Ken Moffat wrote:
> On Fri, Nov 18, 2011 at 04:09:07PM -0600, Bruce Dubbs wrote:
>> See if http://www.gnupg.org/gph/en/manual.html helps.
>>
>> Specifically
>>     Validating other keys on your public keyring
>>           Trust in a key's owner
>>           Using trust to validate keys
>>
>  Not on any of the several times I've read it - it seems to be all
> about "how to trust keys after you have your own key".  I feel a bit
> like the 'man' users who used to complain about 'info' - I'm probably
> not asking the right question.
> 
>  If verifying keys means I need to create my own key, which is my
> impression from that manual, then for the moment I'll do without.
> 
>  The key word in my request was _idiot's_ guide - I know almost
> nothing about pgp, and all the documentation I've found assumes I
> *want* to *sign* things - as I said earlier, with a self-signed key
> that is not particularly useful.

Well, I can say you are not an idiot.  Let's start:

How do I know you are you?  Identification is really not easy.  There 
are things like birth certificates, passports, driver's licenses, etc. 
that are traditionally used to identify an individual.

If you meet and work with someone for years, do you know him?  Probably, 
but it's possible he's a deep undercover agent for xyz.

In the electronic world there are basically two ways to establish 
identity: a Public Key Infrastructure (PKI) and a Web of Trust (WoT).

In a PKI, there is a root Certificate Authority that everyone agrees to 
trust.  If your certificate is signed by the CA, then everybody trusts 
it, unless it is expired or revoked.  That's the model for web servers. 
There are CAs for Verisign and the like.  If you trust them, then you 
trust that they verified the identity of those certificates they signed.
If not, then those signed certs are meaningless.

In a WoT there is no single authority, but a lot of transitive 
relationships.  A trusts B and B vouches for C, so A trusts C.  The WoT 
can be quite complicated as there are degrees of trust.  How sure is A 
that he trusts B?  A lot?  Some?  A little?

The idea behind the WoT is that you get together, face to face, with 
others and sign each other's certificates.  That trust relationship is 
uploaded to a key server where others can use the fact that A trusts B 
to establish how much trust to give D, E, and F.

To use PGP, you do need to create a key, but you can keep it local.  You 
don't have to trust anyone else, but then you can't really use the PGP 
key to do things other than encrypt or sign things for yourself.  If 
someone puts a signature on one website (e.g. a keyserver) and signs a 
tarball that's on another site, then a bad guy has to break into both 
sites to compromise the keys.  Since the keys are distributed over 
multiple sites, that's even harder.  One simple thing that can be done 
is to check that product (tarball, etc) is properly signed by *some* 
key.  Trusting that it is the correct key is up to you.

It all boils down to how much verification do you need?  For the WoT, 
you have to decide what's good enough.

   -- Bruce
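The "degrees of trust" Bruce describes are what gpg actually computes when it decides whether a key on your ring is valid. The following is an added example, not code from the thread or from GnuPG: a simplified model of GnuPG's classic trust calculation over a constructed keyring, using gpg's default thresholds (one fully trusted signer, or three marginally trusted ones, within five hops of your own key).

```python
"""Simplified model of GnuPG's classic Web-of-Trust validity calculation.

Added illustration; the keyring below is constructed and the thresholds
mirror gpg's defaults (--completes-needed 1, --marginals-needed 3,
--max-cert-depth 5).
"""
from typing import Dict, Set

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

# Constructed keyring: SIGNATURES[k] = keys that have signed k;
# OWNER_TRUST[k] = how far *you* trust k's holder to certify others.
SIGNATURES: Dict[str, Set[str]] = {
    "me": set(),
    "alice": {"me"},
    "bob": {"alice"}, "carol": {"alice"}, "dave": {"alice"},
    "erin": {"bob", "carol", "dave"},   # three marginally trusted signers
    "frank": {"bob"},                   # one marginal signer: not enough
    "mallory": {"stranger"},            # signer is not in your web at all
}
OWNER_TRUST: Dict[str, str] = {
    "me": ULTIMATE, "alice": FULL,
    "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL,
}

def wot_validity(signatures, owner_trust, completes_needed=1,
                 marginals_needed=3, max_cert_depth=5) -> Dict[str, str]:
    """Return key -> validity ('full', 'marginal' or 'unknown').

    A key is fully valid when it is yours (ultimate owner trust) or when
    enough *fully valid* signers with full/marginal owner trust vouch for
    it, each within max_cert_depth hops of your own key.
    """
    keys = set(signatures) | {s for ss in signatures.values() for s in ss}
    validity = {k: UNKNOWN for k in keys}
    depth = {k: max_cert_depth + 1 for k in keys}          # "unreachable"
    for k in keys:
        if owner_trust.get(k) == ULTIMATE:                  # your own key
            validity[k], depth[k] = FULL, 0
    changed = True
    while changed:                      # iterate to a fixpoint over the graph
        changed = False
        for key, signers in signatures.items():
            if validity[key] == FULL:
                continue
            usable = [s for s in signers
                      if validity[s] == FULL and depth[s] < max_cert_depth]
            fulls = sum(owner_trust.get(s) in (FULL, ULTIMATE) for s in usable)
            margs = sum(owner_trust.get(s) == MARGINAL for s in usable)
            if fulls >= completes_needed or margs >= marginals_needed:
                validity[key] = FULL
                depth[key] = 1 + min(depth[s] for s in usable)
                changed = True
            elif (fulls or margs) and validity[key] == UNKNOWN:
                validity[key] = MARGINAL        # some vouching, but not enough
                changed = True
    return validity
```

Lowering `max_cert_depth` to 2 shows the hop limit at work: erin's signers sit two hops from "me", so her key drops back to unknown even though three people vouch for it.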
