Mailcrypt knows how to fetch PGP public keys from the key servers (see section 9.2 Key Servers). The function mc-pgp-fetch-key is bound by default to C-c / k in both mc-read-mode and mc-write-mode. Additionally, mc-encrypt, mc-decrypt, and mc-verify will offer to call this function to automatically fetch a desired key. If you call it manually, it will prompt you for the User ID of the key to fetch.
The variable mc-pgp-fetch-methods is a list of ways to attempt to fetch a key. (More precisely, it is a list of functions to be called, each of which will attempt to fetch the key.) The methods will be tried in the order listed. The default list is:

    '(mc-pgp-fetch-from-keyrings mc-pgp-fetch-from-finger mc-pgp-fetch-from-http)
For a description of these functions, see the following sections.
If you are not directly on the Internet, you probably want to obtain a copy of the global public key ring from the keyservers, install it somewhere under the name `public-keys.pgp', and do:
    (setq mc-pgp-fetch-methods '(mc-pgp-fetch-from-keyrings))
    (setq mc-pgp-fetch-keyring-list '("/blah/blah/blah/public-keys.pgp"))
This will allow you to fetch keys from your local copy of the global key ring instead of sending requests to the key servers directly (see section 5.1 Keyring Fetch). Alternately, if your organization has a proxy HTTP server, you can configure Mailcrypt to use that. See 5.3 HTTP Fetch.
If the key is found, you will be shown the result of running PGP on it locally. This allows you to inspect the signatures on the key relative to your own keyring before you consent to having it added. Inspect the signatures carefully! Key distribution is often the Achilles' heel of public key protocols. If you blindly use keys obtained from the key servers, you are asking for trouble.
All of the methods use mc-pgp-fetch-timeout as a timeout in seconds; the default value is 30.
5.1 Keyring Fetch: Fetching from one or more other keyrings on the local system.
5.2 Finger Fetch: Fetching a key through finger.
5.3 HTTP Fetch: Fetching a key off of the Web.
5.4 GnuPG Fetch: Using GnuPG's internal keyserver interface.
5.1 Keyring Fetch

The function mc-pgp-fetch-from-keyrings will attempt to fetch a key from a set of keyrings on the locally accessible filesystem. This is useful if your organization maintains a large common public keyring whose entire contents you do not wish to duplicate on your own ring. It is also useful if you download a copy of the global public ring from the key servers (see section 9.2 Key Servers).

The variable mc-pgp-fetch-keyring-list controls this behavior. It is a list of file names of public keyrings which this function will search, in order, when seeking a key. The default value is nil, meaning this search will always fail.
5.2 Finger Fetch

The function mc-pgp-fetch-from-finger will attempt to fetch a key by fingering an address and parsing the output for a PGP public key block.
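The parsing step that both the finger and HTTP methods depend on, as an added Emacs Lisp example (not Mailcrypt's own code, and not the implementation of mc-pgp-fetch-from-finger): it extracts exactly one complete ASCII-armored public key block from fetched text and returns nil when the block is truncated, so a partial key is never handed to PGP. The function and constant names and the sample finger output are constructed here.

```elisp
;; Added example, not part of Mailcrypt. Extract an armored PGP public key
;; block from raw text returned by a finger or HTTP fetch.
(defun example-extract-pgp-key-block (text)
  "Return the first complete PGP public key block found in TEXT, or nil.
The block runs from the BEGIN armor line through the END armor line
inclusive.  If the BEGIN line has no matching END line (a truncated or
interrupted response), return nil rather than a partial block."
  (let ((begin-marker "-----BEGIN PGP PUBLIC KEY BLOCK-----")
        (end-marker   "-----END PGP PUBLIC KEY BLOCK-----"))
    (with-temp-buffer
      (insert text)
      (goto-char (point-min))
      (when (search-forward begin-marker nil t)
        ;; match-beginning refers to the BEGIN line just matched.
        (let ((start (match-beginning 0)))
          (when (search-forward end-marker nil t)
            (buffer-substring start (match-end 0))))))))

;; Constructed sample: finger output with unrelated lines before and after
;; the key block.  The armored body is a placeholder, not a real key.
(defconst example-finger-output
  (concat "Login: alice  Name: Alice Example\n"
          "Plan:\n"
          "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
          "Version: 2.6.2\n"
          "\n"
          "mQCNAzPLACEHOLDERconstructedNotARealKey\n"
          "=abcd\n"
          "-----END PGP PUBLIC KEY BLOCK-----\n"
          "No mail.\n"))

;; Constructed sample: the connection dropped before the END line arrived.
(defconst example-truncated-output
  "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: 2.6.2\n\nmQCNAz")

;; Evaluate interactively (M-: or ielm): the first call returns the block,
;; the second returns nil.
(example-extract-pgp-key-block example-finger-output)
(example-extract-pgp-key-block example-truncated-output)
```

Whatever is returned here is still only candidate key material: as the introduction to this chapter says, run PGP on it against your own keyring and inspect the signatures before consenting to add it.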
5.3 HTTP Fetch

The function mc-pgp-fetch-from-http will attempt to fetch a key by connecting to a key server (see section 9.2 Key Servers) which has a World Wide Web interface.

The variables mc-pgp-keyserver-address, mc-pgp-keyserver-port, and mc-pgp-keyserver-url-template control the fetching process. The default is to use Brian LaMacchia's key server at MIT. If this default should stop working, or if you want to help with network congestion and machine load, you can choose a different server. As of this writing, any of the following sequences of Emacs Lisp in your `.emacs' file will work; choose one:
    ;; Key server at MIT (Massachusetts, USA)
    ;; This is the default; these lines are only for reference
    ;(setq mc-pgp-keyserver-address "pgp.ai.mit.edu")
    ;(setq mc-pgp-keyserver-port 80)
    ;(setq mc-pgp-keyserver-url-template
    ;      "/htbin/pks-extract-key.pl?op=get&search=%s")
    ;; Key server at UPC (Barcelona, Spain)
    (setq mc-pgp-keyserver-address "goliat.upc.es")
    (setq mc-pgp-keyserver-port 80)
    (setq mc-pgp-keyserver-url-template
          "/cgi-bin/pks-extract-key.pl?op=get&search=%s")
    ;; Key server at Cambridge University (Cambridge, England)
    (setq mc-pgp-keyserver-address "www.cl.cam.ac.uk")
    (setq mc-pgp-keyserver-port 80)
    (setq mc-pgp-keyserver-url-template
          "/cgi-bin/pks-extract-key.pl?op=get&search=%s")
    ;; Key server at UIT (Tromso, Norway)
    (setq mc-pgp-keyserver-address "www.service.uit.no")
    (setq mc-pgp-keyserver-port 80)
    (setq mc-pgp-keyserver-url-template
          "/cgi-bin/pks-extract-key.pl?op=get&search=%s")
    ;; Key server at CMU (Pennsylvania, USA)
    (setq mc-pgp-keyserver-address "gs211.sp.cs.cmu.edu")
    (setq mc-pgp-keyserver-port 80)
    (setq mc-pgp-keyserver-url-template "/cgi-bin/pgp-key?pgpid=%s")
If your organization has a firewall, you might not be able to access the World Wide Web directly. Your organization may have a proxy HTTP server set up, however. In that case, you should place code like the following in your `.emacs' file. You can use any of the above key servers instead of the one at MIT, of course.
    ;; Mailcrypt configuration for accessing key server through HTTP proxy
    (setq mc-pgp-keyserver-address "your.proxy.com")
    (setq mc-pgp-keyserver-port 13013)   ; Your proxy's port
    (setq mc-pgp-keyserver-url-template
          "http://pgp.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=%s")
Note that fetching from a key server can be somewhat slow, so be patient. (At least it beats the tar out of the Email interface.)
5.4 GnuPG Fetch

GnuPG happens to have a built-in HKP keyserver interface which is completely independent from Mailcrypt's own key fetching support. If your `.gnupg/options' file includes a line like:
`keyserver wwwkeys.pgp.net'
then any operation that needs an otherwise-unavailable public key (which generally means signature verification) will automatically contact the keyserver and try to retrieve the key. It sends the hex keyid to the server, not a string, so it could only be used at encryption time if you already know the keyid of your recipients.
You can also tell GPG to explicitly request a key (by hex keyid) with `--recv-keys', or to send your own key with `--send-keys'. Check the GnuPG manual for details.