[clug-talk] LinuxFest - 'web of trust'.

simon simon at mungewell.org
Tue May 2 12:38:18 PDT 2006


On Tue, May 02, 2006 at 01:31:22PM -0600, Mitchell Brown wrote:
> Yup I know this - I just *had* to try it out y'know. I doubt there's some
> baddy there pretending to be you .. maybe I'm wrong!
> So I just hit sign, and then right click it and hit "Send Key to Keyserver"
> correct? That will update it?
> 
> Your fingerprint is 90B20989447C4AB91DB5E90CC0A99F2D575E8783 is that right?
> 

Hi Mitchell,
I know you're excited, but please follow convention.

You don't need to sign keys in order to encrypt messages, otherwise you
wouldn't be able to email people that you haven't met. You can encrypt
me a message without being sure that I'm me :-)

This is where the 'web of trust' comes in. Say you 'trust' Dave and Dave
has signed my key. Then you can be pretty sure that my key is really
me...

If you are in the habit of not checking before signing, then your
signature becomes useless - or worse will be marked as a 'Don't Trust'
by people.


The email you sent me was signed, but not encrypted. I.e. if I have a
trust path to your key I can be sure that it was sent (well, written) by
you, but everyone can read it.

In addition to signing/encrypting the email, there is key management -
where you sign a key. I think that you're muddling these up.

My key/fingerprint are:
---
simon at slone:~$ gpg --fingerprint mungewell
pub   1024D/575E8783 2000-02-07
      Key fingerprint = 90B2 0989 447C 4AB9 1DB5  E90C C0A9 9F2D 575E 8783
uid                  Simon Wood <simon at mungewell.org>
sub   1024g/16B75E59 2000-02-07
---

But do you trust that this is the real me talking????

Simon.
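
[Added example, not part of the original message and not GnuPG's own code: a simplified model of the 'trust path' idea described above, where a key counts as verified only if a chain of signatures reaches it through people you trust to check before signing. The names mallory, alice and fake-simon and the signature data are constructed; GnuPG's real trust calculation (marginal/full trust counts) is more involved.]

```python
from collections import deque

# Constructed sample data: CERTIFICATIONS[signer] = keys that signer has signed.
CERTIFICATIONS = {
    "mitchell": {"dave"},
    "dave": {"simon"},
    "mallory": {"fake-simon"},
}


def trust_path(me, target, certifications, trusted_introducers, max_depth=5):
    """Return the shortest chain of signatures from `me` to `target`, or None.

    Every key on the chain except the target must belong to someone `me`
    trusts to verify identities before signing (a trusted introducer).
    A signature made by anyone else is ignored.
    """
    introducers = set(trusted_introducers) | {me}
    queue = deque([[me]])
    seen = {me}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_depth:  # chain already has max_depth signatures
            continue
        for signed in sorted(certifications.get(path[-1], ())):
            if signed == target:
                return path + [signed]
            if signed in introducers and signed not in seen:
                seen.add(signed)
                queue.append(path + [signed])
    return None


if __name__ == "__main__":
    # Mitchell trusts Dave, and Dave has signed Simon's key: a path exists.
    print(trust_path("mitchell", "simon", CERTIFICATIONS, {"dave"}))
    # Mitchell has signed Dave's key but does not trust Dave's checking: no path.
    print(trust_path("mitchell", "simon", CERTIFICATIONS, set()))
    # If Mitchell signs a key without checking it, everyone who trusts
    # Mitchell (here: alice) inherits that unverified key as "valid".
    careless = dict(CERTIFICATIONS, mitchell={"dave", "fake-simon"},
                    alice={"mitchell"})
    print(trust_path("alice", "fake-simon", careless, {"mitchell"}))
```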



