Thursday, June 12, 2008

Scripting and trusting GPG

We just added a new client, and like all intelligent companies, we're using GPG to get them their files.

Since we're going to be encrypting files for them, we needed to get their public key. That part was straightforward; however, several calls to their technical contact have gone unreturned. I'd very much like to sign their key after verifying fingerprints over the phone, but I can't do that if I don't talk to them, and scripting the encryption of a file using an unsigned key is nigh-impossible.

I ended up signing it with a low level of trust, but I'd eventually like to trust it completely.
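For reference, here is the scripted version of what the post describes: check the key's fingerprint against the value read back by the client, put a local (non-exportable) signature on it so gpg treats it as valid without publishing a certification, and run the encryption unattended. This is an added example, not a script from the original post; the fingerprint and file names are placeholders, and the `--quick-lsign-key` step assumes GnuPG 2.1 or newer (the `--trust-model always` step works on older versions too). Note that gpg keeps "ownertrust" (how much you trust the owner to certify other keys) separate from "validity" (whether the key belongs to its user ID); a local signature addresses the second, which is the one that blocks batch encryption.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a file for a client
# whose key was verified by fingerprint out of band, without needing the
# key to be certified in the public web of trust.
set -eu

# Fingerprint read back by the client over the phone. Placeholder value.
EXPECTED_FPR="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Normalize a fingerprint for comparison: drop whitespace, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeeds (exit 0) when two fingerprints match after normalization.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Primary-key fingerprint of a key in the local keyring, taken from gpg's
# machine-readable --with-colons output (field 10 of the "fpr" record).
keyring_fpr() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# After the fingerprint check passes, add a local signature. It is never
# exported, so it does not publish a certification you have not yet been
# able to make in public, but it makes the key valid for later gpg runs.
# --quick-lsign-key requires GnuPG 2.1+.
lsign_verified_key() {
    key="$1"
    fpr=$(keyring_fpr "$key")
    if ! fpr_matches "$fpr" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch for $key: got '$fpr'" >&2
        return 1
    fi
    gpg --batch --yes --quick-lsign-key "$(norm_fpr "$fpr")"
}

# Unattended encryption. The recipient is pinned by full fingerprint, so
# --trust-model always cannot pick an unexpected key; it only disables the
# web-of-trust validity prompt that would otherwise stop a batch job.
encrypt_for_client() {
    in="$1"
    out="$2"
    gpg --batch --yes --trust-model always \
        --recipient "$(norm_fpr "$EXPECTED_FPR")" \
        --output "$out" --encrypt "$in"
}

# Typical use once the client's key has been imported (placeholder names):
#   lsign_verified_key client@example.com
#   encrypt_for_client report.csv report.csv.gpg
```

If you lsign the key, you can drop `--trust-model always` from `encrypt_for_client` entirely; keeping the fingerprint pinned on `--recipient` is still worthwhile so a second key with the same e-mail address can never be selected.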

What are your public key security policies? Would you have signed the key?