Verifying signatures via WWW interface
Leigh S. Jones, KR6X
Tue May 14 01:29:01 2002
Here are two options listed in the gpg.man file that might
be of some use to you.

  --trusted-key long key ID
        Assume that the specified key (which must be given as a
        full 8 byte key ID) is as trustworthy as one of your own
        secret keys. This option is useful if you don't want to
        keep your secret keys (or one of them) online but still
        want to be able to check the validity of a given
        recipient's or signator's key.

        Skip key validation and assume that used keys are always
        fully trusted. You won't use this unless you have
        installed some external valida
----- Original Message -----
From: "Toxik - Fabian Rodriguez" <Fabian.Rodriguez@Toxik.com>
Sent: Monday, May 13, 2002 15:46
Subject: RE: Verifying signatures via WWW interface
> Hi Bernd, all,
> I am changing this to gnupg-users, I think it's more on-topic there. What
> I am trying to do is create a minimal installation to verify messages via
> using gpg. Somebody mentioned trusting the server... this would happen
> over SSL, but the goal is not to keep the information secret/private, but
> to verify a signature (date, author, integrity of content).
> Bernd, I understand what you say and I still get the same warnings.
> I am storing 2 public keys in a key ring, and both are fully trusted:
> - Key A, signed by B and C
> - Key B, signed by A and C
> Note these were signed on another system, before importing to this one. If
> I use gpg --verify and input a signed text from A, I would expect this to
> be OK since I set trust to full on Key B.
> However, gpg tells me:
> gpg: Signature made Mon 13 May 2002 06:33:47 PM EDT using DSA key ID
> gpg: Good signature from "Fabian Rodriguez <email@example.com>"
> gpg: aka "Fabian Rodriguez <Fabian@toxik.com>"
> gpg: aka "Fabian Rodriguez <ICQ:1485512>"
> Could not find a valid trust path to the key. Let's see whether we
> can assign some missing owner trust values.
> No path leading to one of our keys found.
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> gpg: Fingerprint: CBEA CB12 43B7 1CC9 711E 49CD 7D47 135C 5AF2 A4D5
> I would appreciate any ideas, I will report back here.
> Thank you,
> Fabian Rodriguez - Toxik Technologies, Inc.
> www.toxik.com . (514) 528-6945 @221
> OpenPGP: 0x5AF2A4D5
> > -----Original Message-----
> > From: Bernd Eckenfels [mailto:firstname.lastname@example.org]On Behalf Of Bernd
> > Eckenfels
> > Sent: Monday, May 13, 2002 6:25 PM
> > To: Toxik - Fabian Rodriguez
> > Cc: email@example.com
> > Subject: Re: Verifying signatures via WWW interface
> > On Mon, May 13, 2002 at 05:22:01PM -0400, Toxik - Fabian Rodriguez
> > > Of course, we don't want to store a private key for this particular
> > > application, what would be required to have a trust path ? The
> > > local keyring only has public keys in this example.
> > You can either ignore the message or lsign all your keys in the
> > keyring with a "trusted" key. You do not need to store the trusted key
> > on the system; you can mark a public key as trusted. This is used like
> > this:
> > a) user sends you key, you verify it and sign it
> > b) you store the signed key on an automatic signature checking device.
> > In order to avoid having to store your signature generating key on
> > that device you just place the public key there and mark it trusted.
> > This has the advantage (over blindly trusting all keys in the keyring)
> > that adding keys to the keyring is not a privileged application and
> > does not need a trusted channel to the verifier.
> > Hope this is clear. I use this for a B2Bi Server which is able to check
> > incoming messages from trading partners and decides if they are known,
> > based on an "accept" lsign from operating staff. This even works with a
> > keyserver.
> > Greetings
> > Bernd
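The setup Bernd describes (staff lsign a partner key, only public keys on the verifier) combined with Leigh's --trusted-key option, as an added example that is not code from anyone in this thread. It also shows why Fabian's keyring still warns: giving Key B "full" ownertrust says how much you trust B to certify others, but B itself is only valid if a certification path from an ultimately trusted key reaches it, and a keyring with no secret keys has no such root until --trusted-key supplies one. The script assumes GnuPG 2.1 or newer (it uses --quick-generate-key, --quick-lsign-key, the export-local-sigs/import-local-sigs options and --status-fd); the user IDs, the message text and the throwaway directories are constructed for the demo. It goes one step beyond the thread by reading the machine-readable TRUST_* status token instead of eyeballing the WARNING text.

```shell
#!/bin/sh
# Added example (not code from the thread): a throwaway GnuPG setup that plays
# out Bernd's two steps and Leigh's --trusted-key option end to end. Needs
# GnuPG 2.1 or newer (for --quick-generate-key / --quick-lsign-key). The
# user IDs, the message text and the directory layout are constructed here.
set -e

# Run gpg against a given home in batch mode with an empty passphrase.
g() {  # $1 = GNUPGHOME, remaining arguments = gpg options and command
  _home=$1; shift
  GNUPGHOME="$_home" gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Create an isolated GNUPGHOME whose agent accepts the loopback pinentry used above.
new_home() {
  _h=$(mktemp -d)
  echo allow-loopback-pinentry > "$_h/gpg-agent.conf"
  echo "$_h"
}

# Fingerprint of the first (and only) primary key in a home.
fpr_of() {
  g "$1" --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }'
}

# Verify msg.sig over msg and print the TRUST_* status token that gpg assigns
# to the signing key (TRUST_UNDEFINED, TRUST_MARGINAL, TRUST_FULLY, ...).
# Reading --status-fd is the robust way to check this; grepping the
# human-readable WARNING text is locale dependent.
trust_of() {  # $1 = GNUPGHOME, $2 = dir with msg and msg.sig, rest = extra gpg options
  _home=$1; _dir=$2; shift 2
  g "$_home" --status-fd 1 "$@" --verify "$_dir/msg.sig" "$_dir/msg" 2>/dev/null \
    | awk '/^\[GNUPG:\] TRUST_/ { print $2; exit }'
}

# Returns 0 when the verifier reports TRUST_UNDEFINED without --trusted-key and
# TRUST_FULLY with it; prints SKIP and returns 0 when a suitable gpg is missing.
demo_lsign_trusted_key() {
  if ! command -v gpg >/dev/null 2>&1 \
     || ! gpg --dump-options 2>/dev/null | grep -q '^--quick-generate-key$'; then
    echo "SKIP: GnuPG 2.1+ not available"; return 0
  fi
  staff=$(new_home); partner=$(new_home); verifier=$(new_home); work=$(mktemp -d)

  # Step a): operating staff and the trading partner each hold their own key pair.
  g "$staff"   --quick-generate-key 'Ops Staff <ops@example.invalid>'
  g "$partner" --quick-generate-key 'Trading Partner <partner@example.invalid>'
  staff_fpr=$(fpr_of "$staff"); partner_fpr=$(fpr_of "$partner")

  # Staff receives the partner's public key, checks it out of band, and lsigns
  # it ("accept"). The staff secret key never leaves the staff workstation.
  g "$partner" --export "$partner_fpr" | g "$staff" --import
  g "$staff" --quick-lsign-key "$partner_fpr"

  # Step b): only public keys go to the verifier. An lsig is non-exportable by
  # default, so it has to be carried across explicitly.
  g "$staff" --export "$staff_fpr" | g "$verifier" --import
  g "$staff" --export --export-options export-local-sigs "$partner_fpr" \
    | g "$verifier" --import --import-options import-local-sigs

  # The partner signs a message and the verifier checks it.
  printf 'PO-1001: 40 units, deliver Friday\n' > "$work/msg"
  g "$partner" --detach-sign --output "$work/msg.sig" "$work/msg"

  staff_keyid=$(printf '%s' "$staff_fpr" | tail -c 16)   # --trusted-key takes the long key ID
  without=$(trust_of "$verifier" "$work")
  with=$(trust_of "$verifier" "$work" --trusted-key "$staff_keyid")
  echo "without --trusted-key: $without; with --trusted-key: $with"

  for h in "$staff" "$partner" "$verifier"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$staff" "$partner" "$verifier" "$work"
  [ "$without" = TRUST_UNDEFINED ] && [ "$with" = TRUST_FULLY ]
}

demo_lsign_trusted_key
```

Two points worth keeping in mind when copying the pattern to a real verifier. The lsig is deliberately non-exportable, which is what keeps a stray export from advertising staff's "accept" decisions to the world, so moving it to the verifier needs export-local-sigs on the way out and import-local-sigs on the way in. And on the verifier itself, --trusted-key belongs in gpg.conf rather than on each command line, so that every automatic --verify runs with the same root of trust.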