdottirs <zerda@umbrellix.net> wrote:

....

> Since there are more than 1 PGP key server, wonder which one Tbird uses.
> The other party to the e-mail which could easily be using a different
> e-mail client has to use the same PGP key server as the sender.
>
> https://keybase.io
> https://keys.openpgp.org
> https://keyserver.ubuntu.com
> http://keys.gnupg.net
> https://pgp.mit.edu
> https://keyoxide.org
>
> There are more. Do they all synchronize with each other? If so, how
> long after adding a key to 1 server will it propagate to all others? Is
> synchronizing mandatory for a key server (i.e., no private servers)?

They _did_ synchronize. Sync is broken since several years. Several
servers don't work anymore. There was a flooding attack some years ago,
and since them, they haven't recovered.

--
Cheers,
Carlos E.R.

VanguardLH wrote:

> The Bjornsdottirs <zerda@umbrellix.net> wrote:
>
>> this is nonsense and annoying. i might have to have a word with the
>> sender because they shouldn't be doing this, but at the same time,
>> thunderbird shouldn't tell me that it's a per-se invalid signature just
>> because the sender is different to the key's sender.
>
> https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
> "To use OpenPGP functionality in Thunderbird, you need to set a
> so-called personal key pair for your email address."
> ^^^^^^^^^^^^^
> "After importing or creating it, while still in account settings, select
> the key you want to actively use with your email account."
> vvvvvvvvvvvvv ^^^^^^^^^^^^^
> "To enable OpenPGP for an email account, it is necessary to explicitly
> specify which personal key to use."
>
> You want to allow anyone to steal or fake someone else's key(s) to forge
> they are some other sender? If they can lie, you don't know to whom you
> are communicating?
>
> PGP creates a digital signature for private and public keys to prove
> that a sender is the rightful owner of the message
> (https://www.fortinet.com/resources/cyberglossary/pgp-encryption).
>
> The public key is tied to a particular person’s identity, ...
> (https://www.varonis.com/blog/pgp-encryption).
>
> If you want anyone (i.e., sender unknown) to encrypt a message to you,
> don't use x.509 (S/MIME) or PGP. Encrypt a file, like zip with
> password, attach to an e-mail, and convey the password using a different
> communications venue (call, postal mail, chat, flag signals, whatever).
>
>
vks://keys.openpgp.org

--
Bob
Tetbury, Gloucestershire, England

Celebrity - a person who works hard to become well known, and then wears
dark glasses to avoid being recognised.

Bob Henson <bob.henson@outlook.com> wrote:

> VanguardLH wrote:
>
>> The Bjornsdottirs <zerda@umbrellix.net> wrote:
>>
>>> this is nonsense and annoying. i might have to have a word with the
>>> sender because they shouldn't be doing this, but at the same time,
>>> thunderbird shouldn't tell me that it's a per-se invalid signature just
>>> because the sender is different to the key's sender.
>>
>> https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
>> "To use OpenPGP functionality in Thunderbird, you need to set a
>> so-called personal key pair for your email address."
>> ^^^^^^^^^^^^^
>> "After importing or creating it, while still in account settings, select
>> the key you want to actively use with your email account."
>> vvvvvvvvvvvvv ^^^^^^^^^^^^^
>> "To enable OpenPGP for an email account, it is necessary to explicitly
>> specify which personal key to use."
>>
>> You want to allow anyone to steal or fake someone else's key(s) to forge
>> they are some other sender? If they can lie, you don't know to whom you
>> are communicating?
>>
>> PGP creates a digital signature for private and public keys to prove
>> that a sender is the rightful owner of the message
>> (https://www.fortinet.com/resources/cyberglossary/pgp-encryption).
>>
>> The public key is tied to a particular person’s identity, ...
>> (https://www.varonis.com/blog/pgp-encryption).
>>
>> If you want anyone (i.e., sender unknown) to encrypt a message to you,
>> don't use x.509 (S/MIME) or PGP. Encrypt a file, like zip with
>> password, attach to an e-mail, and convey the password using a different
>> communications venue (call, postal mail, chat, flag signals, whatever).
>>
>>
> vks://keys.openpgp.org

That was one that I already mentioned, but the part you snipped in your
reply. Why that one over the others? As Carlos mentioned, and which I
read in passing, looks like the PGP servers no longer sync with each
others. So, it is important which PGP key server you use, and which PGP
key server someone else uses to find your public key.

