On Sunday 21 August 2005 11:56 pm, Julian Hall wrote:
> Neil Williams wrote:
> >All done, thanks.
>
> Hi All,
>
> I've set up GPG tonight (Thanks Neil for your help with that!), but one
> thing puzzles me. In Thunderbird I get "UNTRUSTED good signature
> from" whoever.

1. Good - this means that the signature has not been altered.
2. Untrusted - you haven't yet met that person and verified the physical person behind the email address and key.
3. There are two levels of trust with a key - calculated and personal.

"Yellow" basically means that you have a good identification of the signature but no identification of the person BEHIND the signature.

This is why keysigning is a part of all DCGLUG meetings - it's only when you've got signatures on your key that you get the best out of gpg itself.

> I have been through the keys I've picked up from the
> LUG mails lately and set them all to TRUSTED on my system, so I'm a
> bit puzzled as to why it should still say "UNTRUSTED" when I've told
> it to trust them?

Calculated trust comes from key signatures. Personal trust relates to how you trust that PERSON to verify others properly before signing.

So Calculated trust relates to signatures ON that key, Personal Trust relates to signatures made BY that key.

Gpg ignores the personal trust unless the calculated trust is already set to fully trusted.

Signatures will continue to be "yellow" until you have got a signature from someone else on your key. As soon as there's a meeting that you can get to, we can arrange that and then the majority of signatures will go "green" for trusted. One signature often brings lots of keys into a situation of trust because of the web.

Each signature you receive brings you closer into a web of trust - see the dclug keyring image for an example:
http://www.dcglug.org.uk/linux_uk/dclugkeyring.png

The more signatures exist between people within the same group of the web, the closer they will be to the centre and the lighter the colour will be for their key.

A fuller example is my own web - created from all signatures on my key including from outside the lug:
http://gnupg.neil.williamsleesmill.me.uk/personal.png

That's a larger image but it clearly shows how the web of trust is often made up of groups of well connected individuals and how those groups are then linked together to form larger groups. These cross-group links often occur at exhibitions, conferences and other such events. Look out for the Debian stand at any Linux exhibition and you'll find many people willing to verify your key and sign it. So make sure you take printed copies of your fingerprint (on a business card if possible) AND your passport / new driving licence to any Linux event.

The net result, because of organisations like Debian and FSF, is that there is a single strong set (of which our little group is one part). Any key in this strong set can be reached from any other key via the signatures. The more routes are possible and the shorter those routes are, the stronger that key is in the overall strong set.

-- 
Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
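
The strong-set idea described in the message above, as an added example that is not part of the original email: it finds the largest group of keys in which every key can reach every other through signatures, then ranks the members by mean shortest path length. The keyring, key names and function names are all constructed for illustration.

```python
from collections import deque

# Constructed sample keyring: SIGS[signer] = keys that signer has signed.
SIGS = {
    "alice": {"bob", "carol"},
    "bob":   {"alice", "carol"},
    "carol": {"alice", "dave"},
    "dave":  {"bob", "frank"},
    "erin":  {"alice"},   # has signed a key, but nobody has signed erin
    "frank": set(),       # has been signed, but has signed nobody
}

def hops(graph, start):
    """Breadth-first search: shortest signature-chain length from start."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        key = queue.popleft()
        for nxt in graph.get(key, ()):
            if nxt not in dist:
                dist[nxt] = dist[key] + 1
                queue.append(nxt)
    return dist

def reverse(sigs):
    """Flip every edge: result[key] = keys that have signed it."""
    rev = {k: set() for k in sigs}
    for signer, signed in sigs.items():
        for key in signed:
            rev.setdefault(key, set()).add(signer)
    return rev

def strong_set(sigs):
    """Largest group in which every key reaches every other key."""
    rev, best = reverse(sigs), set()
    for key in sigs:
        # Keys reachable from `key` AND able to reach `key`.
        group = set(hops(sigs, key)) & set(hops(rev, key))
        if len(group) > len(best):
            best = group
    return best

def mean_shortest_distance(sigs, key, members):
    """Average chain length from each other member to `key` (lower = stronger)."""
    to_key = hops(reverse(sigs), key)
    others = [m for m in members if m != key]
    return sum(to_key[m] for m in others) / len(others) if others else 0.0

if __name__ == "__main__":
    members = strong_set(SIGS)
    for k in sorted(members, key=lambda m: mean_shortest_distance(SIGS, m, members)):
        print(k, round(mean_shortest_distance(SIGS, k, members), 2))
```

In this sample erin and frank fall outside the strong set because the signatures involving them only go one way, and dave scores weakest inside it because only one member has signed his key.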