-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 30 June 2002 11:07 pm, Neil Williams wrote:
Would I have to export my public key again after signing your key?
no
If so, does the new key keep the same key ID?
yup, it just adds a certificate data block to the current key.
How does me signing your key affect your key? I've imported keys from people whose keys have been signed by other members of my public ring and the signature shows up in their imported key, even if I haven't imported the key from the people who have actually signed the key. I can't see how this works: When I import the key for A, I can see that it has been signed twice, once by someone already in my public ring, B. The other signature just gives the key ID [unknown user]. So B has signed A's key but A's key appears to have changed (otherwise I couldn't see the two signatures). How? B has signed A's key on his own computer - remote from A's computer, does the keyserver act as an intermediary??? How can A's key be changed from B's computer?
no, you email them, or copy onto cd and post ;P It depends how anal you want to be. I'd generate a key, sign it and email to my friend. He would then confirm the f/p and sign it and email it back to me. basically, there are 2 ways of signing a certificate/key - either a "local sign", or an "exportable sign"; a local sign is identical to an exportable sign except that it won't ever be exported or sent to keyservers - once it leaves your keyring, you lose the sig.
If I import a key, C, from a text file on a website rather than from the keyserver, would I miss out on signature data? (e.g. if B has also signed C's key, how can that information be included in the exported ASCII public key for C?)
it is by default. Once a key is signed by someone, that signature is part of that 'copy' of the certificate.
(BTW: Is there a problem with your fingerprint being available to anyone via the DCLUG website?)
no, not at all.
How carefully have you verified the key you are about to sign actually belongs to the person named above? If you don't know what to answer, enter "0".
(0) I will not answer. (default)
(1) I have not checked at all.

More info please: If you haven't checked it at all, is signing it worthwhile? Does that dilute the trust?
sign != trust. a key needs to be signed for it to be valid - either by someone you trust, or yourself. Even if signed trust is 0, it still makes the key valid.
Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources...)?

Is there any way of knowing how carefully someone has checked a key they have signed when signing/importing their key? (I don't want to trust other keys of people signed by someone who hasn't checked what they are signing!)
I don't think so... it's all about the trust thing - if you trust someone to make sure they check properly, then you trust them - if you don't, then don't ;)

~ Theo

- --
Theo Zourzouvillys
http://zozo.org.uk/
Don't go surfing in South Dakota for a while.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9IFBH448CrwpTn6YRAiWnAJ9vIIGr5yWp2VZtQ8wxt6W2Ot68nQCg4rbR
Q/SFL/gDOdgTqsf4onMALF0=
=ZPyb
-----END PGP SIGNATURE-----

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
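An added example, not part of the original post: the thread turns on certifications being signature packets stored inside the signed key's certificate, carrying the signer's key ID and, for a local signature, a non-exportable flag. The sketch below parses that structure assuming the v4 signature packet layout of RFC 4880; the key IDs, timestamp and helper names (`make_sig`, `exportable_only`) are constructed for illustration.

```python
import struct

SUB_EXPORTABLE, SUB_ISSUER = 4, 16   # subpacket types, RFC 4880 sec. 5.2.3.1

def subpackets(area):
    """Yield (type, data) for each subpacket in a hashed/unhashed area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:                       # two-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                           # five-octet length
            n, i = struct.unpack(">I", area[i:i + 4])[0], i + 4
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]  # mask off the 'critical' bit
        i += n

def parse_certification(body):
    """Parse a v4 signature packet body: type, issuer key ID, exportable."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature packet")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    info = {"sig_type": body[1], "issuer": None, "exportable": True}
    for area in (hashed, unhashed):
        for t, data in subpackets(area):
            if t == SUB_ISSUER:                  # 8-octet key ID of the signer
                info["issuer"] = data.hex().upper()
            elif t == SUB_EXPORTABLE:            # absent means exportable
                info["exportable"] = data != b"\x00"
    return info

def make_sig(issuer_hex, exportable):
    """Build a constructed certification body (dummy signature value)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1025481600)  # creation time
    hashed += b"" if exportable else bytes([2, SUB_EXPORTABLE, 0])
    unhashed = bytes([9, SUB_ISSUER]) + bytes.fromhex(issuer_hex)
    return (bytes([4, 0x10, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")

def exportable_only(sig_bodies):
    """Keep only the certifications that may leave the local keyring."""
    return [s for s in sig_bodies if parse_certification(s)["exportable"]]

# Constructed: two certifications on key A, one exportable and one local.
SIGS_ON_A = [make_sig("AAAAAAAAAAAAAAAA", True), make_sig("BBBBBBBBBBBBBBBB", False)]
```

The issuer field is only a key ID, which is why a signature from a key you have not imported shows up as an unknown user.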