VanguardLH wrote:

> Path: uni-berlin.de!individual.net!not-for-mail
> From: VanguardLH <V@nguard.LH>
> Newsgroups: alt.comp.software.thunderbird
> Subject: Re: vent: so the built in PGP is calling a key I have *not* decided to reject invalid, simply because it's not for the same address as the sender of the message
> Date: Tue, 24 Oct 2023 17:59:36 -0500
> Organization: Usenet Elder
> Lines: 45
> Sender: V@nguard.LH
> Message-ID: <gp9rqfgg8p6j.dlg@v.nguard.lh>
> References: <uh7rip$3nvr4$2@dont-email.me> <1xrt5y6mtople$.dlg@v.nguard.lh> <l5htjtl59qv4.2cfjsix0cncg$.dlg@40tude.net>
> Mime-Version: 1.0
> Content-Type: text/plain; charset="iso-8859-7"
> Content-Transfer-Encoding: 8bit
> X-Trace: individual.net W6KnHo6wPVNyBEWHSZzwyQOZhSoYDaBzcy/rTWJSpoTaHuzESg
> Keywords: VanguardLH,VLH
> Cancel-Lock: sha1:uPMcWYhDYX7V9q8lkopFU+/yc0k= sha256:CP1O8Lw/VzpNIzWSF+Ve82o5QwDYvlpT314rC4gQ9kg=
> User-Agent: 40tude_Dialog/2.0.15.41
> Xref: uni-berlin.de alt.comp.software.thunderbird:10774
>
> Bob Henson <bob.henson@outlook.com> wrote:
>
>> VanguardLH wrote:
>>
>>> The Bjornsdottirs <zerda@umbrellix.net> wrote:
>>>
>>>> this is nonsense and annoying. i might have to have a word with the
>>>> sender because they shouldn't be doing this, but at the same time,
>>>> thunderbird shouldn't tell me that it's a per-se invalid signature just
>>>> because the sender is different to the key's sender.
>>>
>>> https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
>>> "To use OpenPGP functionality in Thunderbird, you need to set a
>>> so-called personal key pair for your email address."
>>> ^^^^^^^^^^^^^
>>> "After importing or creating it, while still in account settings, select
>>> the key you want to actively use with your email account."
>>> vvvvvvvvvvvvv ^^^^^^^^^^^^^
>>> "To enable OpenPGP for an email account, it is necessary to explicitly
>>> specify which personal key to use."
>>>
>>> You want to allow anyone to steal or fake someone else's key(s) to forge
>>> they are some other sender? If they can lie, you don't know to whom you
>>> are communicating?
>>>
>>> PGP creates a digital signature for private and public keys to prove
>>> that a sender is the rightful owner of the message
>>> (https://www.fortinet.com/resources/cyberglossary/pgp-encryption).
>>>
>>> The public key is tied to a particular person¢s identity, ...
>>> (https://www.varonis.com/blog/pgp-encryption).
>>>
>>> If you want anyone (i.e., sender unknown) to encrypt a message to you,
>>> don't use x.509 (S/MIME) or PGP. Encrypt a file, like zip with
>>> password, attach to an e-mail, and convey the password using a different
>>> communications venue (call, postal mail, chat, flag signals, whatever).
>>>
>>>
>> vks://keys.openpgp.org
>
> That was one that I already mentioned, but the part you snipped in your
> reply. Why that one over the others?

Because that's the one built into Thunderbird and hence the one it will use
if you publish your key or, presumably, search for other people's keys. I
can't see any facility to easily use others. .

> As Carlos mentioned, and which I
> read in passing, looks like the PGP servers no longer sync with each
> others. So, it is important which PGP key server you use, and which PGP
> key server someone else uses to find your public key.

I haven't used GnuPG/OpenPGP much since the days of Enigmail so I'm not up
to date with the server situation. I was able to import one of Werner
Koch's keys from that server a few moments ago (using Thunderbird ) so
either the boss man uses Thunderbird or the server connects to others.

--
Bob
Tetbury, Gloucestershire, England

Hypochondria - the only illness a hypochondriac thinks he or she doesn't
have.

Am 25.10.23 um 00:59 schrieb VanguardLH:
> Bob Henson <bob.henson@outlook.com> wrote:
>> vks://keys.openpgp.org
>
> That was one that I already mentioned, but the part you snipped in your
> reply. Why that one over the others? As Carlos mentioned, and which I
> read in passing, looks like the PGP servers no longer sync with each
> others. So, it is important which PGP key server you use, and which PGP
> key server someone else uses to find your public key.

