problems with trusting in key --recipient or --default-recipient

Leigh S. Jones kr6x@kr6x.com
Wed Jun 5 14:09:03 2002


GnuPG will give you those kinds of warnings because it wants
you to be aware that the mechanisms built into it are not sure
that the key actually belongs to the intended recipient.  Webs
of trust are important to the assurance that your encrypted
messages will not be decrypted by someone that you did
not intend to see the message.  Without this safeguard it
would be possible for someone to simply add a key with the
recipients name on it to your keyring and you might never
know it happened.

When you are certain that the public key belongs to a given
individual, as is the case when he hand delivers the key
to you, then you should sign the key after adding it to your
keyring.  Perhaps it will be helpful if you return the signed
key to this person.

Otherwise, it is possible to "edit" the key to add trust to
the key.  Unless it is your own key don't make it ultimately
trusted, choose a lower level of trust.  If you trust the key
marginally then gpg will not give you these warnings.

----- Original Message -----
From: <akorthaus@web.de>
To: <gnupg-users@gnupg.org>
Sent: Wednesday, June 05, 2002 3:10 AM
Subject: problems with trusting in key --recipient
or --default-recipient


> Hallo!
>
> For my first question the answer was really easy, but the second one
seems
> to be more difficult.
>
>
> > I'll leave your second question to others who know more about the
key
> > trust. I think it has to do with something about setting ultimate
trust
> > on your own key, but I'm not sure.
>
> > For the solution to your first question, are you ready for the
ultimate
> > forehead slapper?
> >
> >
> > mysqldump database | gzip | gpg --homedir /www/.gnupg -o
> >    output.gz.pgp -e --default-recipient andreas
>
> perhaps someone knows why the following problem occours, if I
> choose --recipient instead of --default-recipient(which Ive never
chosen
> somewhere, I have just tried out:-)) With --default-recipient
everything
> works without any problem, but is it correct? Because there will be
a reason
> for the following dialog in the commadnd-line, if I just
take --recipient:
>
> > >2. I did not write --recipient, but --default-recipient. I only
did so,
> > >because if I only write --recipient, there is asked:
>
> >>>gpg: Warning: using insecure memory!
> >>>Could not find a valid trust path to the key.  Let's see whether
we
> >>>can assign some missing owner trust values.
>
> >>>No path leading to one of our keys found.
>
> >>>1024g/DFF7F6EF 2002-06-03 "andreas <akorthaus@web.de>"
> >>>            Fingerprint: 0776 4804 3333 321E E4B4  366E 3ABA 3411
DFF7
> FFE7
>
> >>>It is NOT certain that the key belongs to its owner.
> >>>If you *really* know what you are doing, you may answer
> >>>the next question with yes
>
> >>>Use this key anyway?
>
> > >If I answer 'yes', everything is OK and works perfectly. Is it
correct to
> use --default-recipient, or should I
> > >worry about this? The problem is, that I will not use this in
> command-line later on, but from a PHP-Script!
>
>
> -- Andreas
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users