
[OCLUG-Tech] Re: [oclug] building a web of trust -- informal key signing

  • Subject: [OCLUG-Tech] Re: [oclug] building a web of trust -- informal key signing
  • From: Adrian Irving-Beer <wisq-oclug [ at ] wisq [ dot ] net>
  • Date: Thu, 7 Sep 2006 16:52:39 -0400
On Sun, Sep 03, 2006 at 01:32:32PM -0400, Bart Trojanowski wrote:

> On behalf of the attendees, thank you Adrian for your OCLUG tutorial
> on how to use GnuPG for securing email.

No problem.  Was a fun experience, if a bit stressing due to
inexperience. :)

I'll post a URL to my presentation and notes within a week or so.
They're a bit raw, but they contain the key points.  Also, I'll
post mutt integration details and a quick description of PGP/MIME
vs. inline PGP, since these were the two topics we didn't have
time to cover.

> When you go home you will retrieve their key from the internet,
> verify the fingerprint and sign them.
>
>         gpg --recv-key <their key id>
>         gpg --edit-key <their key id>

Interesting tidbit I discovered today:

Halfway through signing keys, I was looking through the output of the
"check" subcommand (while doing "--edit-key") and the output of
"--list-sigs".  I wondered what the numbers were for, and the manpage
explained that these are an indication of how extensively you've
checked the ID of the person in question.

The default is zero, which is no claim on how carefully you've
checked.  One means no checking (only a belief that the person is
genuine); two means casual checking (fingerprint + photo ID); three
means extensive checking (fingerprint + hard-to-forge photo ID +
e-mail exchanged with address).

Note that this is how much you trust the person is who they say they
are, *not* how much you trust them to do the same checks on other
people.  That's set by the "trust" command, later.

Most of us are probably signing with zero, which is fine and is
basically considered the same as two by the trust model.  But if
you're interested in qualifying how much you've checked the person's
ID, you can add the lines

        ask-cert-level
        default-cert-level 2

(or some other default) to your gpg.conf.  That will ask you how hard
you've checked when you use the "sign" command in "--edit-key".

Most of us probably did level two verification, unless we carefully
checked the ID and verified the e-mail address later.

Unfortunately, short of deleting signatures and going back to do them
again, I'm not sure how to change my zeroes into twos, but it's
probably not a big deal.  A large portion of signatures out there are
level zero anyway.

Just an FYI to anyone interested.  I'm surprised this isn't set by
default; I would have appreciated the extra nagging. :)  (I seem to
recall the old PGP tool asking this by default, too.)

It also gives me something to aspire to for the next keysigning.
I'll have to read up on how to check for forged IDs. ;)

My thanks to Bart (on behalf of all involved) for arranging the
keysigning.
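The certification levels described in this message can be audited after the fact: in `gpg --with-colons --list-sigs` output the signature class of each `sig` record (field 11, hex class followed by `x` for exportable or `l` for local) encodes the level as 0x10 to 0x13. The following script is an added example, not part of the original message; the key IDs, user IDs and colon-format lines in `SAMPLE` are constructed, and `gpg_list_sigs()` is an assumed helper for fetching real output.

```python
#!/usr/bin/env python3
"""Report certification levels of signatures in gpg --with-colons output."""
import subprocess
from typing import List, Tuple

# Cert levels as the message describes them (signature class 0x10 + level).
CERT_LEVELS = {
    0: "no claim about how carefully the ID was checked",
    1: "no checking (only a belief that the person is genuine)",
    2: "casual checking (fingerprint + photo ID)",
    3: "extensive checking (fingerprint + hard-to-forge ID + e-mail)",
}

# Constructed sample: Alice's key, self-signed at level 3 (class 0x13) and
# certified by Bob at level 0 (class 0x10), as most keysigning sigs are.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1157000000::::::scESC::::::23::0:
uid:u::::1157000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1157000000::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:BBBBBBBBBBBBBBBB:1157600000::::Bob Example <bob@example.org>:10x:::::2:
"""


def parse_sigs(colon_output: str) -> List[Tuple[str, str, int, bool]]:
    """Return (user id, signer key id, cert level, exportable) per sig record."""
    current_uid, sigs = "", []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            current_uid = f[9]              # field 10: the user ID string
        elif f[0] == "sig" and len(f) > 10 and len(f[10]) >= 3:
            sig_class = int(f[10][:2], 16)  # field 11: class as two hex digits
            if 0x10 <= sig_class <= 0x13:   # only certification signatures
                sigs.append((current_uid, f[4], sig_class - 0x10,
                             f[10].endswith("x")))
    return sigs


def level_zero_sigs(colon_output: str, my_keyid: str) -> List[str]:
    """User IDs that my_keyid certified at level 0 (candidates for re-signing)."""
    return [uid for uid, signer, level, _ in parse_sigs(colon_output)
            if signer == my_keyid and level == 0]


def gpg_list_sigs(keyid: str) -> str:
    """Assumed helper: fetch machine-readable sigs for a key (not run offline)."""
    return subprocess.run(["gpg", "--with-colons", "--list-sigs", keyid],
                          capture_output=True, text=True, check=True).stdout
```

Running `level_zero_sigs(gpg_list_sigs("<their key id>"), "<your key id>")` lists the user IDs you signed without stating a level, which is the list you would revisit with `ask-cert-level` enabled.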