Smart people always send the public key along with even unencrypted e-mails.

A good advice for a key-server is to use this key-server:

https://keys.openpgp.org/

--
Gutta cavat lapidem (Ovid)

Am 25.10.23 um 10:41 schrieb Bob Henson:
> VanguardLH wrote:
>
>> Path: uni-berlin.de!individual.net!not-for-mail
>> From: VanguardLH <V@nguard.LH>
>> Newsgroups: alt.comp.software.thunderbird
>> Subject: Re: vent: so the built in PGP is calling a key I have *not* decided to reject invalid, simply because it's not for the same address as the sender of the message
>> Date: Tue, 24 Oct 2023 17:59:36 -0500
>> Organization: Usenet Elder
>> Lines: 45
>> Sender: V@nguard.LH
>> Message-ID: <gp9rqfgg8p6j.dlg@v.nguard.lh>
>> References: <uh7rip$3nvr4$2@dont-email.me> <1xrt5y6mtople$.dlg@v.nguard.lh> <l5htjtl59qv4.2cfjsix0cncg$.dlg@40tude.net>
>> Mime-Version: 1.0
>> Content-Type: text/plain; charset="iso-8859-7"
>> Content-Transfer-Encoding: 8bit
>> X-Trace: individual.net W6KnHo6wPVNyBEWHSZzwyQOZhSoYDaBzcy/rTWJSpoTaHuzESg
>> Keywords: VanguardLH,VLH
>> Cancel-Lock: sha1:uPMcWYhDYX7V9q8lkopFU+/yc0k= sha256:CP1O8Lw/VzpNIzWSF+Ve82o5QwDYvlpT314rC4gQ9kg=
>> User-Agent: 40tude_Dialog/2.0.15.41
>> Xref: uni-berlin.de alt.comp.software.thunderbird:10774
>>
>> Bob Henson <bob.henson@outlook.com> wrote:
>>
>>> VanguardLH wrote:
>>>
>>>> The Bjornsdottirs <zerda@umbrellix.net> wrote:
>>>>
>>>>> this is nonsense and annoying. i might have to have a word with the
>>>>> sender because they shouldn't be doing this, but at the same time,
>>>>> thunderbird shouldn't tell me that it's a per-se invalid signature just
>>>>> because the sender is different to the key's sender.
>>>>
>>>> https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
>>>> "To use OpenPGP functionality in Thunderbird, you need to set a
>>>> so-called personal key pair for your email address."
>>>> ^^^^^^^^^^^^^
>>>> "After importing or creating it, while still in account settings, select
>>>> the key you want to actively use with your email account."
>>>> vvvvvvvvvvvvv ^^^^^^^^^^^^^
>>>> "To enable OpenPGP for an email account, it is necessary to explicitly
>>>> specify which personal key to use."
>>>>
>>>> You want to allow anyone to steal or fake someone else's key(s) to forge
>>>> they are some other sender? If they can lie, you don't know to whom you
>>>> are communicating?
>>>>
>>>> PGP creates a digital signature for private and public keys to prove
>>>> that a sender is the rightful owner of the message
>>>> (https://www.fortinet.com/resources/cyberglossary/pgp-encryption).
>>>>
>>>> The public key is tied to a particular person¢s identity, ...
>>>> (https://www.varonis.com/blog/pgp-encryption).
>>>>
>>>> If you want anyone (i.e., sender unknown) to encrypt a message to you,
>>>> don't use x.509 (S/MIME) or PGP. Encrypt a file, like zip with
>>>> password, attach to an e-mail, and convey the password using a different
>>>> communications venue (call, postal mail, chat, flag signals, whatever).
>>>>
>>>>
>>> vks://keys.openpgp.org
>>
>> That was one that I already mentioned, but the part you snipped in your
>> reply. Why that one over the others?
>
> Because that's the one built into Thunderbird and hence the one it will use
> if you publish your key or, presumably, search for other people's keys. I
> can't see any facility to easily use others. .

