[kdepim-users] Fingerprint: where?

Tom Emerson osnut at pacbell.net
Tue Jan 6 19:10:36 GMT 2009


----- Original Message ----

From: Anne Wilson <cannewilson at googlemail.com>
On Tuesday 06 January 2009 13:04:30 Kishore wrote:
[...]
> I tried what ingo suggested and now the message has changed. It still says
> "not enough information to..." but has changed the details to read "The
> signature is valid, but the key's validity is unknown". Can I fix that?

I don't think there is anything to fix.  I understand it to say that the key 
has not expired or been revoked, so in that sense it's valid, but the key has 
not been counter-signed by anyone prepared to say that they have checked that 
Dexter really is Dexter :-)  In that sense, the validity is unknown.

Just my interpretation.  There might be some other explanation :-)
===========================

That is pretty much it, except that instead of "not been countersigned by anyone prepared to say Dexter is Dexter", it should be "not been countersigned by YOU or anyone THAT YOU KNOW [or chains to someone you know] prepared to say..."

This is the concept of "web of trust", and any decent search will turn up dozens of pages on the subject, but the nutshell is that in order to check the validity, you have to see the person face-to-face and get (and VERIFY) the fingerprint of their key and a reasonably sound reassurance that this key is indeed their key AND THEN actually "sign" their key with yours (check the command-line options and/or GUI menus).  Once the key is "signed" by you, it needs to be refreshed on the servers and/or your keyring.  When you receive an item from Dexter, GPG will verify the signature is valid, and seeing YOUR OWN signature on that key will then indicate that the validity of the key is "trusted".

Now, it might be difficult for you (personally) to meet up with Dexter and perform this key-validation exchange, so then you rely on a bit of a proxy.  If there is someone you know that ALSO knows Dexter, that person can sign Dexter's key, and you sign your friend's key.  When GPG does the "trust" checking and fails to find your signature on the key, it will check any other signatures on the key.  When it finds your friend's key, it will see that you've signed THAT key, and therefore establish a chain of trust between you and Dexter via your friend.

Now, since it is likely that your friend will sign more than one key, your friend actually becomes a node within a "web" of trust -- he will likely have friends you've never met, but one day you might run into a message signed by one of his other friends.  Because you've trusted your friend's judgment and ability to sign keys, GPG will automatically report on this signature as "trusted" even though you've never met the person.

[of course, if you don't really trust your friend to be all that diligent in signing other keys, you can indicate that as well and GPG will report that the key is "marginally trusted" to belong to that person]
_______________________________________________
KDE PIM users mailing list
kdepim-users at kde.org
https://mail.kde.org/mailman/listinfo/kdepim-users