[kdepim-users] Fingerprint: where?
Anne Wilson
cannewilson at googlemail.com
Tue Jan 6 20:55:14 GMT 2009
On Tuesday 06 January 2009 19:10:36 Tom Emerson wrote:
> ----- Original Message ----
>
> From: Anne Wilson <cannewilson at googlemail.com>
> On Tuesday 06 January 2009 13:04:30 Kishore wrote:
> [...]
>
> > I tried what ingo suggested and now the message has changed. It still
> > says "not enough information to..." but has changed the details to read
> > "The signature is valid, but the key's validity is unknown". Can I fix
> > that?
>
> I don't think there is anything to fix. I understand it to say that the
> key has not expired or been revoked, so in that sense it's valid, but the
> key has not been counter-signed by anyone prepared to say that they have
> checked that Dexter really is Dexter :-) In that sense, the validity is
> unknown.
>
> Just my interpretation. There might be some other explanation :-)
> ===========================
>
> that is pretty much it, except that instead of "not been countersigned by
> anyone prepared to say Dexter is Dexter", it should be "not been
> countersigned by YOU or anyone THAT YOU KNOW [or chains to someone you
> know] prepared to say..."
>
> This is the concept of "web of trust", and any decent search will turn up
> dozens of pages on the subject, but the nutshell is that in order to check
> the validity, you have to see the person face-to-face and get (and VERIFY)
> the fingerprint of their key and a reasonably sound reassurance that this
> key is indeed their key AND THEN actually "sign" their key with yours.
> (check the command line options and/or GUI menus) Once the key is "signed"
> by you, it needs to be refreshed on the servers and/or your keyring. When
> you receive an item from Dexter, GPG will verify the signature is valid,
> and seeing YOUR OWN signature on that key will then indicate that the
> validity of the key is "trusted".
>
> Now, it might be difficult for you (personally) to meet up with Dexter and
> perform this key-validation exchange, so then you rely on a bit of a proxy.
> If there is someone you know that ALSO knows Dexter, that person can sign
> Dexter's key, and you sign your friends key. When GPG does the "trust"
> checking and fails to find your signature on the key, it will check any
> other signatures on the key. When it finds your friends key, it will see
> that you've signed THAT key, and therefore establish a chain of trust
> between you and Dexter via your friend.
>
> Now, since it is likely that your friend will sign more than one key, your
> friend actually becomes a node within a "web" of trust -- he will likely
> have friends you've never met, but one day on you might run into a message
> signed by one of his other friends. Because you've trusted your friend's
> judgment and ability to sign keys, GPG will automatically report on this
> signature as "trusted" even though you've never met the person
>
> [of course, if you don't really trust your friend to be all that diligent
> in signing other keys, you can indicate that as well and GPG will report
> that the key is "marginally trusted" to belong to that person]
>
Excellent explanation, thanks
Anne
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kdepim-users/attachments/20090106/93671563/attachment.sig>
-------------- next part --------------
_______________________________________________
KDE PIM users mailing list
kdepim-users at kde.org
https://mail.kde.org/mailman/listinfo/kdepim-users
More information about the kdepim-users
mailing list