Verifying signatures via WWW interface

Leigh S. Jones, KR6X kr6x@kr6x.com
Tue May 14 01:29:01 2002


Here are two options listed in the gpg.man file that might
be of some use to you.

--trusted-key long key ID
                 Assume that the specified key (which must be given as
                 a full 8 byte key ID) is as trustworthy as one of your
                 own secret keys. This option is useful if you don't
                 want to keep your secret keys (or one of them) online
                 but still want to be able to check the validity of a
                 given recipient's or signator's key.
--always-trust
                 Skip key validation and assume that used keys are
                 always fully trusted. You won't use this unless you
                 have installed some external validation scheme.

----- Original Message -----
From: "Toxik - Fabian Rodriguez" <Fabian.Rodriguez@Toxik.com>
To: <gnupg-users@gnupg.org>
Sent: Monday, May 13, 2002 15:46
Subject: RE: Verifying signatures via WWW interface


>
> Hi Bernd, all,
>
> I am changing this to gnupg-users, I think it's more on-topic there. What I
> am trying to do is create a minimal installation to verify messages via WWW,
> using gpg. Somebody mentioned trusting the server... this would happen over
> SSL, but the goal is not to keep the information secret/private, but to
> verify a signature (date, author, integrity of content).
>
> Bernd, I understand what you say and I still get the same warnings.
>
> I am storing 2 public keys in a key ring, and both are fully trusted:
> - Key A, signed by B and C
> - Key B, signed by A and C
>
> Note these were signed on another system, before importing to this one. If I
> use gpg --verify and input a signed text from A, I would expect this to be
> OK since I set trust to full on Key B.
>
> However, gpg tells me:
>
> gpg: Signature made Mon 13 May 2002 06:33:47 PM EDT using DSA key ID 5AF2A4D5
> gpg: Good signature from "Fabian Rodriguez <fabian.rodriguez@toxik.com>"
> gpg:                 aka "Fabian Rodriguez <Fabian@toxik.com>"
> gpg:                 aka "Fabian Rodriguez <ICQ:1485512>"
> Could not find a valid trust path to the key.  Let's see whether we
> can assign some missing owner trust values.
>
> No path leading to one of our keys found.
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> gpg: Fingerprint: CBEA CB12 43B7 1CC9 711E  49CD 7D47 135C 5AF2 A4D5
>
> I would appreciate any ideas, I will report back here.
>
> Thank you,
>
> Fabian Rodriguez - Toxik Technologies, Inc.
> www.toxik.com . (514) 528-6945 @221
> OpenPGP: 0x5AF2A4D5
>
> > -----Original Message-----
> > From: Bernd Eckenfels [mailto:ecki@lina.inka.de]On Behalf Of Bernd
> > Eckenfels
> > Sent: Monday, May 13, 2002 6:25 PM
> > To: Toxik - Fabian Rodriguez
> > Cc: gnupg-devel@gnupg.org
> > Subject: Re: Verifying signatures via WWW interface
> >
> >
> > On Mon, May 13, 2002 at 05:22:01PM -0400, Toxik - Fabian Rodriguez wrote:
> > > Of course, we don't want to store a private key for this particular
> > > application, what would be required to have a trust path ? The local keyring
> > > only has public keys in this example.
> >
> > You can either ignore the message or lsign all your keys in the keyring with
> > a "trusted" key. You do not need to store the trusted key on the system; you
> > can mark a public key as trusted. This is used like this:
> >
> > a) user sends you a key, you verify it and sign it
> > b) you store the signed key on an automatic signature checking device. In
> > order to avoid having to store your signature generating key on that device
> > you just place the public key there and mark it trusted. This has the
> > advantage (over blindly trusting all keys in the keyring) that adding keys
> > to the keyring is not a privileged application and does not need a trusted
> > channel to the verifier.
> >
> > Hope this is clear. I use this for a B2Bi server which is able to check
> > incoming messages from trading partners and decides if they are known, based
> > on an "accept" lsign from operating staff. This even works with a keyserver.
> >
> > Greetings
> > Bernd
> >
> >
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
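An added example, not code from this thread or from GnuPG: a Python acceptance check for the automatic, public-key-only verifier the thread discusses. It assumes the setup Bernd describes (accepted signers' keys carry an lsign from an operator key, whose public half alone is present and which is named via --trusted-key; the TRUSTED_KEY_ID value is a hypothetical placeholder) and feeds constructed --status-fd output modelled on the gpg run Fabian quoted. The point it makes that the prose does not: an automatic checker should not grep the human-readable warning; it should read the TRUST_* status line and reject TRUST_UNDEFINED even though the signature itself is GOODSIG.

```python
"""Added example, not code from the thread: an acceptance check for an
automatic (e.g. web-facing) signature verifier that holds only public keys.

gpg is run with --status-fd so the decision rests on its machine-readable
status lines, not on the human-readable warning quoted in the thread.  The
operator's certification key (the one that lsigned the accepted keys) is
named with --trusted-key; its secret half stays off this host."""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical long (8-byte) key ID of the operator's certification key.
TRUSTED_KEY_ID = "0123456789ABCDEF"

ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}
# Status keywords that mean the signature or key must not be accepted.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG",
         "REVKEYSIG", "KEYEXPIRED", "KEYREVOKED", "SIGEXPIRED"}


@dataclass
class VerifyResult:
    good: bool = False                    # a GOODSIG line was seen
    signer_keyid: Optional[str] = None    # long key ID from GOODSIG
    fingerprint: Optional[str] = None     # full fingerprint from VALIDSIG
    trust: Optional[str] = None           # the TRUST_* line, if any
    problems: List[str] = field(default_factory=list)


def parse_status(status_output: str) -> VerifyResult:
    """Parse the lines gpg writes to --status-fd for one --verify run."""
    r = VerifyResult()
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # stray chatter, not a status line
        fields = line.split()
        kw, args = fields[1], fields[2:]
        if kw == "GOODSIG":
            r.good = True
            r.signer_keyid = args[0]
        elif kw == "VALIDSIG":
            r.fingerprint = args[0]
        elif kw.startswith("TRUST_"):
            r.trust = kw
        elif kw in FATAL:
            r.problems.append(kw)
    return r


def accept(r: VerifyResult, allowed_fprs: Optional[set] = None) -> bool:
    """Accept only a good signature whose key gpg rates fully or ultimately
    valid through the --trusted-key path.  TRUST_UNDEFINED (the thread's
    'not certified with a trusted signature' warning) is a rejection.
    An optional fingerprint allowlist adds a second, trust-model-free gate."""
    if not r.good or r.problems or r.trust not in ACCEPTED_TRUST:
        return False
    if allowed_fprs is not None and r.fingerprint not in allowed_fprs:
        return False
    return True


def verify_file(signed_path: str, homedir: str) -> VerifyResult:
    """Run gpg over a signed file using a public-key-only homedir."""
    cmd = ["gpg", "--batch", "--no-tty", "--homedir", homedir,
           "--status-fd", "1",            # status lines go to stdout
           "--trusted-key", TRUSTED_KEY_ID,
           "--verify", signed_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_status(proc.stdout)      # stderr carries only human text


# Constructed status output modelled on the gpg run quoted in the thread:
# good signature, but no trust path, so gpg reports TRUST_UNDEFINED.
FPR = "CBEACB1243B71CC9711E49CD7D47135C5AF2A4D5"
STATUS_UNDEFINED = f"""\
[GNUPG:] GOODSIG 7D47135C5AF2A4D5 Fabian Rodriguez <fabian.rodriguez@toxik.com>
[GNUPG:] VALIDSIG {FPR} 2002-05-13 1021329227 0 3 0 17 2 00 {FPR}
[GNUPG:] TRUST_UNDEFINED
"""
# The same run after the signer's key was lsigned by the operator key that
# --trusted-key names: the key is now fully valid.
STATUS_FULLY = STATUS_UNDEFINED.replace("TRUST_UNDEFINED", "TRUST_FULLY")
# A tampered message: BADSIG, and gpg emits no VALIDSIG or TRUST_ line.
STATUS_BAD = ("[GNUPG:] BADSIG 7D47135C5AF2A4D5 "
              "Fabian Rodriguez <fabian.rodriguez@toxik.com>\n")

if __name__ == "__main__":
    for name, status in [("undefined", STATUS_UNDEFINED),
                         ("fully", STATUS_FULLY), ("bad", STATUS_BAD)]:
        print(name, "accepted" if accept(parse_status(status)) else "rejected")
```

The fingerprint allowlist in accept() is the fallback for a box that runs with --always-trust: by that option's own definition the TRUST_ line then carries no information about who certified the key, so the only remaining gate is pinning the exact signer fingerprints from VALIDSIG. With the lsign plus --trusted-key setup the trust line is meaningful and the allowlist is optional belt-and-braces.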