5. Key Fetching

Mailcrypt knows how to fetch PGP public keys from the key servers (see section 9.2 Key Servers). The function mc-pgp-fetch-key is bound by default to C-c / k in both mc-read-mode and mc-write-mode. Additionally, mc-encrypt, mc-decrypt, and mc-verify will offer to call this function to automatically fetch a desired key. If you call it manually, it will prompt you for the User ID of the key to fetch.

The variable mc-pgp-fetch-methods is a list of ways to attempt to fetch a key. (More precisely, it is a list of functions to be called, each of which will attempt to fetch the key.) The methods will be tried in the order listed. The default list is:

'(mc-pgp-fetch-from-keyrings
  mc-pgp-fetch-from-finger
  mc-pgp-fetch-from-http)

For a description of these functions, see the following sections.

If you are not directly on the Internet, you probably want to obtain a copy of the global public key ring from the keyservers, install it somewhere under the name `public-keys.pgp', and do:

(setq mc-pgp-fetch-methods '(mc-pgp-fetch-from-keyrings))
(setq mc-pgp-fetch-keyring-list '("/blah/blah/blah/public-keys.pgp"))

This will allow you to fetch keys from your local copy of the global key ring instead of sending requests to the key servers directly (see section 5.1 Keyring Fetch). Alternately, if your organization has a proxy HTTP server, you can configure Mailcrypt to use that. See 5.3 HTTP Fetch.

If the key is found, you will be shown the result of running PGP on it locally. This allows you to inspect the signatures on the key relative to your own keyring before you consent to having it added. Inspect the signatures carefully! Key distribution is often the Achilles' heel of public key protocols. If you blindly use keys obtained from the key servers, you are asking for trouble.

All of the methods use mc-pgp-fetch-timeout as a timeout in seconds; the default value is 30.

5.1 Keyring Fetch

The function mc-pgp-fetch-from-keyrings will attempt to fetch a key from a set of keyrings on the locally accessible filesystem. This is useful if your organization maintains a large common public keyring whose entire contents you do not wish to duplicate on your own ring. It is also useful if you download a copy of the global public ring from the key servers (see section 9.2 Key Servers).

The variable mc-pgp-fetch-keyring-list controls this behavior. It is a list of file names of public keyrings which this function will search, in order, when seeking a key. The default value is nil, meaning this search will always fail.

5.2 Finger Fetch

The function mc-pgp-fetch-from-finger will attempt to fetch a key by fingering an address and parsing the output for a PGP public key block.

5.3 HTTP Fetch

The function mc-pgp-fetch-from-http will attempt to fetch a key by connecting to a key server (see section 9.2 Key Servers) which has a World Wide Web interface.

The variables mc-pgp-keyserver-address, mc-pgp-keyserver-port, and mc-pgp-keyserver-url-template control the fetching process. The default is to use Brian LaMacchia's key server at MIT. If this default should stop working, or if you want to help with network congestion and machine load, you can choose a different server. As of this writing, any of the following sequences of Emacs Lisp in your `.emacs' file will work; choose one:

;; Key server at MIT (Massachusetts, USA)
;; This is the default; these lines are only for reference
;(setq mc-pgp-keyserver-address "pgp.ai.mit.edu")
;(setq mc-pgp-keyserver-port 80)
;(setq mc-pgp-keyserver-url-template
;      "/htbin/pks-extract-key.pl?op=get&search=%s")

;; Key server at UPC (Barcelona, Spain)
(setq mc-pgp-keyserver-address "goliat.upc.es")
(setq mc-pgp-keyserver-port 80)
(setq mc-pgp-keyserver-url-template
      "/cgi-bin/pks-extract-key.pl?op=get&search=%s")

;; Key server at Cambridge University (Cambridge, England)
(setq mc-pgp-keyserver-address "www.cl.cam.ac.uk")
(setq mc-pgp-keyserver-port 80)
(setq mc-pgp-keyserver-url-template
      "/cgi-bin/pks-extract-key.pl?op=get&search=%s")

;; Key server at UIT (Tromso, Norway)
(setq mc-pgp-keyserver-address "www.service.uit.no")
(setq mc-pgp-keyserver-port 80)
(setq mc-pgp-keyserver-url-template
      "/cgi-bin/pks-extract-key.pl?op=get&search=%s")

;; Key server at CMU (Pennsylvania, USA)
(setq mc-pgp-keyserver-address "gs211.sp.cs.cmu.edu")
(setq mc-pgp-keyserver-port 80)
(setq mc-pgp-keyserver-url-template "/cgi-bin/pgp-key?pgpid=%s")

If your organization has a firewall, you might not be able to access the World Wide Web directly. Your organization may have a proxy HTTP server set up, however. In that case, you should place code like the following in your `.emacs' file. You can use any of the above key servers instead of the one at MIT, of course.

;; Mailcrypt configuration for accessing key server through HTTP proxy
(setq mc-pgp-keyserver-address "your.proxy.com")
(setq mc-pgp-keyserver-port 13013)  ; Your proxy's port
(setq mc-pgp-keyserver-url-template
      "http://pgp.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=%s")

Note that fetching from a key server can be somewhat slow, so be patient. (At least it beats the tar out of the Email interface.)

5.4 GnuPG Fetch

GnuPG happens to have a built-in HKP keyserver interface which is completely independent from MailCrypt's own key fetching support. If your `.gnupg/options' file includes a line like:

`keyserver wwwkeys.pgp.net'

then any operation that needs an otherwise-unavailable public key (which generally means signature verification) will automatically contact the keyserver and try to retrieve the key. It sends the hex keyid to the server, not a string, so it could only be used at encryption time if you already know the keyid of your recipients.

You can also tell GPG to explicitly request a key (by hex keyid) with `--recv-keys', or to send your own key with `--send-keys'. Check the GnuPG manual for details.

This document was generated by XEmacs shared group account on December, 19 2009 using texi2html 1.65.