On Sun, Sep 03, 2006 at 01:32:32PM -0400, Bart Trojanowski wrote:
> On behalf of the attendees, thank you Adrian for your OCLUG tutorial
> on how to use GnuPG for securing email.

No problem. Was a fun experience, if a bit stressful due to inexperience. :)

I'll post a URL to my presentation and notes within a week or so. They're a bit raw, but they contain the key points. Also, I'll post mutt integration details and a quick description of PGP/MIME vs. inline PGP, since these were the two topics we didn't have time to cover.

> When you go home you will retrieve their key from the internet,
> verify the fingerprint and sign them.
>
>     gpg --recv-key <their key id>
>     gpg --edit-key <their key id>

Interesting tidbit I discovered today:

Halfway through signing keys, I was looking through the output of the "check" subcommand (while doing "--edit-key") and the output of "--list-sigs". I wondered what the numbers were for, and the manpage explained that these are an indication of how extensively you've checked the ID of the person in question. The default is zero, which is no claim on how carefully you've checked. One means no checking (only a belief that the person is genuine); two means casual checking (fingerprint + photo ID); three means extensive checking (fingerprint + hard-to-forge photo ID + e-mail exchanged with address).

Note that this is how much you trust the person is who they say they are, *not* how much you trust them to do the same checks on other people. That's set by the "trust" command, later.

Most of us are probably signing with zero, which is fine and is basically considered the same as two by the trust model. But if you're interested in qualifying how much you've checked the person's ID, you can add the lines

    ask-cert-level
    default-cert-level 2

(or some other default) to your gpg.conf. That will ask you how hard you've checked when you use the "sign" command in "--edit-key".

Most of us probably did level two verification, unless we carefully checked the ID and verified the e-mail address later. Unfortunately, short of deleting signatures and going back to do them again, I'm not sure how to change my zeroes into twos, but it's probably not a big deal. A large portion of signatures out there are level zero anyway.

Just an FYI to anyone interested. I'm surprised this isn't set by default; I would have appreciated the extra nagging. :) (I seem to recall the old PGP tool asking this by default, too.) It also gives me something to aspire to for the next keysigning. I'll have to read up on how to check for forged IDs. ;)

My thanks to Bart (on behalf of all involved) for arranging the keysigning.
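An added example, not part of the mail above or of GnuPG itself: a small shell script that reads the machine-readable `gpg --with-colons --list-sigs` output and reports the certification level each signer claimed, which is the quickest way to find out how many of your existing signatures went out at level zero. The key IDs and user IDs in the sample are constructed; the field layout follows GnuPG's colon format, where field 11 of a "sig" record is the signature class (0x10 to 0x13 for the four user-ID certification levels).

```shell
#!/bin/sh
# Added example (not from the original mail): summarise the certification
# level (0-3) of each signature on a key, from
#     gpg --with-colons --list-sigs <key id>
# In a "sig" record the 11th colon-separated field is the signature class,
# e.g. "12x": 0x10..0x13 are the generic/persona/casual/positive UID
# certifications, so the last digit is the level the mail describes.

# Print "<level> <signer key id> <user id>" for each UID certification.
cert_levels() {
    awk -F: '$1 == "sig" && $11 ~ /^1[0-3][xl]$/ {
        print substr($11, 2, 1), $5, $10
    }'
}

# Human-readable name of a certification level, as in gpg(1).
level_name() {
    case "$1" in
        0) echo "no particular claim" ;;
        1) echo "persona: not checked" ;;
        2) echo "casual checking" ;;
        3) echo "extensive checking" ;;
        *) echo "unknown" ;;
    esac
}

# Number of UID certifications at the given level in the colon output on stdin.
count_level() {
    cert_levels | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# Constructed sample (not real keys): one key, one user ID, a level-3
# self-signature and three third-party certifications at levels 0, 1 and 2.
SAMPLE_SIGS='pub:u:4096:1:0123456789ABCDEF:1157310000::::::scESC::::::
uid:u::::1157310000::0000000000000000000000000000000000000000::Adrian Example <adrian@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1157310000::::Adrian Example <adrian@example.org>:13x::::::::::
sig:::1:89ABCDEF01234567:1157400000::::Bart Example <bart@example.org>:10x::::::::::
sig:::1:FEDCBA9876543210:1157400000::::Carol Example <carol@example.org>:11x::::::::::
sig:::1:0011223344556677:1157400000::::Dave Example <dave@example.org>:12x::::::::::'

# Report level, its name and the signer for every certification in the sample.
printf '%s\n' "$SAMPLE_SIGS" | cert_levels | while read -r level signer uid; do
    printf 'level %s (%s) by %s: %s\n' "$level" "$(level_name "$level")" "$signer" "$uid"
done
```

Replace the sample with real output piped from gpg to audit your own keyring; with GnuPG's default min-cert-level of 2, the level-1 signature in the sample is the one the trust database would disregard.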