
Re: Kmail and gpg



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> so you have to do
> gpg --edit-key <email-address>
> Command> sign
> Command> trust
> Command> save

No!  You should only ever sign a key if you can be sure the key belongs to the 
person who claims to own it.  This generally means you have received the key 
(or its fingerprint) through a non-electronic medium - such as in person on a 
slip of paper - and you have verified the identity of its owner, such as by 
checking a driver's license or passport.

The whole point of key signing is to get around the problem of verifying whose 
keys are whose, which is the weakest point of this particular cryptographic 
system.

Please read the GnuPG docs (package gnupg-doc) for details.  In particular, 
you should read through section 3.6 of the mini-HOWTO (the section on key 
signing).

Ben.

- -- 

Ben Burton
benb@acm.org  |  bab@debian.org
Public Key: finger bab@db.debian.org

Paradoxically though it may seem, it is none the less true that life
imitates art far more than art imitates life.
	- Oscar Wilde

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9nENUMQNuxza4YcERAmUrAJ4zIeBgoKffB8vVfer9Hl90kRtDWgCaA4lr
IBwXaWHuopJekoDnbfHulEk=
=X+3p
-----END PGP SIGNATURE-----
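An added example, not part of the message above: a shell check that the fingerprint received on paper matches the primary-key fingerprint in `gpg --with-colons --fingerprint` output, to be run before `gpg --edit-key` and `sign`. The function names, the sample listing and its key are constructed for illustration, and a 40-hex-digit (v4) fingerprint is assumed.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint <key>` output.
# Not a real key; it only mirrors the record layout (fingerprint is field 10).
SAMPLE_COLONS='pub:-:1024:17:0123456789ABCDEF:1033000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1033000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sub:-:1024:16:FEDCBA9876543210:1033000000::::::e:
fpr:::::::::1111222233334444555566667777888899990000:'

# Strip the spaces and colons people use when writing a fingerprint down,
# and uppercase the hex digits, so both sides compare in one canonical form.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin and print the primary key fingerprint:
# the first "fpr" record following the "pub" record. Subkey fingerprints
# (the "fpr" after "sub") are deliberately ignored.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# fingerprint_matches <fingerprint from paper>   (colon listing on stdin)
# Returns 0 on match, 1 on mismatch, 2 if the paper value is not a full
# 40-hex-digit fingerprint (a short key ID is not enough to sign on).
fingerprint_matches() {
    want=$(normalise_fpr "$1")
    have=$(primary_fpr)
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    [ "$want" = "$have" ]
}

# Real use (key selector and paper value supplied by you):
#   gpg --with-colons --fingerprint "$KEY" | fingerprint_matches "$PAPER" \
#       && echo "fingerprint matches, identity check still required"
```

A match only shows that the key on your keyring is the one whose fingerprint you were handed; verifying the owner's identity remains a separate step.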


