[kdepim-users] Fingerprint: where?

Kishore kitts.mailinglists at gmail.com
Wed Jan 7 07:50:06 GMT 2009


On Wednesday 07 Jan 2009 12:40:36 am Tom Emerson wrote:
> ----- Original Message ----
>
> From: Anne Wilson <cannewilson at googlemail.com>
> On Tuesday 06 January 2009 13:04:30 Kishore wrote:
> [...]
>
> > I tried what ingo suggested and now the message has changed. It still
> > says "not enough information to..." but has changed the details to read
> > "The signature is valid, but the key's validity is unknown". Can I fix
> > that?
>
> I don't think there is anything to fix.  I understand it to say that the
> key has not expired or been revoked, so in that sense it's valid, but the
> key has not been counter-signed by anyone prepared to say that they have
> checked that Dexter really is Dexter :-)  In that sense, the validity is
> unknown.
>
> Just my interpretation.  There might be some other explanation :-)
> ===========================
>
> that is pretty much it, except that instead of "not been countersigned by
> anyone prepared to say Dexter is Dexter", it should be "not been
> countersigned by YOU or anyone THAT YOU KNOW [or chains to someone you
> know] prepared to say..."
>
> This is the concept of "web of trust", and any decent search will turn up
> dozens of pages on the subject, but the nutshell is that in order to check
> the validity, you have to see the person face-to-face and get (and VERIFY)
> the fingerprint of their key and a reasonably sound reassurance that this
> key is indeed their key AND THEN actually "sign" their key with yours. 
> (check the command line options and/or GUI menus)  Once the key is "signed"
> by you, it needs to be refreshed on the servers and/or your keyring.  When
> you receive an item from Dexter, GPG will verify the signature is valid,
> and seeing YOUR OWN signature on that key will then indicate that the
> validity of the key is "trusted".
>
> Now, it might be difficult for you (personally) to meet up with Dexter and
> perform this key-validation exchange, so then you rely on a bit of a proxy.
> If there is someone you know that ALSO knows Dexter, that person can sign
> Dexter's key, and you sign your friend's key.  When GPG does the "trust"
> checking and fails to find your signature on the key, it will check any
> other signatures on the key.  When it finds your friend's key, it will see
> that you've signed THAT key, and therefore establish a chain of trust
> between you and Dexter via your friend.
>
> Now, since it is likely that your friend will sign more than one key, your
> friend actually becomes a node within a "web" of trust -- he will likely
> have friends you've never met, but one day you might run into a message
> signed by one of his other friends.  Because you've trusted your friend's
> judgment and ability to sign keys, GPG will automatically report on this
> signature as "trusted" even though you've never met the person.
>
> [of course, if you don't really trust your friend to be all that diligent
> in signing other keys, you can indicate that as well and GPG will report
> that the key is "marginally trusted" to belong to that person]

Thanks for the explanation.
-- 
Cheers!
Kishore
_______________________________________________
KDE PIM users mailing list
kdepim-users at kde.org
https://mail.kde.org/mailman/listinfo/kdepim-users
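The trust computation Tom describes above (your own signature makes a key valid; a signature from a friend whose key you signed and whom you trust fully does the same; a friend you trust only marginally yields "marginally trusted", and GnuPG's default needs three such marginal signers to reach full validity) can be modelled in a few dozen lines. The following is an added example written for this page, not GnuPG's code and not anything posted by the list members; it is a simplified model of the classic "pgp" trust model using GnuPG's documented defaults (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5), and it assumes, as GnuPG does, that only certifications made by keys that are themselves fully valid count. The keyring, names (Dexter, friend, alice, bob, carol, ...) and signatures are constructed for the example.

```python
"""Toy model of the web-of-trust validity computation (added example, not GnuPG code).

Mirrors GnuPG's default "pgp" trust model thresholds:
  completes-needed 1, marginals-needed 3, max-cert-depth 5.
Assumption carried over from GnuPG: only certifications by fully valid keys count,
and the ownertrust you assigned to the signer decides how much each counts.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Ownertrust levels, as set with `gpg --edit-key <id> trust`.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"
# Key validity levels, as gpg reports them ("key's validity is unknown" == V_UNKNOWN).
V_UNKNOWN, V_MARGINAL, V_FULL, V_ULTIMATE = "unknown", "marginal", "full", "ultimate"


@dataclass
class Key:
    uid: str
    signers: set[str] = field(default_factory=set)  # uids that certified this key
    ownertrust: str = UNKNOWN                       # how far I trust the owner to sign others


def sign_key(keys: dict[str, Key], signer: str, target: str) -> None:
    """Model of `gpg --sign-key target` run by `signer`: adds one certification."""
    keys[target].signers.add(signer)


def set_ownertrust(keys: dict[str, Key], uid: str, level: str) -> None:
    """Model of the `trust` command in `gpg --edit-key uid`."""
    keys[uid].ownertrust = level


def compute_validity(keys: dict[str, Key], completes_needed: int = 1,
                     marginals_needed: int = 3, max_cert_depth: int = 5) -> dict[str, str]:
    """Return the validity of every key, propagating outward from ultimately trusted keys.

    Each round extends the chain by one certification hop, so at most
    `max_cert_depth` hops from an ultimately trusted key are honoured.
    """
    validity = {uid: (V_ULTIMATE if k.ownertrust == ULTIMATE else V_UNKNOWN)
                for uid, k in keys.items()}
    for _depth in range(max_cert_depth):
        snapshot = dict(validity)  # one hop per round: use validity from the previous round
        changed = False
        for uid, key in keys.items():
            if snapshot[uid] in (V_FULL, V_ULTIMATE):
                continue  # already as valid as a certification can make it
            fully = marginal = 0
            for signer in key.signers:
                if signer == uid or signer not in keys:
                    continue  # self-signatures and unknown signers do not count
                if snapshot[signer] not in (V_FULL, V_ULTIMATE):
                    continue  # signer's own key is not (yet) valid: its signature is ignored
                trust = keys[signer].ownertrust
                if trust in (FULL, ULTIMATE):
                    fully += 1
                elif trust == MARGINAL:
                    marginal += 1
                # NEVER / UNKNOWN ownertrust: signature carries no weight
            if fully >= completes_needed or marginal >= marginals_needed:
                new = V_FULL
            elif fully or marginal:
                new = V_MARGINAL  # some trusted signers, but not enough of them
            else:
                new = snapshot[uid]
            if new != validity[uid]:
                validity[uid] = new
                changed = True
        if not changed:
            break
    return validity


def build_keyring() -> dict[str, Key]:
    """Constructed keyring for the example; every name and signature is invented."""
    return {
        "me":       Key("me", ownertrust=ULTIMATE),
        "friend":   Key("friend", signers={"me"}, ownertrust=FULL),      # met, verified, fully trusted
        "alice":    Key("alice", signers={"me"}, ownertrust=MARGINAL),   # met, but a casual signer
        "bob":      Key("bob", signers={"me"}, ownertrust=MARGINAL),
        "carol":    Key("carol", signers={"me"}, ownertrust=MARGINAL),
        "dexter":   Key("dexter"),                                       # fetched from a keyserver, unsigned
        "stranger": Key("stranger", signers={"friend"}),                 # friend's friend, never met
        "eve":      Key("eve", signers={"alice"}),                       # only one marginal signer
        "mallory":  Key("mallory", signers={"alice", "bob", "carol"}),   # three marginal signers
    }


if __name__ == "__main__":
    ring = build_keyring()
    before = compute_validity(ring)
    sign_key(ring, "me", "dexter")        # the face-to-face verification, then --sign-key
    after = compute_validity(ring)
    for uid in ring:
        print(f"{uid:9} before: {before[uid]:8} after signing dexter: {after[uid]}")
```

Running it shows Dexter's key as "unknown" until you certify it yourself, "stranger" as fully valid through your fully trusted friend, "eve" as merely marginal behind one marginally trusted signer, and "mallory" as fully valid once three marginally trusted signers agree.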