Devon & Cornwall Linux Users' Group


Re: [LUG] GPG confusion



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 24 Jun 2002 9:55 pm, Theo Zourzouvillys wrote:

make sure you sign it, too. if you want to know my fingerprint - it's:

Would I have to export my public key again after signing your key? If so, does 
the new key keep the same key ID?

How does me signing your key affect your key? I've imported keys from people 
whose keys have been signed by other members of my public ring and the 
signature shows up in their imported key, even if I haven't imported the key 
from the people who have actually signed the key. I can't see how this works:

When I import the key for A, I can see that it has been signed twice, once by 
someone already in my public ring, B. The other signature just gives the key 
ID [unknown user]. So B has signed A's key but A's key appears to have 
changed (otherwise I couldn't see the two signatures). How? B has signed A's 
key on his own computer - remote from A's computer, does the keyserver act as 
an intermediary??? How can A's key be changed from B's computer?

If I import a key, C, from a text file on a website rather than from the 
keyserver, would I miss out on signature data? (e.g. if B has also signed C's 
key, how can that information be included in the exported ASCII public key 
for C?)

(BTW: Is there a problem with your fingerprint being available to anyone via 
the DCLUG website?)

How carefully have you verified the key you are about to sign actually
belongs to the person named above?  If you don't know what to answer, enter
"0".

   (0) I will not answer. (default)
   (1) I have not checked at all.

More info please:
If you haven't checked it at all, is signing it worthwhile? Does that dilute 
the trust?

Please decide how far you trust this user to correctly
verify other users' keys (by looking at passports,
checking fingerprints from different sources...)?

Is there any way of knowing how carefully someone has checked a key they have 
signed when signing/importing their key? (I don't want to trust other keys of 
people signed by someone who hasn't checked what they are signing!)

- -- 

Neil Williams
==========
www.codehelp.co.uk
www.dclug.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9H4ERk7DVr6iX/QIRAsMzAJ49pdwKCRqtULr695gkxHjMGY+GFwCcCUqa
yboSJc0C/BkAyhLG/cIyGIM=
=O8CS
-----END PGP SIGNATURE-----
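Added example for the archive (not part of Neil's message and not GnuPG's own code): a small OpenPGP (RFC 4880) packet builder and parser in Python that shows the mechanics the questions above turn on. A certification is a signature packet appended to the signed key's packet sequence, so it travels with the key whether you fetch it from a keyserver or paste an ASCII-armored export from a web page; the key ID is computed from the key packet alone, so signing a key never changes its ID; a signer whose key you have not imported shows as `[unknown user]`; and the answer to GnuPG's "how carefully have you verified" question is recorded in the signature type (0x10 to 0x13), which `gpg --list-sigs` shows as `sig`, `sig 1`, `sig 2` and `sig 3`. All names, key IDs and key material are constructed placeholders, and the signature values are dummies, so nothing here is cryptographically verified.

```python
# Added example, not from the original post nor GnuPG's code; all key material is constructed.
import base64
import hashlib
import struct

ARMOR_HEAD = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_TAIL = "-----END PGP PUBLIC KEY BLOCK-----"
# GnuPG stores the signer's "how carefully have you verified" answer (0..3) as
# the certification type 0x10..0x13; `gpg --list-sigs` shows it as sig/sig 1/2/3.
CERT_LEVELS = {0x10: "generic (0)", 0x11: "persona, not checked (1)",
               0x12: "casual (2)", 0x13: "positive (3)"}

def new_packet(tag, body):
    """New-format packet header with a one- or two-octet length (body < 8384 bytes)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, 192 + ((n - 192) >> 8), (n - 192) & 0xFF]) + body

def mpi(value):  # multi-precision integer: 2-byte bit count, then big-endian bytes
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def public_key_packet(created, modulus, exponent=65537):  # tag 6, v4 RSA key
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(modulus) + mpi(exponent)

def key_id(pubkey_body):
    """Low 64 bits of the v4 fingerprint, SHA-1 over 0x99 || 2-byte length || key
    packet body. Only the key packet is hashed, so added signatures never change it."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).hexdigest().upper()[-16:]

def certification_packet(sig_type, issuer_keyid_hex, created):
    """Tag 2, v4 signature over a user ID; the hash prefix and MPI are dummies."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)            # subpacket 2: creation time
    unhashed = bytes([9, 16]) + bytes.fromhex(issuer_keyid_hex)    # subpacket 16: issuer key ID
    return (b"\x04" + bytes([sig_type, 1, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + mpi(1))

def crc24(data):  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(raw):  # what `gpg --export --armor` wraps around the packets
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_HEAD, "Version: constructed-example", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)] + ["=" + crc, ARMOR_TAIL])

def dearmor(text):  # reverse of armor(); a corrupted copy fails the CRC
    lines = text.splitlines()
    body = lines[lines.index("") + 1:lines.index(ARMOR_TAIL)]
    raw = base64.b64decode("".join(body[:-1]))
    if crc24(raw).to_bytes(3, "big") != base64.b64decode(body[-1][1:]):
        raise ValueError("armor CRC mismatch")
    return raw

def parse_packets(raw):  # -> [(tag, body)], new-format headers only
    i, out = 0, []
    while i < len(raw):
        if raw[i] & 0xC0 != 0xC0:
            raise ValueError("old-format header not handled in this example")
        tag = raw[i] & 0x3F
        if raw[i + 1] < 192:
            n, i = raw[i + 1], i + 2
        else:
            n, i = ((raw[i + 1] - 192) << 8) + raw[i + 2] + 192, i + 3
        out.append((tag, raw[i:i + n]))
        i += n
    return out

def list_sigs(raw, keyring):
    """Mimic `gpg --list-sigs`: (issuer key ID, signer from our keyring or [unknown user], level)."""
    sigs = []
    for tag, body in parse_packets(raw):
        if tag != 2 or body[0] != 4:
            continue
        pos = 6 + struct.unpack(">H", body[4:6])[0]                 # skip hashed subpackets
        sub = body[pos + 2:pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]]
        issuer, j = None, 0
        while j < len(sub):                                         # walk unhashed subpackets
            if sub[j + 1] == 16:
                issuer = sub[j + 2:j + 1 + sub[j]].hex().upper()
            j += 1 + sub[j]
        sigs.append((issuer, keyring.get(issuer, "[unknown user]"), CERT_LEVELS.get(body[1], hex(body[1]))))
    return sigs

def demo():
    """A's key as a keyserver or web page serves it: key, user ID, A's self-signature,
    B's certification (B is in our keyring) and one by X, whom we never imported."""
    a_pub = public_key_packet(1024000000, int.from_bytes(b"constructed-key-A" * 8, "big") | 1)
    b_pub = public_key_packet(1024000001, int.from_bytes(b"constructed-key-B" * 8, "big") | 1)
    keyring = {key_id(a_pub): "A <a@example.invalid>", key_id(b_pub): "B <b@example.invalid>"}
    packets = [new_packet(6, a_pub), new_packet(13, b"A <a@example.invalid>"),
               new_packet(2, certification_packet(0x13, key_id(a_pub), 1024000002)),
               new_packet(2, certification_packet(0x12, key_id(b_pub), 1024000003)),
               new_packet(2, certification_packet(0x10, "0123456789ABCDEF", 1024000004))]  # X: constructed ID
    raw = dearmor(armor(b"".join(packets)))                         # export to text, import it again
    imported = [body for tag, body in parse_packets(raw) if tag == 6][0]
    return {"key_id": key_id(a_pub), "key_id_after": key_id(imported), "sigs": list_sigs(raw, keyring)}
```

Run `demo()` and the three certifications come back in packet order with A and B resolved from the local keyring and X listed as `[unknown user]`, while the key ID before export and after re-import is identical. The same packet model explains the "remote signing" puzzle: when B signs A's key, the new signature packet exists only in B's keyring until B exports the key or sends it to a keyserver, which merges the packets; nothing on A's machine is touched. A real implementation would verify each signature's MPIs against the issuer's public key before trusting it, which this example deliberately leaves out.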


--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.

