Sebastien, I have read many times about key signing and, if I am not wrong, it is a process that permits you to validate a key (that is, you are sure that the owner of the key is right). Then, based on the signature, you can trust the owner of the key by assigning a trust level from 1 (don't know) to 4 (I trust fully). I think trusting a user's key without signing it is not useful, as I declare that I don't know if the key is valid or not.
From gpg mini howto (http://dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.6)

"
3.6 Key signing

As mentioned before in the introduction there is one major Achilles' heel in the system. This is the authenticity of public keys. If you have a wrong public key you can say bye bye to the value of your encryption. To overcome such risks there is a possibility of signing keys. In that case you place your signature over the key, so that you are absolutely positive that this key is valid. This leads to the situation where the signature acknowledges that the user ID mentioned in the key is actually the owner of that key. With that reassurance you can start encrypting.

Using the gpg --edit-key UID command for the key that needs to be signed you can sign it with the sign command.

You should only sign a key as being authentic when you are ABSOLUTELY SURE that the key is really authentic!!!. So if you are positive you got the key yourself (like on a key signing party) or you got the key through other means and checked it (for instance by phone) using the fingerprint-mechanism. You should never sign a key based on any assumption.

Based on the available signatures and "ownertrusts" GnuPG determines the validity of keys. Ownertrust is a value that the owner of a key uses to determine the level of trust for a certain key. The values are

 * 1 = Don't know
 * 2 = I do NOT trust
 * 3 = I trust marginally
 * 4 = I trust fully

If the user does not trust a signature it can say so and thus disregard the signature. Trust information is not stored in the same file as the keys, but in a separate file.
"

--
a key is put in "trusted keys" without it is signed
https://bugs.launchpad.net/bugs/328735
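
Added example (not part of the original message, the quoted howto, or GnuPG's code): a simplified Python model of how validity is derived from signatures plus ownertrust, showing that assigning ownertrust to a key nobody has signed makes neither that key nor the keys it signed valid. The key names and keyring are constructed; the thresholds assume GnuPG's default `--completes-needed` (1) and `--marginals-needed` (3), and the model ignores expiry, revocation and certification depth limits.

```python
# Added illustration (simplified): ownertrust vs. key validity.
# Ownertrust scale as listed in the howto quoted above.
DONT_KNOW, NO_TRUST, MARGINAL, FULL = 1, 2, 3, 4

# Assumption: GnuPG's default --completes-needed and --marginals-needed values.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3

# Constructed sample keyring: key -> set of keys that signed it.
SAMPLE_SIGNATURES = {
    "alice": {"me"},      # I checked Alice's fingerprint and signed her key
    "bob": {"alice"},     # Alice signed Bob's key
    "carol": set(),       # nobody signed Carol's key
    "dave": {"carol"},    # Carol signed Dave's key
}
# Constructed ownertrust: Carol is "trusted fully" although her key is unsigned.
SAMPLE_OWNERTRUST = {"alice": FULL, "carol": FULL}


def valid_keys(my_key, signatures, ownertrust):
    """Return the set of keys this model treats as valid."""
    valid = {my_key}  # your own key is the root of the calculation
    changed = True
    while changed:  # repeat until no further key becomes valid
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature counts only if the signing key is itself valid.
            counted = [s for s in signers if s in valid]
            trust = [FULL if s == my_key else ownertrust.get(s, DONT_KNOW)
                     for s in counted]
            if (trust.count(FULL) >= COMPLETES_NEEDED
                    or trust.count(MARGINAL) >= MARGINALS_NEEDED):
                valid.add(key)
                changed = True
    return valid


if __name__ == "__main__":
    print(sorted(valid_keys("me", SAMPLE_SIGNATURES, SAMPLE_OWNERTRUST)))
```

Carol's ownertrust has no effect here because no valid key has signed hers, so her signature on Dave's key is not counted.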
