re. Moving from PGP to GnuPG and other questions ...

Samuel Åslund samuel at Update.UU.SE
Thu Apr 29 10:30:32 CEST 2004

On Wed, Apr 28, 2004 at 11:46:43PM -0700, Denis Green wrote:
<< Loads of questions basically about what is the difference between
Signing and trusting a key >>

I have not been active for a while but if I remember correctly you sign
keys that you have personally verified belong to whoever it says it
belongs to, you trust a key owner to verify keys in a good way when
signing them.

That means that any key you have signed is a key you can encrypt to.
To be able to encrypt to a key you have not signed, some other key that
you have signed and whose owner you trust to verify keys correctly must
have signed that "unknown" key. Chains of these kinds of verifications
are what build the Web of Trust.

About verifying keys before using them, there are several reasons to
import keys that you can not be sure have not been modified in
transmission. One reason is to check signatures on a mailing list; who
actually is writing is not as interesting as knowing that it is the same
entity all the time. Another could be that you have no way to check it
but think that some of your acquaintances have, then you can import it
and let GnuPG check if that is true, see Web of Trust.

About "Ultimate trust", I think that is GnuPG's way of knowing which
keys you know well enough to start the chains of signing.
Earlier versions did this by assuming that if the program had the secret
key it was secure enough. Using the ultimate trust setting instead allows
(among other things) a user to keep the secret key in a secure place and
still use the public key to start a chain in the web of trust.
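The distinction the reply draws (a signature says "I verified this key belongs to its owner"; ownertrust says "I rely on this owner to verify keys before signing them"; validity chains are derived from both, starting at your own ultimately trusted key) as an added toy model in Python. This is illustration code, not part of the original message and not GnuPG's own implementation; the thresholds (one fully trusted signature, or three marginally trusted ones, within a chain depth of five) are assumed from GnuPG's classic trust-model defaults, and the key names are constructed.

```python
"""Toy model of the signing-vs-ownertrust distinction in GnuPG's Web of Trust.

Added illustration, not code from the original post or from GnuPG.
Two separate inputs are kept apart, as the post describes:
  * a signature (certification) on a key: "I verified this key belongs
    to the person named in it"
  * ownertrust on a key: "I rely on this key's owner to verify other
    keys carefully before signing them"
Key validity (may I encrypt to it?) is derived from both, starting from
the keys marked 'ultimate'. Thresholds follow GnuPG's classic trust-model
defaults (assumed here): one signature from a fully trusted valid key, or
three from marginally trusted valid keys, within a chain depth of 5.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

COMPLETES_NEEDED = 1   # assumed default for --completes-needed
MARGINALS_NEEDED = 3   # assumed default for --marginals-needed
MAX_CERT_DEPTH = 5     # assumed default for --max-cert-depth


@dataclass
class Keyring:
    # key id -> ids of the keys that have signed (certified) it
    signatures: dict[str, set[str]] = field(default_factory=dict)
    # key id -> ownertrust level assigned by the keyring's owner
    ownertrust: dict[str, str] = field(default_factory=dict)

    def add_key(self, keyid: str, trust: str = UNKNOWN) -> None:
        self.signatures.setdefault(keyid, set())
        self.ownertrust[keyid] = trust

    def sign(self, signer: str, target: str) -> None:
        """Record that `signer` has certified `target`."""
        self.signatures.setdefault(target, set()).add(signer)

    def compute_validity(self) -> dict[str, int]:
        """Return {keyid: chain depth} for every valid key.

        Depth 0 is an ultimately trusted key. A key becomes valid only
        through signatures from keys that are already valid AND whose
        owners are trusted to certify. A valid key with unknown
        ownertrust can be encrypted to but extends no chain.
        """
        valid = {k: 0 for k, t in self.ownertrust.items() if t == ULTIMATE}
        changed = True
        while changed:          # propagate until no new key becomes valid
            changed = False
            for key, signers in self.signatures.items():
                if key in valid:
                    continue
                usable = [s for s in signers
                          if s in valid and valid[s] < MAX_CERT_DEPTH]
                full = [s for s in usable
                        if self.ownertrust.get(s) in (ULTIMATE, FULL)]
                marginal = [s for s in usable
                            if self.ownertrust.get(s) == MARGINAL]
                if len(full) >= COMPLETES_NEEDED:
                    valid[key] = min(valid[s] for s in full) + 1
                    changed = True
                elif len(marginal) >= MARGINALS_NEEDED:
                    valid[key] = min(valid[s] for s in marginal) + 1
                    changed = True
        return valid


def build_demo() -> Keyring:
    """Constructed keyring mirroring the situations described in the post."""
    kr = Keyring()
    kr.add_key("me", ULTIMATE)          # my own key starts every chain
    kr.add_key("alice", FULL)           # verified in person, trusted certifier
    kr.add_key("carol")                 # verified in person, unknown as certifier
    for k in ("bob", "dave", "frank", "grace"):
        kr.add_key(k)
    for k in ("m1", "m2", "m3"):
        kr.add_key(k, MARGINAL)         # three marginally trusted certifiers
    kr.sign("me", "alice")
    kr.sign("me", "carol")
    for k in ("m1", "m2", "m3"):
        kr.sign("me", k)
    kr.sign("alice", "bob")             # bob valid: alice is valid and fully trusted
    kr.sign("carol", "dave")            # dave NOT valid: carol's ownertrust is unknown
    for k in ("m1", "m2", "m3"):
        kr.sign(k, "frank")             # frank valid: three marginal signatures
    kr.sign("m1", "grace")
    kr.sign("m2", "grace")              # grace NOT valid: only two marginal signatures
    return kr


def demo_validity() -> dict[str, int]:
    return build_demo().compute_validity()


if __name__ == "__main__":
    for keyid, depth in sorted(demo_validity().items(), key=lambda kv: kv[1]):
        print(f"{keyid:6s} valid at depth {depth}")
```

Note that "ultimate" here is just an ownertrust value on a public key, which is the point the reply makes about newer versions: nothing in the model needs the secret key to be present for that key to start a chain. Carol shows the other half of the distinction: a key you signed yourself is valid (you can encrypt to it) even though you say nothing about her as a certifier, so her signatures extend no chain.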
