The -i option will cause PGP to include more information about the file in the encrypted message. With the -p option, PGP restores the original filename when you decrypt the message, but if the -i option is also used, and both sender and recipient are using the same platform, then the original file permissions and timestamp will also be restored.
With the -l option, PGP gives lots more information about what it is doing. During key generation, for example, you get to see the actual numbers used in your public and secret key.
The -km option will display the "web of trust" (see question 4.7) in a nested list. This way you can see which key introduces which.
With encrypttoself=on in your configuration file, all messages that you encrypt will always be encrypted with your own public key as well. This way you will be able to decrypt and read every message you send. This can be useful if you have PGP set up to encrypt every outgoing message, and your "outbox" will keep the encrypted versions. Note: if someone else ever manages to obtain your secret key, he will be able to read every encrypted message you ever sent out, if this option was enabled.
pgp filename +makerandom=n. There is a bug in the international versions of PGP, which results in this random data being a lot less random than normal.
Fido net mail is even more sensitive. You should only send encrypted net mail after checking that:
Don't sign someone's key just because someone else that you know has signed it. Confirm the identity of the individual yourself. Remember, you are putting your reputation on the line when you sign a key.
If you have a UNIX shell account, put a copy of your public key in a file called ".plan", so that other people can finger that account and get your public key in the process. See also question 4.8.
Also, send your public key to a keyserver. See question 8.1 for details.
Whatever method you choose to make your key available, make sure that it's clear to others how to get it. Usually, you just put instructions in your mail and news .signature file (something like "PGP public key available from keyservers" or "Finger me for public key"), or refer to it from your homepage.
It's also good practice to include key ID and fingerprint in your .signature. That way, people who want to have your key can be more certain they are actually getting yours, and not some other key with your name on it. And the fingerprint will be an even greater help in this.
But this is not proof that the key actually is yours. Remember, the message or post with this .signature can be a forgery.
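The difference between a key ID and a fingerprint, as an added Python example (not code from this FAQ or from PGP). It assumes old-format (version 3) RSA keys, whose key ID and fingerprint are defined in RFC 4880 section 12.2; the function names are hypothetical and the two integers are constructed sample values, not real RSA moduli.

```python
import hashlib
import hmac

def mpi_body(value: int) -> bytes:
    """Big-endian bytes of an MPI, without the two-octet bit-count prefix."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def v3_fingerprint(n: int, e: int) -> str:
    """RFC 4880 12.2: MD5 over the body of modulus n, then exponent e."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()

def v3_key_id(n: int, bits: int = 32) -> str:
    """Key ID of a version 3 key: the low-order bits of the modulus."""
    return format(n & ((1 << bits) - 1), "0%dX" % (bits // 4))

def spaced(fp: str) -> str:
    """Group a fingerprint into byte pairs, as it is usually printed."""
    return " ".join(fp[i:i + 2] for i in range(0, len(fp), 2))

def matches_advertised(n: int, e: int, advertised: str) -> bool:
    """Compare a received key with a fingerprint obtained out of band."""
    wanted = "".join(advertised.split()).upper()
    return hmac.compare_digest(v3_fingerprint(n, e), wanted)

# Constructed sample values (assumptions for illustration, not real keys):
# two different "moduli" that end in the same 32 bits.
E = 17
GENUINE_N = (0xC3 << 504) | 0x5A5A5A5AC7A966DD
LOOKALIKE_N = (0xD9 << 504) | 0x1B1B1B1BC7A966DD

if __name__ == "__main__":
    # The fingerprint the key owner would publish in a .signature.
    advertised = spaced(v3_fingerprint(GENUINE_N, E))
    for label, n in (("genuine", GENUINE_N), ("lookalike", LOOKALIKE_N)):
        verdict = "match" if matches_advertised(n, E, advertised) else "MISMATCH"
        print(label, v3_key_id(n), spaced(v3_fingerprint(n, E)), verdict)
```

Both sample values print the same 8-digit key ID, and only the fingerprint comparison tells them apart.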
If you have any other tips, please let me know.