
RE: GPG and Signing



Michael Pobega wrote on Sunday, April 01, 2007 7:32 PM -0500:

> On Sun, Apr 01, 2007 at 07:09:55PM -0500, John Hasler wrote:
> > Michael Pobega writes:
> > > Is it a bad practice to verify keyrings of people on the mailing
> > > list, or is it better to wait until I meet up with some of them
> > > at say Debconf or something similar?
> >
> > Depends on what you mean by "verify".  There is nothing wrong with
> > downloading their public keys and using them to verify that all the
> > messages purporting to come from them are indeed signed with the
> > same key and so probably did come from the same person.  However,
> > you should not sign someone's key unless you have met them,
> > interviewed them, and examined and verified their credentials.
> >
>
> What exactly is signing a key, and how does it work?
>
> I'd Google it...but I wouldn't know where to start.

It's a long story, but here's an attempt to make it short ...

Public key cryptography has two keys:  one public and one private.  They
are created as a pair and work together.  The fact that you can verify a
signature against a public key says that the person who signed the
message had the private key corresponding to the public key.  It says
nothing about the identity of the person who created the signature.
Public key signatures are more like notary stamps or seals than hand
signatures.  It says only that the person who signed the file possessed
the seal.

To help associate a public key with a personal identity, you have to
meet someone in person, check an identity document to match a picture to
their face.  The person then gives you a piece of paper with a
"fingerprint" of their public key.  You can go home and affix your
digital signature to their public key certifying that you are satisfied
they are who they claim.  Your signature gets added to their public key
on the keyserver, so anyone who trusts you can have some trust that this
key belongs to the person who claims it.  This is how keys inherit
trust.  The more signatures on your public key, the more likely it is
that a random third party knows either someone who signed your key, or
knows someone who knows someone who signed your key, etc.  As others
have pointed out, this is not a guarantee of identity, but it is good
enough for most purposes.

--
Seth Goodman
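The reply above describes the web of trust in prose only, so here is an added example (not from this thread or from GnuPG) that models it: a small Python script in which key validity is derived from who signed whose key and how far I trust each owner to vouch, following GnuPG's classic trust model and its documented defaults of three marginal signers and a chain depth of five. All names, key ids, signatures and trust values are constructed, and the signatures are stand-ins rather than real OpenPGP certifications.

```python
# Added example: a toy model of the OpenPGP web of trust. No cryptography
# is performed; "signatures" are stand-ins and every name, key id and trust
# value below is constructed for illustration.
import re

FULL, MARGINAL = "full", "marginal"
NEED_MARGINALS = 3   # GnuPG default --marginals-needed
MAX_DEPTH = 5        # GnuPG default --max-cert-depth


def fingerprints_match(on_paper: str, shown_by_gpg: str) -> bool:
    """Compare the fingerprint on the slip of paper with the one gpg prints."""
    # Normalise spacing and case; insist on a full 40-hex-digit v4 fingerprint,
    # since a truncated key id does not identify a key.
    a, b = (re.sub(r"\s+", "", s).upper() for s in (on_paper, shown_by_gpg))
    return len(a) == 40 and a == b


def valid_keys(me, sigs, owner_trust, need_marginals=NEED_MARGINALS, max_depth=MAX_DEPTH):
    """Keys that 'me' may treat as really belonging to their named owner."""
    # sigs: {key: {signer, ...}} certifications as seen on the keyserver.
    # owner_trust: {key: FULL|MARGINAL} how far I trust each owner to vouch.
    # A signature counts only if the signer's key is itself valid AND I have
    # assigned its owner trust; my own signatures count as fully trusted.
    valid = {me}
    for _ in range(max_depth):          # each pass extends chains by one hop
        newly = set()
        for key, signers in sigs.items():
            if key in valid:
                continue
            vouching = [s for s in signers if s in valid]
            full = any(s == me or owner_trust.get(s) == FULL for s in vouching)
            marg = sum(owner_trust.get(s) == MARGINAL for s in vouching)
            if full or marg >= need_marginals:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid


# Constructed keyserver state: who has signed whose key.
SIGS = {
    "alice": {"me"},                      # met her, checked her id, signed
    "erin": {"me"}, "frank": {"me"}, "grace": {"me"},
    "bob": {"alice"},                     # alice vouches for bob
    "carol": {"bob"},                     # bob vouches, but I gave bob no trust
    "dave": {"erin", "frank"},            # only two marginal signers
    "heidi": {"erin", "frank", "grace"},  # three marginals: enough
    "mallory": {"zed"},                   # signer is a key I know nothing about
}
TRUST = {"alice": FULL, "erin": MARGINAL, "frank": MARGINAL, "grace": MARGINAL}
```

Note that carol's key stays invalid even though bob's key is valid: a signature only proves the signer's key was used, and bob's word carries no weight until I assign him owner trust, which is exactly the possession-versus-identity distinction made above.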


