On Sat, Oct 14, 2006 at 03:21:42AM -0600, Henry Hertz Hobbit wrote:
> [8] IMPORT somebody ELSE'S key and sign it; Werner's signing
> key for example.
> $ cd $TO_WHERE_WERNERS_PUB_KEY_IS
> $ sha1sum WernerKoch.asc
> c151479c9231455f18bccd09e3423679683a9ba9 WernerKoch.asc
> # It matches what I have off the computer. Hopefully
> # somebody hasn't taken advantage of the SHA1 weakness.
> $ gpg -a --import WernerKoch.asc
> $ gpg --list-keys
> # some output omitted
> pub 1024D/57548DCD 1998-07-07 [expired: 2005-12-31]
> uid Werner Koch (gnupg sig) <[EMAIL PROTECTED]>
>
> pub 1024R/1CE0C630 2006-01-01 [expires: 2008-12-31]
> uid Werner Koch (dist sig) <[EMAIL PROTECTED]>
>
> $ gpg --delete-key 57548DCD
> $ gpg --edit-key 1CE0C630
> Command> # SIGN TO THE LEVEL YOU KNOW THIS KEY IS REALLY HIS
> # beats me if it really is his key - others seem to think it
> # is and it verifies GnuPg as valid.
> Command> save
> $ gpg --list-secret-keys
> $ gpg --list-keys

If you've met Werner and exchanged identities with him, then signing his
key exportably is ok, but in general, people should be using
non-exportable signatures here, with lsign, to not pollute the web of
trust unnecessarily.

-- 
Robin Hugh Johnson
E-Mail     : [EMAIL PROTECTED]
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
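Whether a certification was made with sign or lsign is recorded in gpg's colon-delimited listing: field 11 of a `sig` record ends in `x` (exportable) or `l` (local). The following is an added example, not part of the original messages, that audits a keyring listing for certifications your own key made on other people's keys; the function names, key IDs and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: output of `gpg --list-sigs --with-colons`.
# In a "sig" record, field 5 is the signer's 16-hex-digit key ID and
# field 11 is the signature class (10-13 = certification) followed by
# "x" for an exportable signature or "l" for a local (lsign) one.

# audit_certs OWN_KEYID   (hypothetical helper)
# Prints "<certified key> <local|exportable> <user ID>" for every
# certification OWN_KEYID made on a key other than itself.
audit_certs() {
    awk -F: -v me="$1" '
        $1 == "pub" { key = $5; uid = $10 }   # gpg 1.4 puts the primary uid here
        $1 == "uid" { uid = $10 }
        $1 == "sig" && $5 == me && key != me && $11 ~ /^1[0-3][xl]$/ {
            scope = ($11 ~ /l$/) ? "local" : "exportable"
            print key, scope, uid
        }'
}

# exportable_certs OWN_KEYID   (hypothetical helper)
# Only the keys carrying a signature of yours that would leave the
# keyring on `gpg --export` or `gpg --send-keys`.
exportable_certs() {
    audit_certs "$1" | awk '$2 == "exportable" { print $1 }' | sort -u
}

# Constructed listing: own key 1111..., two third-party keys.
sample_listing() {
    cat <<'EOF'
pub:u:2048:1:1111111111111111:1150000000:::u:::scESC:
uid:u::::1150000000::::Me <me@example.org>:
sig:::1:1111111111111111:1150000000::::Me <me@example.org>:13x:
pub:-:1024:1:2222222222222222:1136073600:::-:::scSC:
uid:-::::1136073600::::Dist Key <dist@example.org>:
sig:::1:2222222222222222:1136073600::::Dist Key <dist@example.org>:13x:
sig:::1:1111111111111111:1160000000::::Me <me@example.org>:10l:
pub:-:1024:17:3333333333333333:1100000000:::-:::scESC:
uid:-::::1100000000::::Friend <friend@example.org>:
sig:::17:3333333333333333:1100000000::::Friend <friend@example.org>:13x:
sig:::1:1111111111111111:1160000500::::Me <me@example.org>:12x:
EOF
}

sample_listing | audit_certs 1111111111111111
```

Against a real keyring, pipe `gpg --list-sigs --with-colons` into `audit_certs` with your own long key ID in place of the constructed one.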