[OPSEC/Computer] PGP question about public keys

Sorry if this has been mentioned, I have attempted to search for the answer to this on and off for a few weeks, but I've had no luck. After dealing with vendors who specifically ask you not to sign PGP messages, I've come to wonder: is sending your public key necessary in this case? As long as it's encrypted to their public key, do they have to have yours?

Once again, sorry if this is common knowledge, I've tried to find the answer and posting this question was pretty much my last resort.

Thanks!


Comments


[3 Points] kamn74:

They only need your public key if they are going to encrypt a message to you.

You should put your public key in your profile, just in case.


[2 Points] Eddie-Teach:

Yes, to confirm a signed message the receiver must have your PGP key on their keyring. Signing a message is not at all necessary for our purposes; it is used to verify that a message was not tampered with in transit.

In order to tamper with a message that you sent PGP-encrypted to the vendor I would need that vendor's private key. First I would have to intercept the message before he got it, decrypt it, edit it, re-encrypt it and send it on its way, spoofed to look like it came from you. This is something that would require either admin access to the marketplace where the message was sent or taking total control of the Tor network (in addition to the private key for the vendor).

The only reason a vendor would need your public key would be if they needed to communicate sensitive information back to you. Other than tracking info (which rarely needs to be released) there is rarely reason for this.

Does that cover everything you were wondering about?
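As an added illustration (not part of the thread), here is a textbook-RSA stand-in for the OpenPGP operations that shows which key each step needs: encrypting requires only the vendor's public key, while checking a signature requires the buyer's public key. The primes, names and message are constructed for the demo and give no real security; the real OpenPGP primitives and padding are omitted.

```python
import hashlib

# Toy textbook RSA for illustration only. The moduli are built from known Mersenne
# primes (2^31-1, 2^61-1, 2^89-1, 2^107-1): tiny next to a real key, but large
# enough to hold a short message as an integer.

def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d). Only the public half is shared."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def to_int(text):
    return int.from_bytes(text.encode(), "big")

def to_text(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

def encrypt_to(recipient_pub, text):
    """Encryption uses only the recipient's public key; the sender needs no key of their own."""
    n, e = recipient_pub
    m = to_int(text)
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(recipient_priv, ciphertext):
    """Decryption needs the recipient's private key."""
    n, d = recipient_priv
    return to_text(pow(ciphertext, d, n))

def _digest(text, n):
    # Hash the message and reduce into the modulus (a real scheme pads instead).
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def sign(sender_priv, text):
    """Signing needs the sender's private key."""
    n, d = sender_priv
    return pow(_digest(text, n), d, n)

def verify(sender_pub, text, signature):
    """Verification needs the sender's public key: a signed message is only checkable
    by someone holding it, which is why an unsigned, encrypted message needs none."""
    n, e = sender_pub
    return pow(signature, e, n) == _digest(text, n)

if __name__ == "__main__":
    vendor_pub, vendor_priv = make_keypair(2**31 - 1, 2**61 - 1)   # constructed
    buyer_pub, buyer_priv = make_keypair(2**89 - 1, 2**107 - 1)    # constructed
    c = encrypt_to(vendor_pub, "order 1234")        # buyer needs only vendor_pub
    print(decrypt(vendor_priv, c))                  # vendor reads it with vendor_priv
    s = sign(buyer_priv, "order 1234")
    print(verify(buyer_pub, "order 1234", s), verify(vendor_pub, "order 1234", s))
```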


[1 Points] k9atemybuds:

I would highly suggest putting your public key in your profile and activating 2FA. This way you won't get your coins stolen and also the vendors can encrypt messages to you.


[1 Points] throwaway:

Why on earth wouldn't vendors want you to sign your messages?