On Tue, Mar 26, 2002 at 01:17:10PM +0200, [EMAIL PROTECTED] wrote:
> One more question popped in my mind; when GnuPG automagically fetches
> a key of some person and verifies it, it goes to the key list (I mean,
> that I can check it out with 'gpg --list-keys'). Does this mean, that
> it is signed? If it does, is it lsigned or signed for export?
Like I said, I'm not a GnuPG expert, but... No, it won't sign a key.
To sign a key, use gpg --sign-key (to sign for export, which you
shouldn't do until you know what you're doing), or gpg --lsign-key (to
sign a key locally).

> Because I have a *lot* of keys now, which I can view with --list-keys
> option for gpg... and I'm not so experienced yet, that I could tell
> if they are signed or not.

You have no proof that the key you downloaded actually belongs to the
owner, so there is no justification for signing it. Signing the key
says "I am 100% sure that this key belongs to the true owner".

For example, let's say that there is a guy that we both know, called
Fred Bloggs. He hasn't uploaded a key to the keyserver. I create a key
containing his email address and upload it to the server. I then spoof
a mail to you, that appears to come from Fred, and is signed with "his"
key. You download the key, and validate "his" message. You also sign
his key. Now your web-of-trust is broken.

AIUI, signing for export says "I am willing to tell anyone that if they
trust my key, then they should also trust this person's key". Other
people could then decide to trust your judgement on signing keys, and
use your signature as equivalent to their own. This is why you
shouldn't sign for export unless you *really* know what you're doing.

--
David Smith              Work Email: [EMAIL PROTECTED]
STMicroelectronics       Home Email: [EMAIL PROTECTED]
Bristol, England
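As an added example (not part of the thread above), a small Python parser over `gpg --with-colons --list-sigs` output that answers the original question for each key in a keyring: is it signed by anyone other than itself, and is each such signature exportable (made with --sign-key) or local-only (made with --lsign-key)? It relies on field 11 of a `sig` record carrying the signature class suffixed with `x` (exportable) or `l` (local); the sample records, names and key IDs below are constructed, not real keys.

```python
"""Classify signatures on each primary key in `gpg --with-colons --list-sigs` output.

A key that was merely fetched from a keyserver normally carries only its own
self-signature; third-party signatures are what --sign-key / --lsign-key add.
Field 11 of a `sig` record is the signature class plus 'x' (exportable) or
'l' (local-only). SAMPLE is constructed: fake key IDs, fake people.
"""

SAMPLE = """\
pub:u:3072:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1600000000::deadbeef::Alice Example <alice@example.test>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1600000000::::Alice Example <alice@example.test>:13x:::::2:
sig:::1:BBBBBBBBBBBBBBBB:1600100000::::Bob Example <bob@example.test>:10l:::::2:
sub:u:3072:1:AAAAAAAAAAAAAAA1:1600000000::::::e::::::23:
sig:::1:AAAAAAAAAAAAAAAA:1600000000::::Alice Example <alice@example.test>:18x:::::2:
pub:-:3072:1:CCCCCCCCCCCCCCCC:1600200000:::-:::scESC::::::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
uid:-::::1600200000::cafef00d::Fred Bloggs <fred@example.test>::::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1600200000::::Fred Bloggs <fred@example.test>:13x:::::2:
sig:::1:DDDDDDDDDDDDDDDD:1600300000::::[User ID not found]:10x:::::2:
"""


def parse_sigs(colons_output):
    """Return {keyid: {"uid": str, "self_signed": bool, "third_party": [...]}}.

    Each third_party entry is (signer_keyid, signer_uid, exportable).
    Subkey binding signatures (after a `sub` record) are ignored."""
    keys, current = {}, None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":                      # new primary key; field 5 is its key ID
            current = f[4]
            keys[current] = {"uid": "", "self_signed": False, "third_party": []}
        elif f[0] in ("sub", "ssb"):           # sigs that follow belong to the subkey
            current = None
        elif f[0] == "uid" and current and not keys[current]["uid"]:
            keys[current]["uid"] = f[9]        # first user ID, field 10
        elif f[0] == "sig" and current:
            signer, sig_class = f[4], f[10]    # signer key ID, signature class
            if signer == current:
                keys[current]["self_signed"] = True
            else:
                keys[current]["third_party"].append((signer, f[9], sig_class.endswith("x")))
    return keys


def report(keys):
    """One summary line per key: who signed it and whether it would export."""
    lines = []
    for keyid, info in keys.items():
        if not info["third_party"]:
            status = "only self-signed (what a freshly fetched key looks like)"
        else:
            status = ", ".join(f"signed by {s} ({'exportable' if x else 'local-only'})"
                               for s, _, x in info["third_party"])
        lines.append(f"{keyid} {info['uid']}: {status}")
    return lines
```

Run it on real data with `gpg --with-colons --list-sigs | python3 -c 'import sys,thismodule; ...'`, or just call `report(parse_sigs(sys.stdin.read()))`; a signer shown as "[User ID not found]" means the signing key itself is not in your keyring.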
