trusting public keys

Björn Persson listor1.rombobeorn at comhem.se
Sun Sep 19 13:32:47 UTC 2004


Jeff Lee wrote:

> Would it be a safe bet for me to go ahead and mark people that I receive email 
> from on this list as trusted with gnupg?  I realize that I shouldn't *sign* 
> the key without meeting people or thoroughly checking out their identity.  
> However, as far as I'm concerned you all should match your email addresses 
> that you're posting with.

Make sure you understand the difference between a trusted person and a 
valid key. The ownertrust values are used when calculating how valid 
keys are. Someone's signature on a key can make the key valid, but only 
if you trust the person who signed it. So you mark a person as trusted 
if you're confident that he/she has no malicious intent and that he/she 
knows to check that a key is authentic before signing it.

To be able to verify that one email is from the same person as another 
email, signing the key is what you want to do. I suggest that you make a 
non-exportable signature (that is, for your own use only), and when 
asked how well you have checked the key you choose "1", which is 
recommended for pseudonyms.

Björn Persson
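
The distinction between a trusted person and a valid key described in the reply above, as an added example that is not part of the original post: a simplified Python model of GnuPG's classic trust model. It assumes the default thresholds (one fully trusted or three marginally trusted signers make a key valid) and does not model certification depth or level, expiry or revocation; the key names are constructed.

```python
# Added example: simplified model of GnuPG's classic trust model.
# Assumed defaults: 1 fully trusted or 3 marginally trusted signers make a key valid.
# Not modelled: certification depth and level, expiry, revocation.
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 3

def valid_keys(own_key, signatures, ownertrust):
    """signatures: set of (signer, signed_key) pairs.
    ownertrust: {key: FULL or MARGINAL}; unlisted keys have no ownertrust.
    Returns the set of keys the model considers valid."""
    valid = {own_key}
    changed = True
    while changed:
        changed = False
        for key in {signed for _, signed in signatures} - valid:
            # A signature only counts if the signing key is itself valid.
            signers = {s for s, k in signatures if k == key and s in valid}
            full = sum(1 for s in signers
                       if s == own_key or ownertrust.get(s) == FULL)
            marginal = sum(1 for s in signers if ownertrust.get(s) == MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid

# Constructed key names: ME is your own key, POSTER is a list member,
# THIRD is a key that POSTER has signed.
SIGS_FROM_POSTER = {("POSTER", "THIRD")}

def scenarios():
    return {
        # Ownertrust alone: POSTER's key is not valid, so its signatures are ignored.
        "trust_only": valid_keys("ME", SIGS_FROM_POSTER, {"POSTER": FULL}),
        # Signing POSTER's key makes it valid, but does not vouch for THIRD.
        "sign_only": valid_keys("ME", SIGS_FROM_POSTER | {("ME", "POSTER")}, {}),
        # Signing and trusting: POSTER's signature now validates THIRD too.
        "sign_and_trust": valid_keys(
            "ME", SIGS_FROM_POSTER | {("ME", "POSTER")}, {"POSTER": FULL}),
    }

if __name__ == "__main__":
    for name, keys in scenarios().items():
        print(f"{name:15} valid keys: {sorted(keys)}")
```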