Sorry?
This is it: https://keys.openpgp.org/

--
Gutta cavat lapidem (Ovid)

Jörg Lorenz wrote:

> Am 25.10.23 um 10:41 schrieb Bob Henson:
>> VanguardLH wrote:
>>
>>> Path: uni-berlin.de!individual.net!not-for-mail
>>> From: VanguardLH <V@nguard.LH>
>>> Newsgroups: alt.comp.software.thunderbird
>>> Subject: Re: vent: so the built in PGP is calling a key I have *not* decided to reject invalid, simply because it's not for the same address as the sender of the message
>>> Date: Tue, 24 Oct 2023 17:59:36 -0500
>>> Organization: Usenet Elder
>>> Lines: 45
>>> Sender: V@nguard.LH
>>> Message-ID: <gp9rqfgg8p6j.dlg@v.nguard.lh>
>>> References: <uh7rip$3nvr4$2@dont-email.me> <1xrt5y6mtople$.dlg@v.nguard.lh> <l5htjtl59qv4.2cfjsix0cncg$.dlg@40tude.net>
>>> Mime-Version: 1.0
>>> Content-Type: text/plain; charset="iso-8859-7"
>>> Content-Transfer-Encoding: 8bit
>>> X-Trace: individual.net W6KnHo6wPVNyBEWHSZzwyQOZhSoYDaBzcy/rTWJSpoTaHuzESg
>>> Keywords: VanguardLH,VLH
>>> Cancel-Lock: sha1:uPMcWYhDYX7V9q8lkopFU+/yc0k= sha256:CP1O8Lw/VzpNIzWSF+Ve82o5QwDYvlpT314rC4gQ9kg=
>>> User-Agent: 40tude_Dialog/2.0.15.41
>>> Xref: uni-berlin.de alt.comp.software.thunderbird:10774
>>>
>>> Bob Henson <bob.henson@outlook.com> wrote:
>>>
>>>> VanguardLH wrote:
>>>>
>>>>> The Bjornsdottirs <zerda@umbrellix.net> wrote:
>>>>>
>>>>>> this is nonsense and annoying. i might have to have a word with the
>>>>>> sender because they shouldn't be doing this, but at the same time,
>>>>>> thunderbird shouldn't tell me that it's a per-se invalid signature just
>>>>>> because the sender is different to the key's sender.
>>>>>
>>>>> https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
>>>>> "To use OpenPGP functionality in Thunderbird, you need to set a
>>>>> so-called personal key pair for your email address."
>>>>> ^^^^^^^^^^^^^
>>>>> "After importing or creating it, while still in account settings, select
>>>>> the key you want to actively use with your email account."
>>>>> vvvvvvvvvvvvv ^^^^^^^^^^^^^
>>>>> "To enable OpenPGP for an email account, it is necessary to explicitly
>>>>> specify which personal key to use."
>>>>>
>>>>> You want to allow anyone to steal or fake someone else's key(s) to forge
>>>>> they are some other sender? If they can lie, you don't know to whom you
>>>>> are communicating?
>>>>>
>>>>> PGP creates a digital signature for private and public keys to prove
>>>>> that a sender is the rightful owner of the message
>>>>> (https://www.fortinet.com/resources/cyberglossary/pgp-encryption).
>>>>>
>>>>> The public key is tied to a particular person¢s identity, ...
>>>>> (https://www.varonis.com/blog/pgp-encryption).
>>>>>
>>>>> If you want anyone (i.e., sender unknown) to encrypt a message to you,
>>>>> don't use x.509 (S/MIME) or PGP. Encrypt a file, like zip with
>>>>> password, attach to an e-mail, and convey the password using a different
>>>>> communications venue (call, postal mail, chat, flag signals, whatever).
>>>>>
>>>>>
>>>> vks://keys.openpgp.org
>>>
>>> That was one that I already mentioned, but the part you snipped in your
>>> reply. Why that one over the others?
>>
>> Because that's the one built into Thunderbird and hence the one it will use
>> if you publish your key or, presumably, search for other people's keys. I
>> can't see any facility to easily use others. .
>
> Sorry?
> This is it: https://keys.openpgp.org/

That makes sense, but when I use the Keyserver > Publish function in
Thunderbird mine shows a popup with a yellow exclamation mark and the line

Public key sent to "vks://keys.openpgp.org".

whether that is interpreted by Thunderbird as "https://" I know not. VKS
might be "Virtual Key System" - it's the only acronym I could find on line.
I could understand the much more complex Enigmail system, but I don't know
what Thunderbird's built in oversimplified system gets up to - it doesn't
tell us.

--
Bob
Tetbury, Gloucestershire, England

You don't stop laughing because you grow old, you grow old because you stop
laughing!!!

