On Monday 11 February 2008, Patrick Holthaus wrote:
> Hi and thanks for the reply!
>
> > I use hkp://subkeys.pgp.net as my default keyserver and do not seem to
> > have such a problem (unless I open a new message offline, which has a new
> > key that has not been imported yet from the keyserver).
>
> I changed the default server to the one you use. It seems to work now.
> gpg --refresh-keys had an error with the MIT server and it works with
> yours.
>
> Nevertheless I have to set the trust to ultimately of each imported key in
> KGPG, right?
>
> Patrick

NO! Only if you trust the guy who owns the key. That trust can only be gained if you have verified (in person) that he is the owner of the registered email address and pgp key! Otherwise, the whole principle of "Web of Trust" falls apart. That's what the key exchange meetings are all about.

Now, you can't meet everyone in person who has a pgp key, right? But if you have verified that Bob is who he says he is and his key matches up to his email address, and Bob has gone through the same process with Fred, then by implication you may choose to also trust Fred and any others that Bob has verified. For obvious reasons you may choose to mark Fred's key as trusted to a lesser degree than Bob's.

Have a look at these links for more info on this subject:

http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
http://en.wikipedia.org/wiki/Key_signing_party
http://en.wikipedia.org/wiki/Web_of_trust

HTH.
-- 
Regards,
Mick
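
The Bob/Fred chain from the reply above, as an added example that is not part of the original message and is not GnuPG's own code: a simplified Python model of how the classic trust model derives key validity from signatures and owner trust, and what marking an imported key "ultimate" does to it. The thresholds are GnuPG's defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5); the function name and the Carol and Mallory keys are constructed for illustration.

```python
# Simplified model of GnuPG's classic ("pgp") trust model. Not GnuPG code.
FULL, MARGINAL = "full", "marginal"

def valid_keys(ultimate, signatures, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key considered valid.

    ultimate:   keys with ultimate owner trust (normally only your own key)
    signatures: set of (signer, signee) pairs: signer certified signee's key
    ownertrust: {key: FULL | MARGINAL}, trust in that owner as a certifier
    """
    valid = {key: 0 for key in ultimate}
    for depth in range(1, max_depth + 1):
        newly_valid = {}
        for key in {signee for _, signee in signatures} - set(valid):
            full = marginal = 0
            for signer, signee in signatures:
                # Only signatures made by already-valid keys count.
                if signee != key or signer not in valid:
                    continue
                trust = FULL if signer in ultimate else ownertrust.get(signer)
                full += trust == FULL
                marginal += trust == MARGINAL
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid

# Constructed sample keyring: "me" verified Bob in person and signed his key;
# Bob signed Fred's key; Carol's key came from a keyserver, signed only by Mallory.
SIGS = {("me", "bob"), ("bob", "fred"), ("mallory", "carol")}

def demo():
    return {
        "bob_untrusted": valid_keys({"me"}, SIGS, {}),
        "bob_full": valid_keys({"me"}, SIGS, {"bob": FULL}),
        "bob_marginal": valid_keys({"me"}, SIGS, {"bob": MARGINAL}),
        # Marking an imported key "ultimate" makes everything it signed valid.
        "mallory_ultimate": valid_keys({"me", "mallory"}, SIGS, {}),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, sorted(result.items()))
```

Fred's key becomes valid only when Bob is given full owner trust; a single marginal certifier is below the threshold of three, and Carol's key stays invalid until an imported key that signed it is marked ultimate.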