GPG's keychain tool makes it really simple to create keys and upload them
to various servers.
That's good, but there is also a problem with this: the simplicity puts a
lot of power in the hands of uninformed users. The solution, of course,
cannot be to take the simplicity away, but rather to guide the user through
each step.
Here are some examples that should not only be part of the README but
also part of the key creation process in the application itself:
1) After a key has been created, prompt the user to:
- create a revocation certificate
- create a backup of the key pair (print and/or export)
2) Warn twice before key deletion that the password alone is by no means
enough. For example, a public key that has been uploaded can never be
removed from a key server with just the password.
3) Warn the user that uploading to a key server is not for playing around or
testing. Advise users to exchange keys manually until they are really sure
they know what they are doing.
4) Explain the concept of fingerprints and the web of trust: a public key is
"useless" anyway until the owner's identity has been confirmed.
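The four points above as an added example, not code from the original post or from GPG Keychain: a POSIX shell walk-through of the post-creation steps with the gpg command line (2.1 or later assumed) in a throwaway keyring. The user ID, file names and backup directory layout are constructed for the demo.

```shell
# Added example (not code from the original post or from GPG Keychain): the
# post-creation steps the post wants prompted, done with the gpg CLI (2.1 or
# later assumed) in a throwaway keyring. User ID and paths are constructed.
set -eu

# Isolated keyring so the demo never touches ~/.gnupg.
setup_home() {
    export GNUPGHOME="$(mktemp -d)"
}

# Unattended demo key. %no-protection (no passphrase) is for the demo only;
# a real key gets a passphrase. Echoes the new key's fingerprint.
create_key() {
    gpg --batch --quiet --gen-key >/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Subkey-Type: RSA
Name-Real: Demo User
Name-Email: demo@example.invalid
Expire-Date: 1y
%commit
EOF
    gpg --batch --with-colons --list-keys demo@example.invalid \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# Point 1: revocation certificate plus key-pair backup. gpg 2.1+ writes a
# revocation certificate to openpgp-revocs.d/ at creation; keep it with the
# backup, since deleting the local key (point 2) does not undo an upload:
# only publishing this certificate marks the key revoked. Echoes the dir.
backup_key() {
    dir="$GNUPGHOME/backup-$1"
    mkdir -p "$dir"
    cp "$GNUPGHOME/openpgp-revocs.d/$1.rev" "$dir/revocation-certificate.rev"
    gpg --batch --yes --armor --export-secret-keys "$1" > "$dir/secret-key.asc"
    # Public key as a file, handed over directly (point 3) rather than uploaded.
    gpg --batch --yes --armor --export "$1" > "$dir/public-key.asc"
    echo "$dir"
}

# Point 4, receiving side: import the handed-over file into a separate
# keyring and compare its fingerprint with the one confirmed out of band.
verify_received_key() {
    rcv=$(mktemp -d)
    GNUPGHOME="$rcv" gpg --batch --quiet --import "$1" 2>/dev/null
    got=$(GNUPGHOME="$rcv" gpg --batch --with-colons --list-keys \
        | awk -F: '/^fpr:/ { print $10; exit }')
    [ "$got" = "$2" ]
}
```

The revocation certificate written by gpg has a colon inserted before its first armor line so it cannot be imported by accident; it is meant to be stored offline and only ever published deliberately.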
I find it essential that such critical information is part of the
application's usage flow. At the very least there should be a quick warning
with a link to where more details can be found.