re. Moving from PGP to GnuPG and other questions ...

Dennis Lambe Jr. malsyned at uofr.net
Thu Apr 29 15:30:04 CEST 2004


On Thu, 2004-04-29 at 02:46, Denis Green wrote:
> A little confused here.
> 
> Is sign = Trust ? or 

no.

> Because when I use the "edit" function from GPG Keys
> window, I get a help list, which has both sign and trust as
> separate commands. Keys that I sign seem to be the ones I
> am allowed to encrypt to ? (am I right there ?)

Signing a key means that you believe that the key belongs to the person
it says it does.  Trusting a key means you trust that person's
competency in signing other keys.

If you don't sign a key, you may still be able to encrypt to it if you
trust someone who has signed that key.

> 4/
> Don't we import public keys - basically to encrypt to them
> (i.e.) with an intention to use them. How else would a
> public key get into my key ring ? (without me getting a
> public key block and me importing it by certain willful
> actions, without me searching the key servers and importing
> etc.. etc..)
> 
> so why should I go through another process of signing a key ?
> 
> (i.e.) forgetting the cryptography involved behind the
> process of signing, as a user, why should I do a second
> action (call it signing or stamping or whatever **after** 
> willfully importing a public key ?

The mistake you're making is assuming that you always have to sign a key
to encrypt to it.  This is not the case.  You have to /either/ sign the
key /or/ trust one of its signers.  Let's take a real-world example:

You have downloaded Lewis Powell's key (72007281), and then signed it
(after duly verifying that it actually belongs to him via, for example,
meeting him at a key-signing party and personally checking his
government-issued ID and his key fingerprint).  You know Lewis, and you
know that he will only sign a key if he has made sure that it belongs to
the person it says it does, so you've assigned him full trust (4).

You get an email from me, Dennis Lambe (F53BA904).  You download my key
from a keyserver in order to verify the signature.  Since you trust
Lewis, and Lewis has signed my key, you don't need to sign my key in
order to be confident that I am who I say I am.  GPG will not complain
that it can't be sure the key really belongs to me, since it knows Lewis
is sure, and it knows that you trust Lewis's diligence at signing keys.

This is all necessary because without either checking that the person
who owns the key matches the name on the key, or trusting someone who
has, there's really no telling who uploaded the key to the key server. 
I could create a key right now with a UID of "Dennis Green
<rainman at hot.aarg.net>" and post it to a keyserver.  If GPG let anyone
encrypt to that key without a further verification step, then I could
read all your email (and you couldn't).

I hope that clears things up.

--D
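As an added example (not part of the original post, and not GnuPG's own code), here is a small Python model of the validity rule the reply describes: a key you may encrypt to is one you signed yourself, or one signed by a valid key whose owner you trust. It also carries the rule through to the marginal-trust thresholds of GnuPG's classic trust model (defaults `--completes-needed 1`, `--marginals-needed 3`, `--max-cert-depth 5`), which the reply does not cover. The key IDs 72007281 and F53BA904 are taken from the post; `YOUR_KEY`, `IMPOSTOR0`, `MARG*` and `TARGET` are constructed placeholders.

```python
"""Simplified model of the GnuPG classic web-of-trust validity rules.

Constructed example (not GnuPG's own code). The two key IDs from the
post are used as labels; the others are made-up placeholders.
"""

# Owner-trust levels, numbered as GnuPG's --edit-key "trust" prompt does.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = 1, 2, 3, 4, 5

# Defaults of GnuPG's classic trust model:
# --completes-needed 1 --marginals-needed 3 --max-cert-depth 5
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_validity(signatures, owner_trust):
    """Return the set of key IDs considered valid.

    signatures:  key ID -> set of key IDs that have certified (signed) it
    owner_trust: key ID -> owner-trust level; your own key is ULTIMATE

    A key becomes valid when it carries, within MAX_CERT_DEPTH steps of an
    ultimately trusted key, at least COMPLETES_NEEDED signatures from valid
    keys with FULL (or ULTIMATE) owner trust, or MARGINALS_NEEDED signatures
    from valid keys with MARGINAL owner trust. Signatures from keys that are
    not themselves valid never count, so an unknown signer adds nothing.
    """
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}
    for _depth in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            full = sum(1 for s in signers
                       if s in valid and owner_trust.get(s, UNKNOWN) in (FULL, ULTIMATE))
            marginal = sum(1 for s in signers
                           if s in valid and owner_trust.get(s, UNKNOWN) == MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def scenario_from_post():
    """The situation in the reply: you signed Lewis's key and gave him full
    trust; Lewis signed Dennis's key; you never signed Dennis's key. A
    look-alike key uploaded to a keyserver carries only its own signature."""
    signatures = {
        "YOUR_KEY": {"YOUR_KEY"},                 # self-signature only
        "72007281": {"72007281", "YOUR_KEY"},     # Lewis: self-sig + your sig
        "F53BA904": {"F53BA904", "72007281"},     # Dennis: self-sig + Lewis's sig
        "IMPOSTOR0": {"IMPOSTOR0"},               # uploaded by who knows whom
    }
    owner_trust = {"YOUR_KEY": ULTIMATE, "72007281": FULL}
    return compute_validity(signatures, owner_trust)


def marginal_scenario(num_marginal_signers):
    """Beyond the post: a key signed only by keys you trust marginally.
    Each marginal signer's key was signed by you, so those keys are valid."""
    signers = {f"MARG{i}" for i in range(num_marginal_signers)}
    signatures = {s: {"YOUR_KEY"} for s in signers}
    signatures["TARGET"] = set(signers)
    owner_trust = {"YOUR_KEY": ULTIMATE, **{s: MARGINAL for s in signers}}
    return "TARGET" in compute_validity(signatures, owner_trust)


if __name__ == "__main__":
    valid = scenario_from_post()
    for key in ("72007281", "F53BA904", "IMPOSTOR0"):
        status = "valid" if key in valid else "NOT valid (gpg would warn)"
        print(f"{key}: {status}")
    print("three marginal signers:", marginal_scenario(3))
    print("two marginal signers:  ", marginal_scenario(2))
```

The point to notice is that the impostor key is rejected not because anything about it looks wrong, but because no chain of signatures leads back to a key you trust; owner trust is never consulted for a key that is not itself valid, which is why trusting a person only helps once you (or someone you trust) have signed that person's key.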