Bob Henson wrote:
[..snip..]
> That makes sense, but when I use the Keyserver > Publish function in
> Thunderbird mine shows a popup with a yellow exclamation mark and the line
>
> Public key sent to "vks://keys.openpgp.org".
>
> whether that is interpreted by Thunderbird as "https://" I know not. VKS
> might be "Virtual Key System" - it's the only acronym I could find on line.

Verifying Keyserver (VKS) Interface: https://keys.openpgp.org/about/api

Jörg Lorenz wrote:

> Am 25.10.23 um 10:41 schrieb Bob Henson:
>> VanguardLH wrote:
>>
>>> Path: uni-berlin.de!individual.net!not-for-mail
>>> From: VanguardLH <V@nguard.LH>
>>> Newsgroups: alt.comp.software.thunderbird
>>> Subject: Re: vent: so the built in PGP is calling a key I have *not* decided to reject invalid, simply because it's not for the same address as the sender of the message
>>> Date: Tue, 24 Oct 2023 17:59:36 -0500
>>> Organization: Usenet Elder
>>> Lines: 45
>>> Sender: V@nguard.LH
>>> Message-ID: <gp9rqfgg8p6j.dlg@v.nguard.lh>
>>> References: <uh7rip$3nvr4$2@dont-email.me> <1xrt5y6mtople$.dlg@v.nguard.lh> <l5htjtl59qv4.2cfjsix0cncg$.dlg@40tude.net>
>>> Mime-Version: 1.0
>>> Content-Type: text/plain; charset="iso-8859-7"
>>> Content-Transfer-Encoding: 8bit
>>> X-Trace: individual.net W6KnHo6wPVNyBEWHSZzwyQOZhSoYDaBzcy/rTWJSpoTaHuzESg
>>> Keywords: VanguardLH,VLH
>>> Cancel-Lock: sha1:uPMcWYhDYX7V9q8lkopFU+/yc0k= sha256:CP1O8Lw/VzpNIzWSF+Ve82o5QwDYvlpT314rC4gQ9kg=
>>> User-Agent: 40tude_Dialog/2.0.15.41
>>> Xref: uni-berlin.de alt.comp.software.thunderbird:10774
>>>
>>> Bob Henson <bob.henson@outlook.com> wrote:
>>>
>>>> VanguardLH wrote:
>>>>
>>>>> The Bjornsdottirs <zerda@umbrellix.net> wrote:
>>>>>
>>>>>> this is nonsense and annoying. i might have to have a word with the
>>>>>> sender because they shouldn't be doing this, but at the same time,
>>>>>> thunderbird shouldn't tell me that it's a per-se invalid signature just
>>>>>> because the sender is different to the key's sender.
>>>>>
>>>>> https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
>>>>> "To use OpenPGP functionality in Thunderbird, you need to set a
>>>>> so-called personal key pair for your email address."
>>>>> ^^^^^^^^^^^^^
>>>>> "After importing or creating it, while still in account settings, select
>>>>> the key you want to actively use with your email account."
>>>>> vvvvvvvvvvvvv ^^^^^^^^^^^^^
>>>>> "To enable OpenPGP for an email account, it is necessary to explicitly
>>>>> specify which personal key to use."
>>>>>
>>>>> You want to allow anyone to steal or fake someone else's key(s) to forge
>>>>> they are some other sender? If they can lie, you don't know to whom you
>>>>> are communicating?
>>>>>
>>>>> PGP creates a digital signature for private and public keys to prove
>>>>> that a sender is the rightful owner of the message
>>>>> (https://www.fortinet.com/resources/cyberglossary/pgp-encryption).
>>>>>
>>>>> The public key is tied to a particular person¢s identity, ...
>>>>> (https://www.varonis.com/blog/pgp-encryption).
>>>>>
>>>>> If you want anyone (i.e., sender unknown) to encrypt a message to you,
>>>>> don't use x.509 (S/MIME) or PGP. Encrypt a file, like zip with
>>>>> password, attach to an e-mail, and convey the password using a different
>>>>> communications venue (call, postal mail, chat, flag signals, whatever).
>>>>>
>>>>>
>>>> vks://keys.openpgp.org
>>>
>>> That was one that I already mentioned, but the part you snipped in your
>>> reply. Why that one over the others?
>>
>> Because that's the one built into Thunderbird and hence the one it will use
>> if you publish your key or, presumably, search for other people's keys. I
>> can't see any facility to easily use others. .
>
> Sorry?
> This is it: https://keys.openpgp.org/

Also - searching https://keys.openpgp.org/ for a key by email gives the
result line https://keys.openpgp.org/vks/v1/by-fingerprint/{keyfingerprint}

so I'm guessing that, as this also has the "vks" in it, that Thunderbird
inserts the https:// before it calls the server, but doesn't bother to show
us all the information (or the correct information - whichever)

--
Bob
Tetbury, Gloucestershire, England

Foreign Aid - The transfer of money from poor people in rich countries to
rich people in poor countries.

