[Bug 328735] Re: a key is put in "trusted keys" without it is signed

marco.pallotta marco.pallotta at gmail.com
Fri Feb 13 11:37:26 UTC 2009


Sebastien, I have read many times about key signing and, if I am not wrong, it is a process that permits you to validate a key (that is, you are sure that the owner of the key is the right one). Then, based on the signature, you can trust the owner of the key, assigning a trust level from 1 (don't know) to 4 (I trust fully).
I think trusting a user key without signing it is not useful, as I declare that I don't know whether the key is valid or not.

From the gpg mini howto
(http://dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.6)

"
3.6 Key signing

As mentioned before in the introduction there is one major Achilles'
heel in the system. This is the authenticity of public keys. If you have
a wrong public key you can say bye bye to the value of your encryption.
To overcome such risks there is a possibility of signing keys. In that
case you place your signature over the key, so that you are absolutely
positive that this key is valid. This leads to the situation where the
signature acknowledges that the user ID mentioned in the key is actually
the owner of that key. With that reassurance you can start encrypting.

Using the gpg --edit-key UID command for the key that needs to be signed
you can sign it with the sign command.

You should only sign a key as being authentic when you are ABSOLUTELY
SURE that the key is really authentic!!!. So if you are positive you got
the key yourself (like on a key signing party) or you got the key
through other means and checked it (for instance by phone) using the
fingerprint-mechanism. You should never sign a key based on any
assumption.

Based on the available signatures and "ownertrusts" GnuPG determines the
validity of keys. Ownertrust is a value that the owner of a key uses to
determine the level of trust for a certain key. The values are

    * 1 = Don't know
    * 2 = I do NOT trust
    * 3 = I trust marginally
    * 4 = I trust fully

If the user does not trust a signature it can say so and thus disregard the signature. Trust information is not stored in the same file as the keys, but in a separate file.
"

-- 
a key is put in "trusted keys" without it is signed
https://bugs.launchpad.net/bugs/328735
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
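The quoted howto says that GnuPG derives key validity from the available signatures together with the ownertrust values, which is the crux of the question above: ownertrust assigned to a key that is not itself valid (signed by you, or reachable from your key through other valid, trusted keys) contributes nothing to the validity of anything it has signed. The following is an added example, not code from the bug report, the howto or GnuPG; it is a small Python model of GnuPG's classic trust model using the default thresholds (3 marginals needed, 1 complete needed, certification depth 5) and a constructed keyring. It assumes a simplified rule set: no expiry or revocation, no trust signatures, and only fully valid keys lend their ownertrust to others. The key ids and the ULTIMATE value for one's own key are assumptions for the illustration.

```python
from typing import Dict, Set

# Ownertrust values as numbered in the quoted howto ("1 = Don't know" ... "4 = I trust fully").
UNKNOWN, NEVER, MARGINAL, FULL = 1, 2, 3, 4
# gpg additionally marks your own keys "ultimate"; that level is assumed here, it is not in the howto's list.
ULTIMATE = 5

# GnuPG defaults (--marginals-needed, --completes-needed, --max-cert-depth).
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5


def compute_validity(signatures: Dict[str, Set[str]],
                     ownertrust: Dict[str, int]) -> Dict[str, str]:
    """Return key id -> 'full' | 'marginal' | 'unknown'.

    signatures: key id -> ids of the keys that carry a certification signature on it.
    ownertrust: key id -> ownertrust value (keys not listed are UNKNOWN).
    Simplified model: ultimately trusted keys are valid by definition; only keys that
    are themselves fully valid can lend their ownertrust to the keys they signed.
    """
    validity = {k: "unknown" for k in list(signatures) + list(ownertrust)}
    # Keys under our own control are the roots of the web of trust.
    for key, trust in ownertrust.items():
        if trust == ULTIMATE:
            validity[key] = "full"

    # Each round corresponds to one certification depth.
    for _depth in range(MAX_CERT_DEPTH):
        newly_full = {}
        for key, signers in signatures.items():
            if validity[key] == "full":
                continue
            full_signers = 0
            marginal_signers = 0
            for signer in signers:
                # Self-signatures and signatures from non-valid keys are ignored:
                # this is why ownertrust on an unsigned key has no effect.
                if signer == key or validity.get(signer) != "full":
                    continue
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (FULL, ULTIMATE):
                    full_signers += 1
                elif trust == MARGINAL:
                    marginal_signers += 1
            if full_signers >= COMPLETES_NEEDED or marginal_signers >= MARGINALS_NEEDED:
                newly_full[key] = "full"
            elif marginal_signers > 0:
                validity[key] = "marginal"  # usable, but never a trust root itself
        if not newly_full:
            break
        validity.update(newly_full)
    return validity


# Constructed keyring for the demonstration (all ids are made up).
SIGNATURES = {
    "alice": {"me"},
    "bob": {"alice"},
    "carol": {"dave"},      # dave has full ownertrust but nobody has signed dave
    "dave": set(),
    "frank": {"me"}, "grace": {"me"}, "heidi": {"me"},
    "erin": {"frank", "grace", "heidi"},   # three marginal introducers
    "ivan": {"frank"},                     # only one marginal introducer
}
OWNERTRUST = {
    "me": ULTIMATE,
    "alice": FULL,
    "dave": FULL,
    "frank": MARGINAL, "grace": MARGINAL, "heidi": MARGINAL,
}


def demo() -> Dict[str, str]:
    """Validity of every key in the constructed keyring."""
    return compute_validity(SIGNATURES, OWNERTRUST)


if __name__ == "__main__":
    for key, verdict in sorted(demo().items()):
        print(f"{key:6} {verdict}")
```

Running it shows carol and dave as unknown even though dave carries full ownertrust: the trust value is never consulted because dave's key was never signed, which matches the point made in the message. Signing dave with your own key (adding "me" to dave's signatures) makes dave fully valid and, one round later, carol fully valid as well.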