Verifying signatures via WWW interface

Toxik - Fabian Rodriguez Fabian.Rodriguez@Toxik.com
Tue May 14 00:48:02 2002


Hi Bernd, all,

I am changing this to gnupg-users, I think it's more on-topic there. What I
am trying to do is create a minimal installation to verify messages via WWW,
using gpg. Somebody mentioned trusting the server... this would happen over
SSL, but the goal is not to keep the information secret/private, but to
verify a signature (date, author, integrity of content).

Bernd, I understand what you say and I still get the same warnings.

I am storing 2 public keys in a keyring, and both are fully trusted:
- Key A, signed by B and C
- Key B, signed by A and C

Note these were signed on another system, before importing to this one. If I
use gpg --verify and input a signed text from A, I would expect this to be
OK since I set trust to full on Key B.

However, gpg tells me:

gpg: Signature made Mon 13 May 2002 06:33:47 PM EDT using DSA key ID 5AF2A4D5
gpg: Good signature from "Fabian Rodriguez <fabian.rodriguez@toxik.com>"
gpg:                 aka "Fabian Rodriguez <Fabian@toxik.com>"
gpg:                 aka "Fabian Rodriguez <ICQ:1485512>"
Could not find a valid trust path to the key.  Let's see whether we
can assign some missing owner trust values.

No path leading to one of our keys found.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
gpg: Fingerprint: CBEA CB12 43B7 1CC9 711E  49CD 7D47 135C 5AF2 A4D5

I would appreciate any ideas, I will report back here.

Thank you,

Fabian Rodriguez - Toxik Technologies, Inc.
www.toxik.com . (514) 528-6945 @221
OpenPGP: 0x5AF2A4D5

> -----Original Message-----
> From: Bernd Eckenfels [mailto:ecki@lina.inka.de] On Behalf Of Bernd Eckenfels
> Sent: Monday, May 13, 2002 6:25 PM
> To: Toxik - Fabian Rodriguez
> Cc: gnupg-devel@gnupg.org
> Subject: Re: Verifying signatures via WWW interface
>
>
> On Mon, May 13, 2002 at 05:22:01PM -0400, Toxik - Fabian Rodriguez wrote:
> > Of course, we don't want to store a private key for this particular
> > application; what would be required to have a trust path? The local
> > keyring only has public keys in this example.
>
> You can either ignore the message or lsign all your keys in the keyring
> with a "trusted" key. You do not need to store the trusted key on the
> system; you can mark a public key as trusted. This is used like this:
>
> a) user sends you a key, you verify it and sign it
> b) you store the signed key on an automatic signature-checking device. In
> order to avoid having to store your signature-generating key on that
> device you just place the public key there and mark it trusted. This has
> the advantage (over blindly trusting all keys in the keyring) that adding
> keys to the keyring is not a privileged application and does not need a
> trusted channel to the verifier.
>
> Hope this is clear. I use this for a B2Bi server which is able to check
> incoming messages from trading partners and decides if they are known,
> based on an "accept" lsign from operating staff. This even works with a
> keyserver.
>
> Greetings
> Bernd
>
>
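Added example (editor's code, not from this thread and not GnuPG's own): a checker for the verifying web service that reads gpg's machine-readable status output (`--status-fd`) instead of the human-readable warning quoted above. "Good signature" by itself only means the signature matches a key in the keyring; whether gpg considers that key valid for the claimed owner is reported separately on a TRUST_* line, and the warning Fabian sees is the TRUST_UNDEFINED case. The key ID and fingerprint in the constructed sample lines are the ones from the message; the timestamps and the field layout of the VALIDSIG line are assumed from current GnuPG's status format, and the sample lines were not produced by running gpg.

```python
"""Decide, from gpg --status-fd output, whether a web verification service
should accept a signature.  Typical invocation on the server (assumed):

    gpg --batch --status-fd 1 --verify message.asc message.txt

Only the status lines (prefix "[GNUPG:] ") are parsed; the human-readable
text on stderr is ignored.  Sample status texts below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Set

STATUS_PREFIX = "[GNUPG:] "

# Validity levels of the signing key that the service accepts.
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Status tags that reject the message regardless of key validity.
FATAL_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG",
              "EXPSIG", "NODATA"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None
    trust: Optional[str] = None


def parse_status(status_text):
    """Collect the fields a verdict needs; unrelated status lines are skipped."""
    info = {"goodsig": None, "fingerprint": None, "trust": None, "fatal": []}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag = fields[0]
        if tag == "GOODSIG" and len(fields) > 1:
            info["goodsig"] = fields[1]        # long key ID of the signing key
        elif tag == "VALIDSIG" and len(fields) > 1:
            info["fingerprint"] = fields[1]    # full fingerprint: pin on this,
                                               # never on a 32-bit key ID
        elif tag.startswith("TRUST_"):
            info["trust"] = tag                # validity gpg assigns to the key
        elif tag in FATAL_TAGS:
            info["fatal"].append(tag)
    return info


def verdict(status_text, allowed_fingerprints: Optional[Set[str]] = None) -> Verdict:
    """Accept only a good signature from a key gpg reports as fully or
    ultimately valid, optionally restricted to an allow-list of fingerprints."""
    info = parse_status(status_text)
    if info["fatal"]:
        return Verdict(False, "gpg reported " + ", ".join(info["fatal"]))
    if info["goodsig"] is None:
        return Verdict(False, "no GOODSIG line")
    fpr = info["fingerprint"]
    if fpr is None:
        return Verdict(False, "no VALIDSIG line, cannot identify the signing key")
    trust = info["trust"]
    if allowed_fingerprints is not None and fpr not in allowed_fingerprints:
        return Verdict(False, "signing key is not on the allow-list", fpr, trust)
    if trust not in ACCEPTED_TRUST:
        # Status-line form of "WARNING: This key is not certified with a
        # trusted signature!" seen in the thread.
        return Verdict(False, "signing key is not valid (%s)" % trust, fpr, trust)
    return Verdict(True, "good signature from a valid key", fpr, trust)


FINGERPRINT = "CBEACB1243B71CC9711E49CD7D47135C5AF2A4D5"   # from the message

# Constructed: the situation in the thread -- the signature checks out, but
# gpg has no valid path to the key, so the key's validity is undefined.
STATUS_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7D47135C5AF2A4D5 Fabian Rodriguez <fabian.rodriguez@toxik.com>
[GNUPG:] VALIDSIG CBEACB1243B71CC9711E49CD7D47135C5AF2A4D5 2002-05-13 1021329227 0 4 0 17 2 00 CBEACB1243B71CC9711E49CD7D47135C5AF2A4D5
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: the same signature once the verifier's keyring holds an
# ultimately trusted key (here the signing key itself).
STATUS_TRUSTED = STATUS_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_ULTIMATE")

# Constructed: content altered after signing, same key.
STATUS_BADSIG = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7D47135C5AF2A4D5 Fabian Rodriguez <fabian.rodriguez@toxik.com>
"""

if __name__ == "__main__":
    for name, text in (("untrusted", STATUS_UNTRUSTED),
                       ("trusted", STATUS_TRUSTED),
                       ("badsig", STATUS_BADSIG)):
        v = verdict(text, allowed_fingerprints={FINGERPRINT})
        print(name, v.ok, v.reason)
```

The behaviour Fabian reports follows from GnuPG's validity rule, not from a misconfiguration of the two ownertrust values: ownertrust assigned to Key B only counts once B itself is valid, and a key becomes valid only through a signature from a key that is already valid, so a keyring with no ultimately trusted key contains no valid keys and every verification ends in TRUST_UNDEFINED. With current GnuPG the public key that Bernd's staff use for the "accept" lsign can be made ultimately trusted on the verifier without its secret key, for example by feeding a line of the form `<fingerprint>:6:` to `gpg --import-ownertrust` or by passing `--trusted-key <long key ID>`; keys carrying its signature then verify as TRUST_FULLY, provided the local signatures were exported with `--export-options export-local-sigs` and imported with `--import-options import-local-sigs`.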