Verifying signatures via WWW interface
Toxik - Fabian Rodriguez
Tue May 14 00:48:02 2002
Hi Bernd, all,
I am changing this to gnupg-users; I think it's more on-topic there. What I
am trying to do is create a minimal installation to verify messages via WWW,
using gpg. Somebody mentioned trusting the server... this would happen over
SSL, but the goal is not to keep the information secret/private, but to
verify a signature (date, author, integrity of content).
Bernd, I understand what you say and I still get the same warnings.
I am storing 2 public keys in a key ring, and both are fully trusted:
- Key A, signed by B and C
- Key B, signed by A and C
Note these were signed on another system, before importing to this one. If I
use gpg --verify and input a signed text from A, I would expect this to be
OK since I set trust to full on Key B.
However, gpg tells me:
gpg: Signature made Mon 13 May 2002 06:33:47 PM EDT using DSA key ID
gpg: Good signature from "Fabian Rodriguez <email@example.com>"
gpg: aka "Fabian Rodriguez <Fabian@toxik.com>"
gpg: aka "Fabian Rodriguez <ICQ:1485512>"
Could not find a valid trust path to the key. Let's see whether we
can assign some missing owner trust values.
No path leading to one of our keys found.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
gpg: Fingerprint: CBEA CB12 43B7 1CC9 711E 49CD 7D47 135C 5AF2 A4D5
I would appreciate any ideas; I will report back here.
Fabian Rodriguez - Toxik Technologies, Inc.
www.toxik.com . (514) 528-6945 @221
> -----Original Message-----
> From: Bernd Eckenfels [mailto:firstname.lastname@example.org]On Behalf Of Bernd
> Sent: Monday, May 13, 2002 6:25 PM
> To: Toxik - Fabian Rodriguez
> Cc: email@example.com
> Subject: Re: Verifying signatures via WWW interface
> On Mon, May 13, 2002 at 05:22:01PM -0400, Toxik - Fabian Rodriguez wrote:
> > Of course, we don't want to store a private key for this particular
> > application, what would be required to have a trust path ? The local keyring
> > only has public keys in this example.
> You can either ignore the message or lsign all your keys in the keyring with
> a "trusted" key. You do not need to store the trusted key on the system, you
> can mark a public key as trusted. This is used like this:
> a) user sends you a key, you verify it and sign it
> b) you store the signed key on an automatic signature checking device. In
> order to avoid having to store your signature generating key on that device
> you just place the public key there and mark it trusted. This has the
> advantage (over blindly trusting all keys in the keyring) that adding keys to
> the keyring is not a privileged application and does not need a trusted
> channel to the verifier.
> Hope this is clear, I use this for a B2Bi Server which is able to check
> incoming messages from trading partners and decides if they are known, based
> on an "accept" lsign from operating staff. This even works with a
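An added example, not part of this thread and not GnuPG's own code: a simplified model of the classic web-of-trust validity computation gpg applies when it looks for a trust path. It shows why two keys whose owner trust is "full" still produce "No path leading to one of our keys found" when nothing in the keyring is ultimately trusted, and how Bernd's approach (import only the public half of an "accept" key, mark it trusted, and have it lsign the partner keys) changes the result. The key names A, B, C and ACCEPT are placeholders for the keys in the thread; the thresholds are gpg's documented defaults.

```python
# Added example (not GnuPG code): simplified model of the classic web-of-trust
# validity computation. Keys A, B, C, ACCEPT stand in for the thread's keys.

MARGINALS_NEEDED = 3   # gpg default (--marginals-needed)
COMPLETES_NEEDED = 1   # gpg default (--completes-needed)
MAX_CERT_DEPTH = 5     # gpg default (--max-cert-depth)

def compute_validity(keyring, certs, ownertrust):
    """Return {key: bool} telling whether each key in the keyring is valid.
    keyring    - set of key ids present in the public keyring
    certs      - {key: set of signer key ids} certifications (sig/lsign) on key
    ownertrust - {key: 'ultimate'|'full'|'marginal'|'never'|'unknown'}
    Owner trust ("full" on B) is not validity: a key is valid only if it is
    ultimately trusted itself, or certified by enough already-valid keys whose
    owners are trusted (one "full"/"ultimate" signer, or three "marginal").
    """
    valid = {k for k in keyring if ownertrust.get(k) == "ultimate"}
    for _ in range(MAX_CERT_DEPTH):
        gained = set()
        for key in keyring - valid:
            full = marginal = 0
            for signer in certs.get(key, ()):
                if signer not in valid:      # absent or not-yet-valid certifier
                    continue                 # counts for nothing, whatever its trust
                level = ownertrust.get(signer, "unknown")
                if level in ("full", "ultimate"):
                    full += 1
                elif level == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                gained.add(key)
        if not gained:
            break
        valid |= gained
    return {k: k in valid for k in keyring}

# Fabian's keyring: A and B imported and both marked "full"; C signed them but
# C's key is absent, and nothing is ultimately trusted -> no path, warning.
FABIAN = dict(keyring={"A", "B"},
              certs={"A": {"B", "C"}, "B": {"A", "C"}},
              ownertrust={"A": "full", "B": "full"})

# Bernd's setup: only the public half of the staff's ACCEPT key is imported and
# marked ultimate (no private key on the verifier); it has lsigned A and B.
BERND = dict(keyring={"A", "B", "ACCEPT"},
             certs={"A": {"B", "C", "ACCEPT"}, "B": {"A", "C", "ACCEPT"}},
             ownertrust={"ACCEPT": "ultimate"})

if __name__ == "__main__":
    print("Fabian:", compute_validity(**FABIAN))  # {'A': False, 'B': False}
    print("Bernd: ", compute_validity(**BERND))   # every key True
```

Marking the public key B itself as ultimate on the verifier (Bernd's "mark a public key as trusted") has the same effect for A in Fabian's keyring, since A carries B's certification.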