[Enigmail] Signing a Public Key
Faramir
faramir.cl at gmail.com
Wed Nov 19 10:03:28 PST 2008
Hi!
Carlos Williams wrote:
> I am confused as to the signing a public key process. My coworker and
> I both exchanged public keys locally on our machines and
> they're listed in Enigmail. Now in order to have a proper trust, am I
> using my personal key for signing?
Right. Each time you sign something, you are using your private key to
make the signature. And when you sign a public key (a key belonging to
another person), you are required to answer a few questions:
1.- How carefully have you verified that the key you are going to sign
belongs to the person(s) named above? (That means: are you sure the key
belongs to the guy you think it belongs to, and how sure are you that
the guy is really named that way?)
If you choose "I will not answer", you are saying you don't care too
much about that (each time I have answered that, I couldn't complete the
signing process).
"I have not checked it at all": well, I am not sure whether I have been
able to sign a key after answering that, but if you have not checked,
there is no point in signing it, IMHO.
"I have done casual checking". It means something like: "I have
checked it somehow, but I didn't get the key in a face-to-face meeting".
Let's say I received a message from somebody saying his name is George
W. Bush. I can reply with an encrypted message, to the email address he
provided, and if he can reply to the message (answering a question I sent
him in the encrypted message), I can know that the person in control of the
email account is also in control of that key. But I don't know whether I am
talking with the President of the USA, or with somebody impersonating him.
And I suppose there is always a small chance of a Man in the
Middle attack (I send the message, encrypted to the MitM's key; he
receives it, decrypts it, encrypts it to my intended recipient's key, and
sends him the message... or maybe he replies to me...). I think this
answer is useful for signing keys bound to a nickname, instead of a real
name... but that is just MY opinion...
"I have done very careful checking". Usually, that means you received
the key ID and fingerprint in a "secure" way (probably handed over by hand
by the key owner), and you have also checked the key owner's identity...
Or at least, that is an interpretation of that option...
Please consider that OpenPGP gives you these options to provide several
levels of "how sure are you about...", but it doesn't tell you
what casual checking is, or what "careful checking" means... It is
up to you to decide how careful is "careful"... and how casual is
"casual". Usually, I try to use the commonly accepted levels of
verification (well, what _I think_ are the commonly accepted levels of
verification), since I don't want other people to think "this guy signs
everything that comes into his hands... as if he were signing autographs".
And that brings us to the last option available in that screen: the
Local Signature checkbox. If you select that option, your signature
won't be exported, even if you upload the signed key to a keyserver... I
think it is the most useful option, since it allows me to fully trust
the key, but at the same time, it doesn't let other people see what I
think about that key... so nobody will say "hey, I trusted that key
because I saw Faramir.cl had signed it, and now I discovered it was a
fake identity..." (well, I don't think people would trust a key just
because I have signed it, but you know what I mean).
I will use my key as an example. If "BOB" signs my key, other people
could think "ah, since I trust BOB's signatures, no doubt that key belongs
to Faramir, son of Denethor, Seneschal of Gondor... and to think I
always thought he was just a fictional character...". But maybe what BOB
tried to show, when he signed my key, was "I trust that key belongs to
Faramir.cl, a guy I have just seen writing in GPG related lists -in
fact, maybe he is not a guy, but a very intelligent ape- but I really
think this key belongs to whoever is writing these messages."
Local signatures also have some disadvantages: if BOB has exchanged a
lot of encrypted messages with me, he could be reasonably sure I have
control of the key, and with a level 2 signature (the "casual checking"
option), he could let other people know he has checked that I can read and
reply to encrypted messages sent to me, even if he is still unsure I am not
an ape...
By the way, you can learn more about OpenPGP if you join the GnuPG-users
list, or the PGP-Basic list (that one is an email list on yahoogroups.com).
But I am not saying you should not ask this kind of question on this
list; I am nobody to opine on that matter. I would give you the
addresses to join those lists, but I really don't remember them right now...
Best Regards
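An added example, not part of Faramir's post nor of Enigmail's own code: a small shell function that reads the machine-readable signature listing GnuPG produces for a key and maps each certification back to the four "how carefully have you verified" answers and the Local Signature checkbox discussed above. The listing below is a constructed sample of `gpg --with-colons --list-sigs` output; the key IDs and addresses in it are made up.

```shell
#!/bin/sh
# How the dialog answers end up on the key (per RFC 4880 / GnuPG):
#   "I will not answer"            -> class 0x10  (gpg --ask-cert-level, answer 0)
#   "I have not checked it at all" -> class 0x11  (answer 1)
#   "I have done casual checking"  -> class 0x12  (answer 2)
#   "I have done very careful checking" -> class 0x13 (answer 3)
# The Local Signature checkbox corresponds to `gpg --lsign-key KEYID`; such a
# certification is flagged non-exportable and is left out of `gpg --export`.
# `gpg --with-colons --list-sigs KEYID` shows the class in field 11 of each
# "sig" record, followed by "x" (exportable) or "l" (local only).

# Constructed sample listing (fictitious key IDs and addresses, not a real key).
SAMPLE_LISTING='pub:u:2048:1:0123456789ABCDEF:1226000000::::::scESC::::::23::0:
uid:u::::1226000000::0000000000000000000000000000000000000000::Faramir <faramir@example.invalid>::::::::::0:
sig:::1:0123456789ABCDEF:1226000000::::Faramir <faramir@example.invalid>:13x:::::::2:
sig:::1:FEDCBA9876543210:1226100000::::BOB <bob@example.invalid>:12x:::::::2:
sig:::1:1111222233334444:1226200000::::Carlos <carlos@example.invalid>:10l:::::::2:'

# describe_sigs: reads a --with-colons listing on stdin and prints one line per
# certification: signer key ID, signer user ID, checking level, exportability.
describe_sigs() {
  awk -F: '$1 == "sig" {
    class = substr($11, 1, 2); flag = substr($11, 3, 1)
    if      (class == "10") level = "generic (no answer / not stated)"
    else if (class == "11") level = "persona (not checked at all)"
    else if (class == "12") level = "casual checking"
    else if (class == "13") level = "very careful checking"
    else                    level = "unknown class " class
    scope = (flag == "l") ? "local, not exported" : "exportable"
    printf "%s signed by %s: %s [%s]\n", $5, $10, level, scope
  }'
}

# Run it over the constructed sample; replace the sample with real gpg output
# via:  gpg --with-colons --list-sigs KEYID | describe_sigs
printf '%s\n' "$SAMPLE_LISTING" | describe_sigs
```

The self-signature on the first line is what the key's own user ID carries; the "l" on Carlos's certification is the only visible difference between a checkbox-style local signature and one that would travel to a keyserver.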