GPG and Signing

I noticed a lot of people on this mailing list have GPG enabled in
their emails, and now that I've seen it enough I'm wondering a few
things;

What exactly does GPG/GnuPG do?

What are the advantages to having it?

How do I set it up to recognize other people's signatures?

How do I set it up with my own signature, that works with Mutt?

--


GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Pobega wrote:
> I noticed a lot of people on this mailing list have GPG enabled in
> their emails, and now that I've seen it enough I'm wondering a few
> things;
>
> What exactly does GPG/GnuPG do?

Sign and/or encrypt things
>
> What are the advantages to having it?

You can be sure that the person is who they say they are. Encrypt information.
>
> How do I set it up to recognize other people's signatures?

Some client should do it for you, or you can check the fingerprint with
the key in some pgp-server and check it manually. Mutt does that for you
automatically, I think; you should read [1]
>
> How do I set it up with my own signature, that works with Mutt?

Well, I guess that [1] should work

[1] http://tldp.org/HOWTO/Mutt-GnuPG-PGP-HOWTO.html

Jose Luis,
- --

ghostbar @ linux/debian 'sid' x86 - #382503
WeBlog: http://ghostbar.ath.cx/ - http://talug.org.ve
http://debian.org.ve - irc.debian.org #debian-ve
San Cristóbal, Venezuela.
Fingerprint = 3E7D 4267 AFD5 2407 2A37 20AC 38A0 AD5B CACA B118
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGDy/+OKCtW8rKsRgRAn70AJsH3VTd5N3W0Y40+BW+IaYq0HTmQACeNt9u
anfwLTvdz6sUPWRHS0QS2Xw=
=ZjOY
-----END PGP SIGNATURE-----

--

GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jose Luis Rivas Contreras wrote:
> Michael Pobega wrote:
[...]
>>>What are the advantages to having it?
>
>
> You can be sure that the person is who they say they are.

Wellll.... that's a pretty big simplification. It is possible to do
that, but you must understand how the system works first. I realize it's
impractical to go into details in this list, but I just wanted to make
sure Michael was aware there's a *LOT* behind that statement.

Michael, Wikipedia has a reasonably concise overview:
http://en.wikipedia.org/wiki/Pretty_Good_Privacy

- --
Jim Hyslop
Dreampossible: Better software. Simply. http://www.dreampossible.ca
Consulting * Mentoring * Training in
C/C++ * OOD * SW Development & Practices * Version Management
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFGDzhZLdDyDwyJw+MRAt8mAKDvY2u3zfUmf3vFwHiCamlOMC3HYgCeKKNt
K0KXuxdB3/BZ0HvoPJPCPSs=
=bQCR
-----END PGP SIGNATURE-----

--

GPG and Signing

Jim Hyslop wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jose Luis Rivas Contreras wrote:
>
>> Michael Pobega wrote:
>>
> [...]
>
>>>> What are the advantages to having it?
>>>>
>> You can be sure that the person is who they say they are.
>>
>
> Wellll.... that's a pretty big simplification. It is possible to do
> that, but you must understand how the system works first. I realize it's
> impractical to go into details in this list, but I just wanted to make
> sure Michael was aware there's a *LOT* behind that statement.
>
> Michael, Wikipedia has a reasonably concise overview:
> http://en.wikipedia.org/wiki/Pretty_Good_Privacy
>

I was wondering about that too. Went to local book store and found a
good book on both PGP and GPG:

http://www.amazon.com/PGP-GPG-Email-Practical-Paranoid/dp/1593270712/ref=sr_1_1/104-6276993-4918331?ie=UTF8&s=books&qid=1175414807&sr=8-1

It's a quick and interesting read after which you will have a good
understanding of framework and mechanisms of both the tools and the
theory behind it.

HTH.

Maxcole is an Equal Opportunity Employer

--

GPG and Signing

Robert Roach wrote:
> Jim Hyslop wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Jose Luis Rivas Contreras wrote:
>>
>>> Michael Pobega wrote:
>>>
>> [...]
>>
>>>>> What are the advantages to having it?
>>>>>
>>> You can be sure that the person is who they say they are.
>>>
>>
>> Wellll.... that's a pretty big simplification. It is possible to do
>> that, but you must understand how the system works first. I realize it's
>> impractical to go into details in this list, but I just wanted to make
>> sure Michael was aware there's a *LOT* behind that statement.
>>
>> Michael, Wikipedia has a reasonably concise overview:
>> http://en.wikipedia.org/wiki/Pretty_Good_Privacy
>>
>
> I was wondering about that too. Went to local book store and found a
> good book on both PGP and GPG:
>
> http://www.amazon.com/PGP-GPG-Email-Practical-Paranoid/dp/1593270712/ref=sr_1_1/104-6276993-4918331?ie=UTF8&s=books&qid=1175414807&sr=8-1
>
>
> It's a quick and interesting read after which you will have a good
> understanding of framework and mechanisms of both the tools and the
> theory behind it.
>

No local bookstores here :-(
I'm still waiting for a *well written plain English* description of
PGP/GPG.

...
The message recipient uses the sender's public key and the digital
signature to recover the original message digest.
...

is really another version of Fortran and not plain English. Maybe the
latter is no longer used in the business we're in...

Hugo

--

GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hugo Vanwoerkom wrote:
[snip]

>>> Michael, Wikipedia has a reasonably concise overview:
>>> http://en.wikipedia.org/wiki/Pretty_Good_Privacy
>>>
>>
>> I was wondering about that too. Went to local book store and found a
>> good book on both PGP and GPG:
>>
>> http://www.amazon.com/PGP-GPG-Email-Practical-Paranoid/dp/1593270712/ref=sr_1_1/104-6276993-4918331?ie=UTF8&s=books&qid=1175414807&sr=8-1
>>
>>
>> It's a quick and interesting read after which you will have a good
>> understanding of framework and mechanisms of both the tools and the
>> theory behind it.
>>
>
> No local bookstores here :-(
> I'm still waiting for a *well written plain English* description of
> PGP/GPG.
>
> ...
> The message recipient uses the sender's public key and the digital
> signature to recover the original message digest.
> ...
>
> is really another version of Fortran and not plain English. Maybe the
> latter is no longer used in the business we're in...

Hugo,

Perhaps this link will help you. Since you're Dutch:

http://nl.wikipedia.org/wiki/PGP

Good luck with it,

Joe

- --
Registered Linux user #443289 at http://counter.li.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGEBcfiXBCVWpc5J4RAj6tAKCRgC+0G/GB1WREB0qHYRowIZM2NgCbBySc
ZfxOpUpEzHnIpHdu5kXvnz8=
=QnAB
-----END PGP SIGNATURE-----

--

GPG and Signing

On Sun, 01 Apr 2007 14:43:48 -0500
Hugo Vanwoerkom wrote:

[snip]

> No local bookstores here :-(
> I'm still waiting for a *well written plain English* description of
> PGP/GPG.
>
> ...
> The message recipient uses the sender's public key and the digital
> signature to recover the original message digest.
> ...
>
> is really another version of Fortran and not plain English. Maybe the
> latter is no longer used in the business we're in...

It's really not so bad: "The message recipient [let's say, you] uses the
sender's [whoever sent you the email] public key [a part of his key
that he makes public, either by posting on a website, uploading to a
keyserver, or any other means] and the digital signature [something
that his MUA (generally) adds on to his (encrypted) email messages] to
recover the original message digest [basically the original message]".

Celejar

--
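
The quoted sentence about recovering the message digest, worked through as an added example that is not part of any post in this thread. It uses textbook RSA with small constructed primes and no padding, so it shows the idea only and not the OpenPGP packet format; every function and key name is hypothetical. The digest is a fixed-size hash of the message, and the message itself travels in the clear next to the signature.

```python
import hashlib
from typing import NamedTuple, Tuple

E = 65537  # widely used RSA public exponent


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


def make_keypair(p: int, q: int) -> Tuple[PublicKey, PrivateKey]:
    """Build a textbook RSA key pair from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return PublicKey(n, E), PrivateKey(n, pow(E, -1, phi))


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, key: PrivateKey) -> int:
    """Sender side: transform the digest with the private key."""
    return pow(digest(message, key.n), key.d, key.n)


def recover_digest(signature: int, key: PublicKey) -> int:
    """Recipient side: the public key turns the signature back into a digest."""
    return pow(signature, key.e, key.n)


def verify(message: bytes, signature: int, key: PublicKey) -> bool:
    """Good signature = recovered digest equals the digest of what arrived."""
    return recover_digest(signature, key) == digest(message, key.n)


# Constructed demo keys (Mersenne primes, far too small for real use).
SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**31 - 1)
OTHER_PUB, _OTHER_PRIV = make_keypair(2**89 - 1, 2**19 - 1)

MESSAGE = b"Yep. Worked just fine."
SIGNATURE = sign(MESSAGE, SENDER_PRIV)

if __name__ == "__main__":
    print("recovered digest:", hex(recover_digest(SIGNATURE, SENDER_PUB)))
    print("digest of message:", hex(digest(MESSAGE, SENDER_PUB.n)))
    print("untouched message verifies:", verify(MESSAGE, SIGNATURE, SENDER_PUB))
    print("altered message verifies:", verify(b"Nope. Broken.", SIGNATURE, SENDER_PUB))
    print("wrong public key verifies:", verify(MESSAGE, SIGNATURE, OTHER_PUB))
```

The DSA key that appears later in the thread is verified with a different calculation that does not recover the digest, but the recipient's steps are the same: hash what arrived, then check it against the signature with the sender's public key.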

GPG and Signing

On Sun, Apr 01, 2007 at 04:11:09PM +0800, Robert Roach wrote:
> I was wondering about that too. Went to local book store and found a
> good book on both PGP and GPG:
>
> http://www.amazon.com/PGP-GPG-Email-Practical-Paranoid/dp/1593270712/ref=sr_1_1/104-6276993-4918331?ie=UTF8&s=books&qid=1175414807&sr=8-1
>
> It's a quick and interesting read after which you will have a good
> understanding of framework and mechanisms of both the tools and the
> theory behind it.

Does it mention Bob, Ted and Alice?

--
Chris.
======

--

GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/31/07 21:30, Michael Pobega wrote:
> I noticed a lot of people on this mailing list have GPG enabled in
> their emails, and now that I've seen it enough I'm wondering a few
> things;
>
> What exactly does GPG/GnuPG do?

Digitally signs and or encrypts files.

> What are the advantages to having it?

Using a web of trust, you can validate whether the entity that
claims to have sent the email actually sent the email.

> How do I set it up to recognize other people's signatures?
>
> How do I set it up with my own signature, that works with Mutt?

- --
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGDzO6S9HxQb37XmcRApjzAKCf8qGadG4TABMYhPJNg+r04QtKnACfXi7O
B+vNNiNCY4fJswm8XvDCcLY=
=bsNv
-----END PGP SIGNATURE-----

--

GPG and Signing

Ron Johnson wrote:

> > What are the advantages to having it?
>
> Using a web of trust, you can validate whether the entity that
> claims to have sent the email actually sent the email.

Which makes me wonder, how is anyone to establish such a web of trust
in this community?

Regards,
Andrei
P.S. I just set up Claws-Mail to use signing a few days ago. This thread
looks like a good opportunity to start using it here.
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

GPG and Signing

On Sun, Apr 01, 2007 at 11:26:54AM +0300, Andrei Popescu wrote:
> Ron Johnson wrote:
>
> > > What are the advantages to having it?
> >
> > Using a web of trust, you can validate whether the entity that
> > claims to have sent the email actually sent the email.
>
> Which makes me wonder, how is anyone to establish such a web of trust
> in this community?
>
I recall some concept called in-band and out-of-band. So if you want to
have a web-of-trust using pgp/gpg keys for email, you need to have an
out-of-band way of verifying those keys--this is usually done by
meeting someone in person and examining their ID. This is done for folks
joining the Debian development community. After you meet them and
verify that it's ok, you then add their key to your set of trusted keys.

--
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal |mysite.verizon.net/kevin.mark/|
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
|join the new debian-community.org to help Debian! |
|_______ Unless I ask to be CCd, assume I am subscribed _______|

GPG and Signing

On Sun, 1 Apr 2007 11:26:54 +0300
Andrei Popescu wrote:

Hello Andrei,

> P.S. I just setup Claws-Mail to use signing a few days ago. This
> thread looks like a good opportunity to start using it here.

All set up nicely, then. Your public key imported, and everything
works.

What I find odd is the people that sign their messages, but won't/don't
release their public key, so you can't check the validity of their
messages. They may as well not bother.

Now, all I need to do is get to a key signing party somewhere,
otherwise I'll never get anyone to validate my public key.

--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"

Dream on white boy, dream on black girl
Original Sin - INXS

GPG and Signing

On Sun, Apr 01, 2007 at 11:26:54AM +0300, Andrei Popescu wrote:
> Ron Johnson wrote:
>
> > > What are the advantages to having it?
> >
> > Using a web of trust, you can validate whether the entity that
> > claims to have sent the email actually sent the email.
>
> Which makes me wonder, how is anyone to establish such a web of trust
> in this community?
>
> Regards,
> Andrei
> P.S. I just setup Claws-Mail to use signing a few days ago. This thread
> looks like a good opportunity to start using it here.
>

I got this for your mail:

[-- PGP output follows (current time: Sun 01 Apr 2007 08:09:36 AM EDT)
--]
gpg: Signature made Sun 01 Apr 2007 04:27:11 AM EDT using DSA key ID
70859BD9
gpg: Can't check signature: public key not found
[-- End of PGP output --]

I can't figure out how to set it up. The articles mentioned only talk
about PGP, not GPG.

--

GPG and Signing

Michael Pobega:
>
> I got this for your mail:
>
> [-- PGP output follows (current time: Sun 01 Apr 2007 08:09:36 AM EDT)
> --]
> gpg: Signature made Sun 01 Apr 2007 04:27:11 AM EDT using DSA key ID
> 70859BD9
> gpg: Can't check signature: public key not found
> [-- End of PGP output --]

This means that GnuPG doesn't know the public key it needs to verify the
signature on this message. You can probably configure your mail client
to try to fetch unknown keys from a public key server like
hkp://subkeys.pgp.net.

> I can't figure out how to set it up. The articles mention only talk
> about PGP, not GPG.

PGP is the original proprietary implementation, GnuPG is a compatible
GNU implementation. You can use GPG and PGP synonymously in many
contexts.

J.
--
If politics is the blind leading the blind, entertainment is the fucked-
up leading the hypnotised.

GPG and Signing

On Sun, Apr 01, 2007 at 08:11:06AM -0400, Michael Pobega wrote:

> I can't figure out how to set it up. The articles mention only talk
> about PGP, not GPG.

Here are the changes (actually additions) I made, everything else works
out of the box:

~/.muttrc

# auto sign outgoing
set crypt_autosign=yes
# auto check old signatures
set pgp_auto_decode=yes

~/.gnupg/gpg.conf

keyserver x-hkp://subkeys.pgp.net
keyserver-options auto-key-retrieve include-disabled include-revoked

I created my key with Claws-Mail, but I think 'gpg --gen-key' will do
the trick.

Regards,
Andrei
P.S. I am testing the autosign option for mutt right now ;)
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

GPG and Signing

On Sun, Apr 01, 2007 at 06:24:02PM +0300, Andrei Popescu wrote:
> On Sun, Apr 01, 2007 at 08:11:06AM -0400, Michael Pobega wrote:
>
> > I can't figure out how to set it up. The articles mention only talk
> > about PGP, not GPG.
>
> Here are the changes (actually additions) I made, everything else works
> out of the box:
>
> ~/.muttrc
>
> # auto sign outgoing
> set crypt_autosign=yes
> # auto check old signatures
> set pgp_auto_decode=yes
>
>
> ~/.gnupg/gpg.conf
>
> keyserver x-hkp://subkeys.pgp.net
> keyserver-options auto-key-retrieve include-disabled include-revoked
>
>
> I created my key with Claws-Mail, but I think 'gpg --gen-key' will do
> the trick.
>
> Regards,
> Andrei
> P.S. I am testing the autosign option for mutt right now ;)
>

I'm testing auto signing now. Tell me if it worked.

GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Pobega wrote:
> On Sun, Apr 01, 2007 at 06:24:02PM +0300, Andrei Popescu wrote:
>> On Sun, Apr 01, 2007 at 08:11:06AM -0400, Michael Pobega wrote:
>>
>>> I can't figure out how to set it up. The articles mention only talk
>>> about PGP, not GPG.
>> Here are the changes (actually additions) I made, everything else works
>> out of the box:
>>
>> ~/.muttrc
>>
>> # auto sign outgoing
>> set crypt_autosign=yes
>> # auto check old signatures
>> set pgp_auto_decode=yes
>>
>>
>> ~/.gnupg/gpg.conf
>>
>> keyserver x-hkp://subkeys.pgp.net
>> keyserver-options auto-key-retrieve include-disabled include-revoked
>>
>>
>> I created my key with Claws-Mail, but I think 'gpg --gen-key' will do
>> the trick.
>>
>> Regards,
>> Andrei
>> P.S. I am testing the autosign option for mutt right now ;)
>>
>
> I'm testing auto signing now. Tell me if it worked.

Yep. Worked just fine.

Joe

- --
Registered Linux user #443289 at http://counter.li.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGD/sTiXBCVWpc5J4RAhtRAJ9E0/AyLZY14p2rcCqlyKoAwddeDgCdHEhN
oU8XZInhyUYZBRiQ079/VeY=
=FofK
-----END PGP SIGNATURE-----

--

GPG and Signing

On Sun, Apr 01, 2007 at 06:24:02PM +0300, Andrei Popescu wrote:
> On Sun, Apr 01, 2007 at 08:11:06AM -0400, Michael Pobega wrote:
>
> P.S. I am testing the autosign option for mutt right now ;)
>

Also, is there some way to set it so I can still send mail unsigned?
I've heard that GPG keys give trouble to M$ clients, and most of my
family uses Outlook.

GPG and Signing

On Sun, 1 Apr 2007 14:30:19 -0400
Michael Pobega wrote:

Hello Michael,

> Also, is there some way to set it so I can still send mail unsigned?

I don't know how to do it in Mutt, but for ease, I created a duplicate
account in Claws-Mail that doesn't sign emails. Each list I'm subbed
to has one or other set as the default account for that list.

It is possible to change the default "on the fly", of course.

--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"

Where will you be when the bodies burn?
The Gasman Cometh - Crass

GPG and Signing

On Sun, 2007-04-01 at 14:30 -0400, Michael Pobega wrote:
> Also, is there some way to set it so I can still send mail unsigned?
> I've heard that GPG keys give trouble to M$ clients, and most of my
> family uses Outlook.

You should be able to switch between encrypt, sign, and unsigned
somewhere. I think it's "p", but better check the manual to be sure.

--
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 760BDD22

GPG and Signing

Michael Pobega wrote:

> On Sun, Apr 01, 2007 at 06:24:02PM +0300, Andrei Popescu wrote:
> > On Sun, Apr 01, 2007 at 08:11:06AM -0400, Michael Pobega wrote:
> >
> > P.S. I am testing the autosign option for mutt right now ;)
> >
>
> Also, is there some way to set it so I can still send mail unsigned?
> I've heard that GPG keys give trouble to M$ clients, and most of my
> family uses Outlook.

On a per-message basis you can press 'p' just before sending and you
get the pgp-menu. For more complicated setups you need to look in the
docs. /usr/share/doc/mutt/ is a good place to start, especially the
README.Debian (this is valid for most packages).

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

GPG and Signing

On Sun, Apr 01, 2007 at 10:09:58PM +0300, Andrei Popescu wrote:
> Michael Pobega wrote:
>
> > On Sun, Apr 01, 2007 at 06:24:02PM +0300, Andrei Popescu wrote:
> > > On Sun, Apr 01, 2007 at 08:11:06AM -0400, Michael Pobega wrote:
> > >
> > > P.S. I am testing the autosign option for mutt right now ;)
> > >
> >
> > Also, is there some way to set it so I can still send mail unsigned?
> > I've heard that GPG keys give trouble to M$ clients, and most of my
> > family uses Outlook.
>
> On a per-message basis you can press 'p' just before sending and you
> get the pgp-menu. For more complicated setups you need to look in the
> docs. /usr/share/doc/mutt/ is a good place to start, especially the
> README.Debian (this is valid for most packages).
>
> Regards,
> Andrei
>

Thanks, testing it with this email; Is this email unsigned?

--

GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Pobega wrote:
> On Sun, Apr 01, 2007 at 10:09:58PM +0300, Andrei Popescu wrote:
>> Michael Pobega wrote:
>>
>>> On Sun, Apr 01, 2007 at 06:24:02PM +0300, Andrei Popescu wrote:
>>>> On Sun, Apr 01, 2007 at 08:11:06AM -0400, Michael Pobega wrote:
>>>>
>>>> P.S. I am testing the autosign option for mutt right now ;)
>>>>
>>> Also, is there some way to set it so I can still send mail unsigned?
>>> I've heard that GPG keys give trouble to M$ clients, and most of my
>>> family uses Outlook.
>> On a per-message basis you can press 'p' just before sending and you
>> get the pgp-menu. For more complicated setups you need to look in the
>> docs. /usr/share/doc/mutt/ is a good place to start, especially the
>> README.Debian (this is valid for most packages).
>>
>> Regards,
>> Andrei
>>
>
> Thanks, testing it with this email; Is this email unsigned?
>
>
Yes, it is not signed. (since no one else had replied yet)

Joe

- --
Registered Linux user #443289 at http://counter.li.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGEAkpiXBCVWpc5J4RAvYnAJwJILTWRVLOzmn4n6oGf6gS96fLpgCeI7j5
WsXFn79Zok9QohVtGQLayeE=
=nuIh
-----END PGP SIGNATURE-----

--

GPG and Signing

On Sun, Apr 01, 2007 at 02:30:19PM -0400, Michael Pobega wrote:
> On Sun, Apr 01, 2007 at 06:24:02PM +0300, Andrei Popescu wrote:
> > On Sun, Apr 01, 2007 at 08:11:06AM -0400, Michael Pobega wrote:
> >
> > P.S. I am testing the autosign option for mutt right now ;)
> >
>
> Also, is there some way to set it so I can still send mail unsigned?
> I've heard that GPG keys give trouble to M$ clients, and most of my
> family uses Outlook.

There are 2 ways to sign an email: an in-line digital signature and a
digital signature attachment. One list to whom I send email does not
allow digital signature attachments, so I use the following in my
.mutt/muttrc to specify the in-line digital signature for this one. And
since it's not an attachment, it will not be rejected by any email
client.
========================= .mutt/muttrc =========================
send-hook '~C nylug' 'set pgp_create_traditional=yes'
========================= .mutt/muttrc =========================
-K
--
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal |mysite.verizon.net/kevin.mark/|
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
|join the new debian-community.org to help Debian! |
|_______ Unless I ask to be CCd, assume I am subscribed _______|

GPG and Signing

Michael Pobega wrote:
> On Sun, Apr 01, 2007 at 06:24:02PM +0300, Andrei Popescu wrote:
>> On Sun, Apr 01, 2007 at 08:11:06AM -0400, Michael Pobega wrote:
>>
>> P.S. I am testing the autosign option for mutt right now ;)
>>
>
> Also, is there some way to set it so I can still send mail unsigned?
> I've heard that GPG keys give trouble to M$ clients, and most of my
> family uses Outlook.

In Icedove: OpenPGP -> Preferences -> PGP/MIME. You can choose "Never to use",
"Allow to use" or "Always use". If you select "Allow to use", you can decide
whether or not to sign on a mail-by-mail basis.

--
Chris.

--

GPG and Signing

On Sun, Apr 01, 2007 at 02:24:39PM +0200, Florian Kulzer wrote:
> On Sun, Apr 01, 2007 at 08:11:06 -0400, Michael Pobega wrote:
> > On Sun, Apr 01, 2007 at 11:26:54AM +0300, Andrei Popescu wrote:
> > > Ron Johnson wrote:
> > >
> > > > > What are the advantages to having it?
> > > >
> > > > Using a web of trust, you can validate whether the entity that
> > > > claims to have sent the email actually sent the email.
> > >
> > > Which makes me wonder, how is anyone to establish such a web of trust
> > > in this community?
> > >
> > > Regards,
> > > Andrei
> > > P.S. I just setup Claws-Mail to use signing a few days ago. This thread
> > > looks like a good opportunity to start using it here.
> > >
> >
> > I got this for your mail:
> >
> > [-- PGP output follows (current time: Sun 01 Apr 2007 08:09:36 AM EDT)
> > --]
> > gpg: Signature made Sun 01 Apr 2007 04:27:11 AM EDT using DSA key ID
> > 70859BD9
> > gpg: Can't check signature: public key not found
> > [-- End of PGP output --]
> >
> > I can't figure out how to set it up. The articles mention only talk
> > about PGP, not GPG.
>
> Make sure you have something like this in your ~/.gnupg/gpg.conf:
>
> keyserver-options auto-key-retrieve
> keyserver hkp://subkeys.pgp.net
>
> (You can use another keyserver, of course. All the "standard" keyservers
> synchronize their key data with each other regularly.)
>

Not all of the GPG keys are verifying, Andrei's still isn't but others
are.

Is there any way to verify individual keys?

--

GPG and Signing

On Sun, 1 Apr 2007 08:37:11 -0400
Michael Pobega wrote:

Hello Michael,

> Not all of the GPG keys are verifying, Andrei's still isn't but others
> are.

Andrei's GPG sig verifies here.

> Is there any way to verify individual keys?

Make sure you have got his key imported with;

gpg --list-keys andrei

and compare the ID of the key you have, with the key Andrei used to
sign the message.

--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"

Going round on the Circle Line trying to find a way out
Titanic (My Over) Reaction - 999

GPG and Signing

On Sun, Apr 01, 2007 at 01:42:47PM +0100, Brad Rogers wrote:
> On Sun, 1 Apr 2007 08:37:11 -0400
> Michael Pobega wrote:
>
> Hello Michael,
>
> > Not all of the GPG keys are verifying, Andrei's still isn't but others
> > are.
>
> Andrei's GPG sig verifies here.
>
> > Is there any way to verify individual keys?
>
> Make sure you have got his key imported with;
>
> gpg --list-keys andrei
>
> and compare the ID of the key you have, with the key Andrei used to
> sign the message.
>

--]
gpg: Signature made Sun 01 Apr 2007 04:27:11 AM EDT using DSA key ID
70859BD9
gpg: Good signature from "Andrei Popescu "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: BFE4 10F8 6700 5046 B084 9EFD A89C B3B4 7085
9BD9

pub 1024D/70859BD9 2007-03-28
uid Andrei Popescu
sub 2048g/B65EA52D 2007-03-28

Looks like it should work to me; 70859BD9 is the same ID, no?

--

GPG and Signing

On Sun, 1 Apr 2007 09:35:19 -0400
Michael Pobega wrote:

Hello Michael,

> gpg: Good signature from "Andrei Popescu "
> gpg: WARNING: This key is not certified with a trusted signature!
[snip]
> Looks like it should work to me; 70859BD9 is the same ID, no?

Yes, you've got the right key, and it *has* verified. However, since
Andrei's key is not included in your web-of-trust, GPG gives the
warning. A valid signature != a trusted signature.

You can edit the trust levels of people's keys, but until you can
ascertain that the key belongs to whoever claims ownership, you can't
be certain you've got the right person. Look at
http://www.rubin.ch/pgp/weboftrust.en.html for an explanation of trust
usage.

AFAIAA, no-one has verified my PGP key as held by the key-servers. If
they have, I'd be suspicious, because nobody has ever contacted me to
verify my ID.

--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"

Life goes quick and it goes without warning
Bombsite Boy - The Adverts
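
The three outcomes seen in this thread (public key not found, good signature with the "not certified" warning, and a trusted signature) told apart by program, as an added example that is not part of any post here. It reads the machine-readable status lines GnuPG emits with `--status-fd`; the sample lines are constructed from the key ID and fingerprint quoted above (timestamps are constructed too), and `classify`, `Verdict` and the state names are hypothetical. It handles a single signature per message and pins on the full fingerprint, not the 8-digit key ID.

```python
from typing import NamedTuple, Optional

PREFIX = "[GNUPG:] "

# Fingerprint as printed in the thread; the long key ID is its last 16 digits.
PAGE_FPR = "BFE4 10F8 6700 5046 B084 9EFD A89C B3B4 7085 9BD9"
_FPR = PAGE_FPR.replace(" ", "")
_LONG_ID = _FPR[-16:]

# Constructed status output for the cases discussed in the thread.
MISSING_KEY = (
    f"[GNUPG:] ERRSIG {_LONG_ID} 17 2 01 1175416031 9\n"
    f"[GNUPG:] NO_PUBKEY {_LONG_ID}\n"
)
GOOD_UNTRUSTED = (
    f"[GNUPG:] GOODSIG {_LONG_ID} Andrei Popescu\n"
    f"[GNUPG:] VALIDSIG {_FPR} 2007-04-01 1175416031 0 3 0 17 2 01 {_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
BAD = f"[GNUPG:] BADSIG {_LONG_ID} Andrei Popescu\n"


class Verdict(NamedTuple):
    state: str                  # see classify() for the possible values
    fingerprint: Optional[str]  # primary key fingerprint from VALIDSIG
    trust: Optional[str]        # undefined / never / marginal / fully / ultimate


def normalize_fpr(fpr: str) -> str:
    """Strip the spacing people use when reading fingerprints aloud."""
    return "".join(fpr.split()).upper()


def classify(status_text: str, expected_fpr: Optional[str] = None) -> Verdict:
    """Separate 'the math checked out' from 'I know whose key this is'."""
    sig, fpr, trust = "none", None, None
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        keyword, _, rest = line[len(PREFIX):].partition(" ")
        args = rest.split()
        if keyword == "BADSIG":
            sig = "bad"
        elif keyword == "GOODSIG" and sig != "bad":
            sig = "good"
        elif keyword in ("ERRSIG", "NO_PUBKEY") and sig == "none":
            sig = "unverifiable"
        elif keyword == "VALIDSIG" and args:
            # Last field is the primary key fingerprint when gpg supplies it.
            fpr = args[-1] if len(args) >= 10 else args[0]
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):].lower()

    if sig == "bad":
        return Verdict("invalid", fpr, trust)
    if sig == "unverifiable":
        return Verdict("unverifiable", fpr, trust)
    if sig != "good":
        return Verdict("no-signature", fpr, trust)
    # Fail closed: a pin that cannot be confirmed counts as a mismatch.
    if expected_fpr is not None and normalize_fpr(expected_fpr) != fpr:
        return Verdict("valid-wrong-key", fpr, trust)
    if trust in ("fully", "ultimate"):
        return Verdict("valid-trusted", fpr, trust)
    if trust == "marginal":
        return Verdict("valid-marginal", fpr, trust)
    return Verdict("valid-untrusted", fpr, trust)


if __name__ == "__main__":
    for name, sample in (("missing key", MISSING_KEY),
                         ("good, untrusted", GOOD_UNTRUSTED),
                         ("bad", BAD)):
        print(f"{name:16} -> {classify(sample, PAGE_FPR)}")
```

On real mail the input would come from something like `gpg --status-fd 1 --verify message.asc`, where `message.asc` is a placeholder file name.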

GPG and Signing

Brad Rogers writes:
> Yes, you've got the right key, and it *has* verified. However, since
> Andrei's key is not included in your web-of-trust, GPG gives the warning.
> A valid signature != a trusted signature.

Such signatures can serve a useful purpose, though. You may not have a
trust path to him but you can be fairly sure that all messages with that
signature came from the same person.

> If they have, I'd be suspicious, because nobody has ever contacted me to
> verify my ID.

"ID" is a slippery concept. What does it mean to "know who someone is"?
--
John Hasler

--

GPG and Signing

On Sun, 01 Apr 2007 10:05:07 -0500
John Hasler wrote:

Hello John,

> "ID" is a slippery concept. What does it mean to "know who someone
> is"?

Indeed. However, with some sort of photo ID, such as passport or
driving license, and knowledge of the relevant key fingerprint, it's
possible to be fairly sure you're dealing with the person that created
the public key. So long as the details all match, whether that's their
"real" ID is moot.

--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"

Does she always shout at you, does she tell you what to do
Family Life - Sham 69

GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/01/07 10:29, Brad Rogers wrote:
> On Sun, 01 Apr 2007 10:05:07 -0500
> John Hasler wrote:
>
> Hello John,
>
>> "ID" is a slippery concept. What does it mean to "know who someone
>> is"?
>
> Indeed. However, with some sort of photo ID, such as passport or
> driving license, and knowledge of the relevant key fingerprint, it's
> possible to be fairly sure you're dealing with the person that created
> the public key. So long as the details all match, whether that's their
> "real" ID is moot.

A couple of years ago there was a very long thread on what it means
to "trust". The bottom line was that you can't perfectly know, and
that all you can do is "your best" at verifying his identity, and
then have faith.

- --
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD4DBQFGD9WyS9HxQb37XmcRAp7JAJjy0yTrHIzyH2opQ9Ek9bShXpb/AJ9ZMQMW
3/uqnguJv2XcL/SeCVQ8Og==
=a+Fb
-----END PGP SIGNATURE-----

--

GPG and Signing

On Sun, 01 Apr 2007 10:54:27 -0500
Ron Johnson wrote:

Hello Ron,

> A couple of years ago there was a very long thread on what it means

All before my time on the list. If I have time, I might read through
it via the archives.

> to "trust". The bottom line was that you can't perfectly know, and

As said in interviews with ordinary people that knew the various
criminals that achieve notoriety; "He was always such a *nice* polite
man". Well obviously, because to be otherwise might arouse suspicion.

> that all you can do is "your best" at verifying his identity, and
> then have faith.

Quite so.

--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"

It's only the children of the ------- wealthy tend to be good looking
Ugly - The Stranglers

GPG and Signing

Brad Rogers writes:
> As said in interviews with ordinary people that knew the various
> criminals that achieve notoriety; "He was always such a *nice* polite
> man". Well obviously, because to be otherwise might arouse suspicion.

In the phrase "web of trust" the word "trust" does not have quite the same
meaning as it does in everyday conversation.
--
John Hasler

--

GPG and Signing

On Sun, 01 Apr 2007 12:53:11 -0500
John Hasler wrote:

Hello John,

> In the phrase "web of trust" the word "trust" does not have quite the
> same meaning as it does in everyday conversation.

Very true. Outside PGP users though, the difference in meaning would be
lost though, I'm sure.

--
Regards _
/ ) "The blindingly obvious is
/ _)rad never immediately apparent"

Now would I say something that wasn't true?
Would I Lie To You - Eurythmics

GPG and Signing

Ron Johnson writes:
> A couple of years ago there was a very long thread on what it means to
> "trust". The bottom line was that you can't perfectly know, and that all
> you can do is "your best" at verifying his identity, and then have faith.

Again I have to ask, what is "identity"? That is not a flippant
question. Think about it.
--
John Hasler

--

GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/01/07 12:49, John Hasler wrote:
> Ron Johnson writes:
>> A couple of years ago there was a very long thread on what it means to
>> "trust". The bottom line was that you can't perfectly know, and that all
>> you can do is "your best" at verifying his identity, and then have faith.
>
> Again I have to ask, what is "identity"? That is not a flippant
> question. Think about it.

In the metaphysical sense or the practical sense?

- --
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGECFgS9HxQb37XmcRAh9fAJoCNPH7gWKgo+CBYX+BW1l3wUkIpwCcD8I7
f3jw/kUDR81xCYFo6b7l8Jg=
=3tf/
-----END PGP SIGNATURE-----

--

GPG and Signing

I wrote:
> Again I have to ask, what is "identity"? That is not a flippant
> question. Think about it.

Ron Johnson writes:
> In the metaphysical sense or the practical sense?

Practical, but not "commonsense".

Does your bank need to know "who you really are" in order to safely let you
withdraw money from your account, or do they just need to know that you are
the person who opened the account? (Ignoring government regulations for
the moment.)

Does Debian need to know "who I really am" to safely let me upload
packages, or do they just need to know that I am the same John Hasler who
has been uploading packages for the last nine years and who exchanged key
signatures with a couple of DDs at the IETF meeting in Minneapolis in 1998?
--
John Hasler

GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/01/07 17:24, John Hasler wrote:
> I wrote:
>> Again I have to ask, what is "identity"? That is not a flippant
>> question. Think about it.
>
> Ron Johnson writes:
>> In the metaphysical sense or the practical sense?
>
> Practical, but not "commonsense".
>
> Does your bank need to know "who you really are" in order to safely let you
> withdraw money from your account, or do they just need to know that you are
> the person who opened the account? (Ignoring government regulations for
> the moment.)

An ATM machine's threshold of "trust in identity" is account number
and PIN. Meat sack tellers (who don't recognize you) want to verify
your signature with a Government Issued ID Card.

Yes, it could be a forgery, and someone could have stolen your
wallet and forced you to fess up your PIN, but that's all the bank,
super market, etc, etc can go on.

Just as with the GPG Web Of Trust, meatspace relies on a web of
trust. In "modern" societies it radiates from the government, and
in "other" societies (including our own, in previous times), it is
based on, well, traditional means: face-to-face conversation,
letters of introduction, etc, etc.

But, even then, a ne'er-do-well could waylay the person carrying the
letter of introduction and steal his identity. Or, at least he
could in stories...

> Does Debian need to know "who I really am" to safely let me upload
> packages, or do they just need to know that I am the same John Hasler who
> has been uploading packages for the last nine years and who exchanged key
> signatures with a couple of DDs at the IETF meeting in Minneapolis in 1998?

All they care about is the GPG web of trust.

- --
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGED0BS9HxQb37XmcRAuL5AKDWMIZeyEH/6DB31/O9jnz+9aGLTwCgmzhe
o6rTMXrinXa0AeYpgBGaChM=
=D5NA
-----END PGP SIGNATURE-----

--

GPG and Signing

Ron Johnson writes:
> An ATM machine's threshold of "trust in identity" is account number and
> PIN.

That is authentication, not identification.

> Meat sack tellers (who don't recognize you) want to verify your signature
> with a Government Issued ID Card.

A mistake. The teller should authenticate (_authenticate_, not identify)
you with a secret shared by only you and the bank.

> Just as with the GPG Web Of Trust, meatspace relies on a web of trust.

An easily subverted ad-hoc one.

> All they care about is the GPG web of trust.

Debian cares that I am the same person who was authorized to upload
packages in 1998. They don't care if I am the person who files tax returns
using the name John Hasler and a particular SSN. They are not interested
in where I was born. Only governments and identity thieves are interested
in complete life histories.
--
John Hasler

--

GPG and Signing

On Sun, Apr 01, 2007 at 10:54:27AM -0500, Ron Johnson wrote:
> On 04/01/07 10:29, Brad Rogers wrote:
> > On Sun, 01 Apr 2007 10:05:07 -0500
> > John Hasler wrote:
> >
> > Hello John,
> >
> >> "ID" is a slippery concept. What does it mean to "know who someone
> >> is"?
> >
> > Indeed. However, with some sort of photo ID, such as passport or
> > driving license, and knowledge of the relevant key fingerprint, it's
> > possible to be fairly sure you're dealing with the person that created
> > the public key. So long as the details all match, whether that's their
> > "real" ID is moot.
>
> A couple of years ago there was a very long thread on what it means
> to "trust". The bottom line was that you can't perfectly know, and
> that all you can do is "your best" at verifying his identity, and
> then have faith.
>

I have a question, and I think it's best to fork the thread from here:

Is it a bad practice to verify keyrings of people on the mailing list,
or is it better to wait until I meet up with some of them at say
Debconf or something similar?

GPG and Signing

Michael Pobega writes:
> Is it a bad practice to verify keyrings of people on the mailing list, or
> is it better to wait until I meet up with some of them at say Debconf or
> something similar?

Depends on what you mean by "verify". There is nothing wrong with
downloading their public keys and using them to verify that all the
messages purporting to come from them are indeed signed with the same key
and so probably did come from the same person. However, you should not
sign someone's key unless you have met them, interviewed them, and examined
and verified their credentials.
--
John Hasler

--

GPG and Signing

On Sun, Apr 01, 2007 at 07:09:55PM -0500, John Hasler wrote:
> Michael Pobega writes:
> > Is it a bad practice to verify keyrings of people on the mailing list, or
> > is it better to wait until I meet up with some of them at say Debconf or
> > something similar?
>
> Depends on what you mean by "verify". There is nothing wrong with
> downloading their public keys and using them to verify that all the
> messages purporting to come from them are indeed signed with the same key
> and so probably did come from the same person. However, you should not
> sign someone's key unless you have met them, interviewed them, and examined
> and verified their credentials.
>

What exactly is signing a key, and how does it work?

I'd Google it...but I wouldn't know where to start.

GPG and Signing

On Sun, Apr 01, 2007 at 07:09:55PM -0500, John Hasler wrote:
> Michael Pobega writes:
> > Is it a bad practice to verify keyrings of people on the mailing list, or
> > is it better to wait until I meet up with some of them at say Debconf or
> > something similar?
>
> Depends on what you mean by "verify". There is nothing wrong with
> downloading their public keys and using them to verify that all the
> messages purporting to come from them are indeed signed with the same key
> and so probably did come from the same person. However, you should not
> sign someone's key unless you have met them, interviewed them, and examined
> and verified their credentials.
>

What exactly is signing a key, and how does it work?

I'd Google it...but I wouldn't know where to start.
----------------------------------------------------------------

While we're still on this, why do most of your (Debian-users-who-sign)
emails show up in OE with the signature and the email text as attachments?
It seems whether I use GPG or a Thawte cert, they still don't show up as
attachments. Are you doing something "special" to make them show up that
way, and I assume there's something desirable about doing it that way -
please tell me. Makes it hostile to REPLY TO, at least with OE. I suppose
the problem is with OE, but I'd still like to understand what's happening.
THANKS! - John

--

GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Apr 01, 2007 at 08:50:02PM -0400, John Fleming wrote:
> On Sun, Apr 01, 2007 at 07:09:55PM -0500, John Hasler wrote:
> >Michael Pobega writes:
> >> Is it a bad practice to verify keyrings of people on the mailing list, or
> >> is it better to wait until I meet up with some of them at say Debconf or
> >> something similar?
> >
> >Depends on what you mean by "verify". There is nothing wrong with
> >downloading their public keys and using them to verify that all the
> >messages purporting to come from them are indeed signed with the same key
> >and so probably did come from the same person. However, you should not
> >sign someone's key unless you have met them, interviewed them, and examined
> >and verified their credentials.
> >
>
> What exactly is signing a key, and how does it work?
>
> I'd Google it...but I wouldn't know where to start.
> ----------------------------------------------------------------
>
> While we're still on this, why do most of your (Debian-users-who-sign)
> emails show up in OE with the signature and the email text as attachments?
> It seems whether I use GPG or a Thawte cert, they still don't show up as
> attachments. Are you doing something "special" to make them show up that
> way, and I assume there's something desirable about doing it that way -
> please tell me. Makes it hostile to REPLY TO, at least with OE. I suppose
> the problem is with OE, but I'd still like to understand what's happening.
> THANKS! - John

There are 2 kinds of signatures: in-line and attachment. Most folks here
use attachment. I specify in-line, if the mailing list doesn't allow
attachments. IIRC there was one OE thing for handling digital
signatures, not that I've used OE in like 10 years...
- --
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal |mysite.verizon.net/kevin.mark/|
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
|join the new debian-community.org to help Debian! |
|_______ Unless I ask to be CCd, assume I am subscribed _______|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGEFShv8UcC1qRZVMRAkx7AJ0UKtrnBRc9qa2d2TWgfIeHsrvr/wCgglzg
g8Bs+KBN4IuVbCDXYfpVwQs=
=vT6p
-----END PGP SIGNATURE-----

--

GPG and Signing

"John Fleming" writes:

> While we're still on this, why do most of your (Debian-users-who-sign)
> emails show up in OE with the signature and the email text as
> attachments? It seems whether I use GPG or a Thawte cert, they still
> don't show up as attachments. Are you doing something "special" to
> make them show up that way, and I assume there's something desirable
> about doing it that way -
> please tell me. Makes it hostile to REPLY TO, at least with OE. I
> suppose the problem is with OE, but I'd still like to understand
> what's happening. THANKS! - John

The reason you and people who use OE see it as an attachment is
because MS is unable to implement an 11-year-old standard.
This page (http://www.imc.org/smime-pgpmime.html) has a discussion about
the different standards (PGP/MIME and S/MIME) and links to the different
RFCs.

--
John L. Fjellstad
web: http://www.fjellstad.org/ Quis custodiet ipsos custodes

--

RE: GPG and Signing

John L Fjellstad wrote on Tuesday, April 03, 2007 4:58 PM -0500:

> The reason you and people who use OE see it as an attachment is
> because MS is unable to implement an 11-year-old standard.
> This page (http://www.imc.org/smime-pgpmime.html) has a discussion
> about the different standards (PGP/MIME and S/MIME) and links to the
> different RFCs.

S/MIME was intended to work with a certification authority (CA) model
based on a small number of universally trusted root CA's, while PGP
assumed a distributed web of trust model based on personal relationships
between individual users. There's no technical reason a CA can't sign a
PGP key, but this was not the intended mode of use. I suggest the
problem wasn't MS's inability to implement PGP (it's no harder than
S/MIME), but more likely they couldn't see a way to make money from it.
Instead, they built native S/MIME support into their MUA's, built a
certificate store into their operating system and bought VeriSign.

--
Seth Goodman

--

GPG and Signing

"Seth Goodman" writes:

> S/MIME was intended to work with a certification authority (CA) model
> based on a small number of universally trusted root CA's, while PGP
> assumed a distributed web of trust model based on personal
> relationships between individual users. There's no technical reason a
> CA can't sign a PGP key, but this was not the intended mode of use. I
> suggest the problem wasn't MS's inability to implement PGP (it's no
> harder than S/MIME), but more likely they couldn't see a way to make
> money from it. Instead, they built native S/MIME support into their
> MUA's, built a certificate store into their operating system and
> bought VeriSign.

Couple of points. There are lots of stuff MS does that don't make them
money. Also, I don't believe they own VeriSign.

--
John L. Fjellstad
web: http://www.fjellstad.org/ Quis custodiet ipsos custodes

--

RE: GPG and Signing

John L Fjellstad wrote on Thursday, April 05, 2007 10:43 AM -0500:

> "Seth Goodman" writes:
>
> > Instead, they built
> > native S/MIME support into their MUA's, built a certificate store
> > into their operating system and bought VeriSign.
>
> Couple of points. There are lots of stuff MS does that don't make
> them money. Also, I don't believe they own VeriSign.

Like most other companies, MS certainly does things that don't earn a
profit. Also like other companies, they generally don't support
initiatives that get in the way of other plans. SSL created a market
for trusted certificates and CA's. More importantly, it enabled casual
web commerce, which was very important to the MS vision of a web
supported by advertising and sales of products. Web commerce was much
more likely to succeed with a small number of universally trusted CA's,
whose identities are distributed with the OS, than with the ad hoc trust
networks of individual end users.

S/MIME created a second opportunity to earn profits by issuing and
serving certificates for email. PGP end users asked their associates to
assure the association between their identity and their public keys and
published signed keys on free public servers, so there was little profit
potential. The two protocols also had different audiences. S/MIME
addressed the needs of institutions that would gladly pay for
certificates if end users would trust them, while PGP was for human
rights workers that needed secure encryption but had no money, or
technical end users that favored it for personal/political reasons. One
need not invoke any bad intentions to see why S/MIME was a rational
choice by MS.

On the ownership of VeriSign, MS and VeriSign have collaborated closely,
but MS does not appear to own them. I don't recall where I got that
idea and I apologize for the error.

--
Seth Goodman

--

RE: GPG and Signing

Michael Pobega wrote on Sunday, April 01, 2007 7:32 PM -0500:

> On Sun, Apr 01, 2007 at 07:09:55PM -0500, John Hasler wrote:
> > Michael Pobega writes:
> > > Is it a bad practice to verify keyrings of people on the mailing
> > > list, or is it better to wait until I meet up with some of them
> > > at say Debconf or something similar?
> >
> > Depends on what you mean by "verify". There is nothing wrong with
> > downloading their public keys and using them to verify that all the
> > messages purporting to come from them are indeed signed with the
> > same key and so probably did come from the same person. However,
> > you should not sign someone's key unless you have met them,
> > interviewed them, and examined and verified their credentials.
> >
>
> What exactly is signing a key, and how does it work?
>
> I'd Google it...but I wouldn't know where to start.

It's a long story, but here's an attempt to make it short ...

Public key cryptography has two keys: one public and one private. They
are created as a pair and work together. The fact that you can verify a
signature against a public key says that the person who signed the
message had the private key corresponding to the public key. It says
nothing about the identity of the person who created the signature.
Public key signatures are more like notary stamps or seals than hand
signatures. It says only that the person who signed the file possessed
the seal.

To help associate a public key with a personal identity, you have to
meet someone in person, check an identity document to match a picture to
their face. The person then gives you a piece of paper with a
"fingerprint" of their public key. You can go home and affix your
digital signature to their public key certifying that you are satisfied
they are who they claim. Your signature gets added to their public key
on the keyserver, so anyone who trusts you can have some trust that this
key belongs to the person who claims it. This is how keys inherit
trust. The more signatures on your public key, the more likely it is
that a random third party knows either someone who signed your key, or
knows someone who knows someone who signed your key, etc. As others
have pointed out, this is not a guarantee of identity, but it is good
enough for most purposes.

--
Seth Goodman
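
An added illustration of how keys "inherit trust" through signatures, as described in the message above (not part of the original post and not GnuPG's own code): a simplified model of the classic web-of-trust validity calculation. The key names and the signature graph are constructed, and the three thresholds mirror GnuPG's documented defaults for --completes-needed, --marginals-needed and --max-cert-depth.

```python
# Simplified web-of-trust model (illustrative, not GnuPG's implementation).
COMPLETES_NEEDED = 1  # signatures needed from fully trusted signers
MARGINALS_NEEDED = 3  # signatures needed from marginally trusted signers
MAX_CERT_DEPTH = 5    # longest signature chain that is followed


def valid_keys(my_key, signatures, ownertrust):
    """Return {key: chain_length} for every key I may treat as valid.

    signatures: list of (signer, signed_key) pairs found on the keyserver.
    ownertrust: {key: "full" | "marginal"}, my private opinion of how
                carefully that key's owner checks identity before signing.
    """
    depth = {my_key: 0}  # my own key is the root of every chain
    all_signed = {signed for _, signed in signatures}
    for level in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = {}
        for candidate in all_signed - set(depth):
            # Only signatures made by keys that are already valid count.
            signers = [s for s, k in signatures if k == candidate and s in depth]
            full = sum(1 for s in signers
                       if s == my_key or ownertrust.get(s) == "full")
            marginal = sum(1 for s in signers
                           if ownertrust.get(s) == "marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[candidate] = level
        if not newly_valid:
            break
        depth.update(newly_valid)
    return depth


# Constructed sample data: who signed whose key.
SIGNATURES = [
    ("me", "alice"), ("me", "carol"), ("me", "dave"),  # met in person
    ("alice", "bob"),                                  # one full signer
    ("bob", "erin"), ("carol", "erin"), ("dave", "erin"),  # three marginals
    ("bob", "mallory"),                                # one marginal only
    ("zed", "frank"),                                  # signer has no chain to me
]
OWNERTRUST = {"alice": "full", "bob": "marginal", "carol": "marginal",
              "dave": "marginal", "zed": "full"}

if __name__ == "__main__":
    for key, hops in sorted(valid_keys("me", SIGNATURES, OWNERTRUST).items(),
                            key=lambda item: item[1]):
        print(f"{key}: valid, chain length {hops}")
```

"mallory" and "frank" stay unvalidated: one marginal signature is below the threshold, and a signature from "zed" counts for nothing because no chain of signatures links zed's key back to mine, whatever trust I assign to its owner.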

--

GPG and Signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/01/07 20:59, Seth Goodman wrote:
[snip]
> trust. The more signatures on your public key, the more likely it is
> that a random third party knows either someone who signed your key, or
> knows someone who knows someone who signed your key, etc. As others

Kinda like "6 degrees of separation".

- --
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGEIMnS9HxQb37XmcRAjhYAKC5VvfjjBKOmF0FggT3jsy1L0dL4gCgnPWy
40xN11DIjpvvcOwca3jJGgA=
=K7X1
-----END PGP SIGNATURE-----

--
