Signing a key?

Bill

05 Aug, 2012 04:07 PM

Confused a little:
When I download/import a key from someone, I am supposed to sign it, right?

  1. Support Staff 1 Posted by Steve on 10 Aug, 2012 07:08 PM

    Hey Bill, I'm working on an FAQ about Web of Trust and key signing. It's not ready yet so I'm copy pasting what I have so far:

    If you have no clue what the web of trust is, the best starting point is the corresponding Wikipedia article. I'd suggest that as a starting point.

    If you're more the tl;dr type of person, here's a short explanation by Phil Zimmermann in the 1992 manual for PGP version 2.0:

    -- "As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys."

    Important: No, you should not sign every single key you have in your keychain.

    Does that help already? Key signing is done via GPG Keychain Access and there in the key inspector.

    Let me know if that info is sufficient or if you need more advice.

    All the best,
    steve


    Please consider a donation. We do all this in our spare time.

  2. 2 Posted by Bill on 11 Aug, 2012 03:32 AM

    Ok, so I would only sign a key that I am absolutely sure of the identity of the key owner.

  3. Support Staff 3 Posted by Steve on 12 Aug, 2012 04:23 PM

    Hey Bill,
    no, that's also not the case. Open GPG Keychain Access and double-click the key you'd like to sign. Then go to the second tab (User-IDs), then in the bottom field click "+". There you can also choose the level on which you checked the identity. So you can also set that to "I didn't really check anything" but then the question is, why you would wanna sign the key.

    So as you see, it's like grey colors. Neither white nor black and no simple answer.

    But having your friends sign your key and signing theirs is in general a good idea.

    Cheerios,
    steve

  4. Support Staff 4 Posted by Steve on 24 Aug, 2012 04:49 PM

    No further user feedback. Closing.

    @Bill: Should your problem persist, feel free to re-open this discussion any time.

    All the best,
    steve

  5. Steve closed this discussion on 24 Aug, 2012 04:49 PM.
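
The check level chosen when signing (reply 3) is stored in the signature as its OpenPGP signature class, so it can be read back from a key listing. The following is an added example, not code from this thread or from GPGTools: it parses `gpg --list-sigs --with-colons` output and reports each third-party certification with its level. The listing, key IDs and names are constructed, and the `min_level=2` default is an assumption mirroring GnuPG's documented `--min-cert-level` default, under which level 1 signatures are disregarded and level 0 is always accepted.

```python
# Added example: classify certification signatures by check level from
# `gpg --list-sigs --with-colons` output. The sample listing is constructed.

# OpenPGP certification signature classes (RFC 4880) and the check level
# GnuPG associates with each one.
CERT_LEVELS = {
    0x10: (0, "no particular claim"),
    0x11: (1, "not checked at all"),
    0x12: (2, "casual checking"),
    0x13: (3, "very careful checking"),
}

# Constructed listing: one key with a self-signature and three certifications.
SAMPLE = """\
pub:-:2048:1:1111111111111111:1344182820:::-:::scESC:
uid:-::::1344182820::0000::Bill (constructed) <bill@example.invalid>:
sig:::1:1111111111111111:1344182820::::Bill (constructed) <bill@example.invalid>:13x:
sig:::1:2222222222222222:1344625680::::Steve (constructed) <steve@example.invalid>:12x:
sig:::1:3333333333333333:1344700000::::Carol (constructed) <carol@example.invalid>:11l:
sig:::1:4444444444444444:1344800000::::Dave (constructed) <dave@example.invalid>:10x:
"""

def certifications(colon_listing, min_level=2):
    """Return one dict per third-party certification on the listed key."""
    owner, found = None, []
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            owner = f[4]  # field 5: key ID of the key being listed
        elif f[0] == "sig" and len(f) > 10 and len(f[10]) == 3:
            # field 11: two hex digits of signature class + 'x' or 'l'
            sig_class, scope = int(f[10][:2], 16), f[10][2]
            if sig_class not in CERT_LEVELS or f[4] == owner:
                continue  # skip self-signatures and non-certifications
            level, meaning = CERT_LEVELS[sig_class]
            found.append({
                "signer": f[4], "level": level, "meaning": meaning,
                "exportable": scope == "x",  # 'l' means local-only
                # level 0 always counts; levels below min_level do not
                "counted": level == 0 or level >= min_level,
            })
    return found

if __name__ == "__main__":
    for cert in certifications(SAMPLE):
        print(cert)
```
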
