KEYSERVER; Trust Model

Mike Acker Mike_Acker at charter.net
Mon Mar 21 11:08:17 CET 2011


On 03/20/2011 18:05, Jonathan Ely wrote:
> I thought it would automatically download your key, but I guess that is
> only for decrypting a message. I might be wrong on that too. I have
> never tried downloading and importing your key but there is no harm in
> trying.
>
> The trust thing is really contradictory since you do not personally
> 'trust' those people, since you may have no idea who they are to begin
> with. I can go really deep, but the smart thing to do is familiarise
> oneself with the sender and only then set trust accordingly, or just
> leave things at their defaults. If people use the function precariously,
> there would really be no point having it at all.

"Automatically download key": mine doesn't. I have to click the DETAILS
switch and select the option to download your key from the server.  I
think this is quite acceptable as I only do it once.  It will be
interesting to see what happens if I upload a REVOCATION certificate to
the key server.  We will find out.

Have you tried downloading my key?  You can easily delete it later if
you like: the key management dialog that is part of Thunderbird/ENIGMAIL
is better than either GPA or Kleo.  Key-ID: 30ABC33A

You stated you were getting a "BAD KEY" message.  Has that resolved?
~~


        Trust Models


If you were going to use PGP only for communication between yourself and
a few friends, in a manner in which you could personally exchange keys,
there would be no need for trust models.

But suppose, for example, that we are administering communication
security for a slightly larger group, 20 folks or more, and we have
members who come and go...

When a new person, let's call him "Tom", joins the group he will meet
with the group security person (GSP).

The GSP will help Tom to set up his ENIGMAIL.  After Tom has generated his
keypair he will provide the GSP with a copy of his new public key.  The
GSP will sign Tom's key and provide that to the other group members.

The other group members will recognize the GSP's signature on Tom's key
and this is the signal that it is OK to communicate with Tom.

But what if Tom leaves the group?  The GSP will issue a revocation certificate.

The caching of local certificates here concerns me though: how do we
make sure that, if the group members obtain Tom's key from the server,
each time Tom's key is referenced ENIGMAIL checks the server for a
possible revocation certificate?  I need to work through this process so
I understand it thoroughly.

/MIKE
