Would you trust a reputedly secure file sharing service for public key distribution? In my context, I cannot use certificates. Key servers seem to require PGP/GPG formats yet I'm using Microsoft CngKey format in my app, hence this question.
Asked
Active
Viewed 108 times
2 Answers
2
Yes and No
You could print your public key on a billboard in the middle of New York and it would not cause you any problems, however, no one would be able to verify that the billboard in question was actually your doing. Further, if someone had write access to that billboard and changed the public key it would cause you headaches.
Something that you might consider is to stash the key in a Github repo owned by you ... this, while not 100% secure, would be far more reputable than a public dropbox link.
CaffeineAddiction
- 7,517
- 2
- 20
- 40
-
I'm making a good note of this, yet I guess that each user of the application would have to use that same strategy. Still, if it is really more secure I'll do it, thank you :) – Frank Jan 07 '17 at 02:12
1
It's a public key. The whole point is that - it's meant to be shared.
I could send it to the government. It wouldn't make any difference. You use your private key for decryption. Keep that safe.
I recommend that you read this answer to understand the fundamentals.
-
The file sharing service might hypothetically substitute the public key with one of its own. Maybe this is the asker's worry? – John Dvorak Jan 07 '17 at 01:49
-
-
-
@Frank do note that the file-sharing service probably won't be able to intercept and replace the encrypted message that's being sent to you with that key. In the very worst case, you might find slightly too late something went south. – John Dvorak Jan 07 '17 at 01:53
-
@Jan Dvorak: Okay thanks. We users only need to make sure that the keys come from the right correspondent. The rest is done using ECIES.(already implemented in the app) – Frank Jan 07 '17 at 02:02