linux at codehelp.co.uk
Mon Aug 2 21:52:12 CEST 2004
On Monday 02 August 2004 7:33, F. Rodriguez wrote:
> Stuardo - StR - Rodriguez wrote:
> > 1) Can I create all the keys in a single machine to export them to the
> > other machines?
> Yes. I would create one keyring with all public keys and separate
> keyrings for the private keys on each machine.
Generating all the keys yourself is a bad idea - generating them all on one
machine (each key generated by the final user) is a practical problem. You
shouldn't expect people to trust a key generated by someone else! (Generating
a key requires setting the passphrase and it isn't wise to use a key to which
someone else has a passphrase. Even if the user changes the passphrase in
their private key, what is to say that you haven't kept an old private key
with your own passphrase? Multiple copies of private keys with different
people should be avoided.)
> > 2) I do not understand the trusting thing....
That much is plain from your first question.
Try reading these:
> > If I have a key - like a super key and it y sign the other 100 keys (i
Yes. Each of those then needs to sign your key and be signed by your key. i.e.
two way signatures, A signs B and B signs A. There are keysigning protocols
Signatures are not something to be minimised, a keyholder often invests
considerable time and effort in collecting as many signatures as possible -
every signature strengthens the key and the overall web of trust.
> > think it is signing.. i just tell to "trus" the other keys) then... in
No, it's signing. Setting the trust comes afterwards - GnuPG will ignore any
user trust setting until the key itself is trusted. (In the --edit-key
output, trust is shown as two values).
> > the other pc... i have trusted the super key.... Do i need to sign the
> > other keys?
Just sign the 'super' key. However, to make the web of trust stronger, as many
users as possible should verify and sign each other's keys.
> > or when I sign the super key, I trust every single key the
> > super key has signed?
Not necessarily, but you can set it that way.
(There is no reason why any user MUST trust any key.)
> Basically, yes, if you define your model of trust to be that... But that
> is *your* decision. More on the Web of trust:
> > 3) How do i set a key server where I can search for public keys? like
Why create another one? Public keys are public and there's no harm in using a
public keyserver - there is no security issue here, public keyservers are
designed for public keys. Dump the windows mindset and embrace the community
- share your public key as widely as possible, keep your private key
> > ... in mozilla-thunderbird... I can asign which is the key server to
> > search for the keys.... I want to add there MY server instead of the ones
> > of the list:
Why? You'd be surprised how limiting that could become. Someone in the keyring
is almost certain to want to use the key to sign/encrypt outside the small
group. Once users have their own keys (and passphrases), there's nothing to
stop them signing and being signed by other keys. It should be encouraged -
it strengthens the web of trust of the entire group.
> It seems most development happens (or used to happen) around PKS:
I thought it was SKS that was most up to date (subkeys etc.)?
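To make the signing-versus-trust distinction in the reply above concrete, here is an added example (written for this page, not GnuPG's own code and not something posted in the thread) that models the classic GnuPG validity computation in Python. It shows the "two values" seen in --edit-key: a key's validity (does it belong to the named owner?) and its ownertrust (do you trust the owner to certify others?). Signing the super key alone makes the super key valid; only the ownertrust you then assign decides whether the keys it has signed become valid, and ownertrust on a key that is not itself valid is ignored. Assumptions: GnuPG defaults completes-needed=1, marginals-needed=3, max-cert-depth=5, one user ID per key, no expiry or revocation; the key names (me, S, u1..u3, v) are constructed sample data.

```python
"""Toy model of the classic GnuPG web-of-trust validity computation.

Added example, not GnuPG code.  Simplifications (assumptions): one user ID
per key, no expiry or revocation, and the GnuPG defaults completes-needed=1,
marginals-needed=3, max-cert-depth=5.  All key names are constructed.
"""

# Ownertrust levels, as set with the "trust" command in gpg --edit-key.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = (
    "unknown", "never", "marginal", "full", "ultimate")


def compute_validity(signatures, ownertrust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: validity}, validity being one of
    'ultimate', 'full', 'marginal' or 'unknown'.

    signatures: {key: set of keys that have signed (certified) that key}
    ownertrust: {key: level}; keys absent from the dict default to UNKNOWN.
    """
    keys = set(signatures) | set(ownertrust)
    for signers in signatures.values():
        keys |= set(signers)
    validity = {k: "unknown" for k in keys}

    def trust(k):
        return ownertrust.get(k, UNKNOWN)

    # Depth 0: ultimately trusted keys (normally your own) are valid by fiat.
    for k in keys:
        if trust(k) == ULTIMATE:
            validity[k] = "ultimate"

    for _depth in range(max_cert_depth):
        # Work from a snapshot so each round corresponds to one depth level.
        prev = dict(validity)
        changed = False
        for key, signers in signatures.items():
            if prev[key] in ("ultimate", "full"):
                continue
            completes = marginals = 0
            for s in signers:
                if s == key:
                    continue  # self-signatures never confer validity
                # A signature only counts if the signer's key is itself
                # fully valid: ownertrust on an invalid key is ignored.
                if prev.get(s) not in ("ultimate", "full"):
                    continue
                if trust(s) in (FULL, ULTIMATE):
                    completes += 1
                elif trust(s) == MARGINAL:
                    marginals += 1
            if completes >= completes_needed or marginals >= marginals_needed:
                new = "full"
            elif completes or marginals:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[key]:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


def thread_scenario(super_ownertrust, me_signs_super=True):
    """The thread's situation: 'me' signs the super key S, which has signed
    users u1..u3.  What becomes valid depends on the ownertrust given to S,
    not on the signature alone.  Constructed sample keys."""
    signatures = {
        "S": {"me"} if me_signs_super else set(),
        "u1": {"S"}, "u2": {"S"}, "u3": {"S"},
    }
    ownertrust = {"me": ULTIMATE, "S": super_ownertrust}
    return compute_validity(signatures, ownertrust)


def web_scenario():
    """Why cross-signing strengthens the web: v is signed by three users that
    'me' only trusts marginally, which together reach marginals-needed=3."""
    signatures = {
        "S": {"me"},
        "u1": {"S"}, "u2": {"S"}, "u3": {"S"},
        "v": {"u1", "u2", "u3"},
    }
    ownertrust = {"me": ULTIMATE, "S": FULL,
                  "u1": MARGINAL, "u2": MARGINAL, "u3": MARGINAL}
    return compute_validity(signatures, ownertrust)


if __name__ == "__main__":
    for level in (UNKNOWN, MARGINAL, FULL):
        print(f"ownertrust(S)={level}:", thread_scenario(level))
    print("S trusted but unsigned:", thread_scenario(FULL, me_signs_super=False))
    print("cross-signed web:", web_scenario())
```

Running it shows that with S signed but left at unknown ownertrust, S is valid and u1..u3 are not; raising S to full ownertrust makes u1..u3 fully valid, marginal ownertrust leaves them only marginally valid; and giving S full ownertrust without any valid signature on S changes nothing, which is the "ignored until the key itself is trusted" behaviour described above.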