[Enigmail] Hello, signature test

LeRoy Cressy ldc at lrcressy.com
Sun Sep 7 08:53:44 PDT 2008



Robert J. Hansen wrote:
> John W. Moore III wrote:
>> All 'Untrusted' means is that I haven't conferred any 'Trust' on Your
>> Key because, well, I don't trust You just because You have a Key and a
>> properly configured GnuPG configuration.
> 
> John is right -- nothing I say here is going to disagree with him.  It's
> just going to explain him.
> 
> Signatures are the most subtle and most error-prone part of GnuPG.  For
> a signature to be meaningful, the following has to take place:
> 
> 1.  The signature must be mathematically correct
> 2.  You must know the signing key really belongs to such a person
> 3.  You must trust the person the signing key belongs to
> 
> All GnuPG can do for you is step 1.  Steps 2 and 3 are mostly up to you.
> 
> As an example, imagine that you received a signed email, and the name on
> the key was "George W. Bush <w at whitehouse.gov>".  Would you believe it
> came from the President, or would you say "hey, anyone can make a key
> and claim it belongs to the President.  I need to do some checking"?
> 
> This email is signed.  The name on the key is "Robert J. Hansen".
> Should you believe that I'm really Robert J. Hansen?
> 
> The way we get around this is verify our keys.  If you were to meet me
> in person, if I were to let you see my passport, if I were to tell you
> the cryptographic hash of my key, would you then believe your copy of my
> key really belonged to me?  Probably so -- we would then say you have
> verified my key.

All of the above leads to key signing.
Some people sign every key that they have and that is not such a good idea.

Key signing happens when you meet an individual or at a computer group
that knows and uses GnuPG or OpenPGP.  You exchange public keys after
verifying that the person is who they say they are by examining their
passport, driver's license, etc.  You can use gpg-key2ps, located in
the signing-party package, to print out your keyID, fingerprint, sub
keys and related info in the following format.

pub 1024 D/8501AFEA 2003-01-03 LeRoy D. Cressy (ldc) <ldc at lrcressy.com>
Key fingerprint =  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA
uid           LeRoy D. Cressy (ldc) <leroy at lrcressy.com>
sub 2048 g/B16A47D6  2003-01-03
sub 2048 g/FBF1253E  2004-02-08  [revoked]
sub 4096 R/86B08B2A  2005-08-07
sub 4096 R/F4988EE7  2005-08-13  [revoked]
sub 2048 R/758866DB  2008-08-21
sub 4096 R/076CB5B6  2008-08-21

After you get home from your key signing party with the other people's
keys that you have agreed to sign, you need to fetch the other person's
key from a keyserver using

gpg --recv-keys 0x12345678

Now you need to edit the person's key that you are signing with

gpg --edit-key 0x12345678
	uid 1  (Make sure that you select all uid's that are on the key)
	sign   (gpg will ask you for your pass phrase and how much you
		trust the person in signing other keys.)

gpg -a --export 0x12345678 > filename.asc

Email the signed key (filename.asc) to the key's owner.  (You should not
post the signed key to a keyserver.)

When you receive your own key from someone who signed your key you need
to import the signed key to your keyring.

gpg --import yourkey.asc

GnuPG will add only the changes to your key.

After you have imported all of your returned signed public keys then you
should send your key to your favorite key server.

gpg --send-keys 0x12345678

After you have signed someone's key, when you receive an email from that
person you will see "good signature from" instead of "UNTRUSTED good
signature from".

The more people that sign your key, the more trustworthy your key is
to others.  For instance, if you know Jack, and Jack has signed Jill's
key, then you might have a greater degree of trust when you receive a
message from Jill though you have not signed her key.

The total concept of the web of trust is a little complex for a new user
of GnuPG, but when you think about the above example, you can see how it
works.

I hope that this helps :-)


-- 
 Rev. LeRoy D. Cressy  mailto:leroy at lrcressy.com   /\_/\
                       http://lrcressy.com        ( o.o )
                       Phone:  215-535-4037        > ^ <

gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

For info on enigmail:    http://lrcressy.com/linux/mozilla.pdf
For info on gpg:         http://www.gnupg.org/

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
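The post's after-the-party procedure (fetch, edit/sign, export, email), as an added shell example that is not part of the original post: it refuses to sign unless the fingerprint fetched from the keyserver matches the one you checked against the owner's paper slip. The key ID 0x12345678 and filename.asc are the post's placeholders; fpr_matches and sign_verified_key are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): sign a key only after the
# fingerprint on the fetched key matches the one verified on paper at the
# signing party. 0x12345678 / filename.asc are placeholders from the post.

# Canonicalise a fingerprint as written on a paper slip: drop whitespace
# and a leading 0x, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Return 0 when both strings denote the same full (40 hex digit, v4)
# fingerprint, 1 otherwise. A bare 8-digit key ID is never accepted,
# because key IDs are far easier to collide than full fingerprints.
fpr_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Fetch the key, compare its fingerprint (field 10 of gpg's 'fpr' record
# in --with-colons output) with the paper slip, then sign and export the
# result for e-mailing to the owner, as the post describes.
# Usage: sign_verified_key 0x12345678 "62DE 6CAB ... AFEA" filename.asc
sign_verified_key() {
    keyid=$1; paper_fpr=$2; outfile=$3
    gpg --recv-keys "$keyid" || return 1
    ring_fpr=$(gpg --with-colons --fingerprint "$keyid" \
               | awk -F: '$1 == "fpr" { print $10; exit }')
    if ! fpr_matches "$ring_fpr" "$paper_fpr"; then
        echo "fingerprint mismatch for $keyid: not signing" >&2
        return 1
    fi
    gpg --sign-key "$keyid" || return 1    # asks for your passphrase
    gpg -a --export "$keyid" > "$outfile"  # mail this file, do not upload it
}
```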
