[please don't top-quote]
On Wed, Nov 13, 2002 at 11:13:59AM -0800, Expert User wrote:
> On Thu, Nov 14, 2002 at 02:08:02AM +1100, Rob Weir wrote:
> > On Wed, Nov 13, 2002 at 11:24:30AM +0000, Karl E. Jorgensen wrote:
> > > b) They must trust that you are actually the keeper of the
> > > corresponding secret key. This means physically meeting people and
> > > collecting signatures on your key from other people (web-of-trust).
> > > This is the hard and time-consuming bit...
> >
> > This bit is really, really important. Do not sign anyone's key unless
> > you've physically met them and are sure they are who they claim they
> > are. If you don't take it seriously then you'll hurt the web of trust.
> > That said, keysigning is an excellent excuse to meet up with local
> > geeks:)
> >
> > -rob
>
>
> The one part I have not quite understood is how do I 'collect'
> signatures physically?
Basically you find somebody else who has a key and:
- Prove that you are who you say you are. This requires some official
ID, e.g. a passport.
- Prove that you are the keeper of your private key - e.g. by being able
to decrypt documents encrypted with the corresponding public key.
- Hand over the key fingerprint
That should be enough for somebody to sign your key. They would do this
by:
- Getting hold of your public key
- Checking that the fingerprint matches
- Signing your public key with their private key
- Sending your (now signed) public key to you (usually in a mail
encrypted to your key)
- You then import that key and thus import the new signature
- You upload your public key (with the new signatures) to keyservers
Usually it's a two-way process - A signs B's key and vice versa
(provided that the conditions above are met).
The above is just a very short (and probably inaccurate) summary. Read
the real thing to get the (much more authoritative) full story:
http://www.cryptnet.net/fdp/crypto/gpg-party.html
HTH
--
Karl E. Jørgensen
karl@jorgensen.com http://karl.jorgensen.com
==== Today's fortune:
The truth of a proposition has nothing to do with its credibility. And
vice versa.
Attachment:
pgpB163EP4gFu.pgp
Description: PGP signature
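The two halves of the procedure sketched above (the signer's steps and the key owner's steps) as gpg commands. This is an added example, not code from the mail or from the gpg-party guide it links to; the key ids, the fingerprint slip and the file names are placeholders, and the functions that talk to a keyserver only run when you call them with real values.

```shell
#!/bin/sh
# Added example: keysigning as gpg commands. Key ids and fingerprints are
# hypothetical placeholders supplied by the caller.

# Normalise a fingerprint before comparing: drop whitespace, use upper case,
# so "1234 ABCD ..." copied from a paper slip matches what gpg prints.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Return 0 only if the fingerprint from the slip equals the one gpg reports
# for the key we fetched. This is the check that must never be skipped.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Signer's side: fetch the key, verify the fingerprint, sign, export, and
# encrypt the result to the owner.
#   $1 = key id of the person you met, $2 = fingerprint written on their slip
sign_key() {
    keyid=$1
    expected=$2
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --recv-keys "$keyid" || return 1
    # --with-colons output: the 'fpr' record carries the fingerprint in field 10;
    # the first such record is the primary key.
    actual=$(gpg --with-colons --fingerprint "$keyid" | awk -F: '$1=="fpr" {print $10; exit}')
    if ! fpr_matches "$expected" "$actual"; then
        echo "fingerprint mismatch for $keyid: refusing to sign" >&2
        return 1
    fi
    gpg --sign-key "$keyid"                      # interactive: confirm the signature
    gpg --armor --export "$keyid" > "$keyid.signed.asc"
    # Mail this file. Only the holder of the matching secret key can read it,
    # so decrypting it doubles as the proof-of-possession step.
    gpg --armor --encrypt --recipient "$keyid" "$keyid.signed.asc"
    echo "$keyid.signed.asc.asc"
}

# Key owner's side: decrypt what the signer mailed, import it (gpg merges the
# new signature into the key already in the keyring) and push the updated key
# to a keyserver.
#   $1 = the encrypted file received, $2 = your own key id
publish_signed_key() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --decrypt "$1" | gpg --import || return 1
    gpg --send-keys "$2"
}
```

`sign_key` refuses to sign on any fingerprint mismatch rather than prompting; a signature on a key whose fingerprint you did not verify in person is exactly what damages the web of trust. `gpg --sign-key` still asks for confirmation interactively, and `--recv-keys` and `--send-keys` use whatever keyserver your gpg.conf points at.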