Frank Miller wrote:

> Bob Henson wrote:
> [..snip..]
>> That makes sense, but when I use the Keyserver > Publish function in
>> Thunderbird mine shows a popup with a yellow exclamation mark and the line
>>
>> Public key sent to "vks://keys.openpgp.org".
>>
>> whether that is interpreted by Thunderbird as "https://" I know not. VKS
>> might be "Virtual Key System" - it's the only acronym I could find on line.
>
> Verifying Keyserver (VKS) Interface: https://keys.openpgp.org/about/api

That makes more sense of it. One used to enter one's own list of keyservers
in full in Enigmail - a much better arrangement. As I never needed to know
the fine detail of the inner functions of the keyservers, I had not come
across the acronym. Thanks for the tip.

--
Bob
Tetbury, Gloucestershire, England

No, I haven't got a personality disorder - all three of us are just fine!

VanguardLH, 2023-10-24 12:56:

[...]
> Since there are more than 1 PGP key server, wonder which one Tbird uses.

The whole idea of key servers in they way they where originally
implemented is broken:

1) Servers happily accept *everything*, even submission of wrong keys
which an attacker publishes for some e-mail-address.

2) Keys can not be deleted - because there is no way to authenticate as
a legitimate user since the server does not require any authentication
or authorization.

So the best way is to get the key from the recipient itself. Of course
if you just ask via unecrypted e-mail you still don't know if you really
got the correct key. You *may* rely on signatures in the key by other
people you know (the "web of trust"), but this requires to know and
trust a number of other people who also use PGP *and* that *they* know
your recipient as well, which is not always the case.

--
Arno Welzel
https://arnowelzel.de

On 2023-10-25 18:05, Arno Welzel wrote:
> VanguardLH, 2023-10-24 12:56:
>
> [...]
>> Since there are more than 1 PGP key server, wonder which one Tbird uses.
>
> The whole idea of key servers in they way they where originally
> implemented is broken:
>
> 1) Servers happily accept *everything*, even submission of wrong keys
> which an attacker publishes for some e-mail-address.
>
> 2) Keys can not be deleted - because there is no way to authenticate as
> a legitimate user since the server does not require any authentication
> or authorization.
>
> So the best way is to get the key from the recipient itself. Of course
> if you just ask via unecrypted e-mail you still don't know if you really
> got the correct key. You *may* rely on signatures in the key by other
> people you know (the "web of trust"), but this requires to know and
> trust a number of other people who also use PGP *and* that *they* know
> your recipient as well, which is not always the case.

You can only know that the person with you usually communicate under
that name has a certain key, but not if his name is true.

The web of trust can work, more or less, within a group of people with
which you usually communicate. An island of correspondents.

--
Cheers,
Carlos E.R.

On 2023-10-25 00:59, VanguardLH wrote:
> Bob Henson <bob.henson@outlook.com> wrote:

>
> That was one that I already mentioned, but the part you snipped in your
> reply. Why that one over the others? As Carlos mentioned, and which I
> read in passing, looks like the PGP servers no longer sync with each
> others. So, it is important which PGP key server you use, and which PGP
> key server someone else uses to find your public key.

Totally unrelated: This post of yours displays for me with an unreadable
small font.

I thought I had the issue solved, but no.

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-7"
Content-Transfer-Encoding: 8bit

I have the general font size set to 18. In Advanced, latin font is set
to 18/18, and "other writing systems" also to 18/18. What font size
would apply to your post?

man iso-8859-7

ISO 8859-7 Latin/Greek

ISO 8859-7 was formerly known as ELOT-928 or ECMA-118:1986.

Ok, I do see a setting for "greek" in Thunderbird, and it currently is
16/12. Changing to 18/18 (proportional/fixed font).

Now your post displays normally :-)

--
Cheers,
Carlos E.R.