-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> Sven Radde escribió:
> Faramir schrieb:
>> I was reading again this message, and I'd like to know: is there any
>> point about signing a key _but not giving any trusted status_ ?
> Yes.
> Signing the key makes it valid for you (i.e. you believe that
On May 5, 2008, at 6:46 AM, Faramir wrote:
David Shaw escribió:
.
If someone wants to sign your key, you then end up with:
KEY + UID + SELFSIG + SIG
So SELFSIG is you saying "I bind this KEY and UID together", and SIG
is the other person saying "Me too".
If you add another UID at this po
Faramir schrieb:
I was reading again this message, and I'd like to know: is there any
point about signing a key _but not giving any trusted status_ ?
Yes.
Signing the key makes it valid for you (i.e. you believe that the person
indicated in the key's User-IDs is the person who actually has cont
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> David Shaw escribió:
> .
> If someone wants to sign your key, you then end up with:
>
> KEY + UID + SELFSIG + SIG
>
> So SELFSIG is you saying "I bind this KEY and UID together", and SIG
> is the other person saying "Me too".
>
> If you add an
On Apr 25, 2008, at 3:57 AM, Werner Koch wrote:
On Thu, 24 Apr 2008 21:12, [EMAIL PROTECTED] said:
not how the OpenPGP trust system works. The person who gets to
decide
if a key+uid should be signed is the person who makes the signature.
Nitpicking: It is not the OpenPGP trust system, but
On Thu, 24 Apr 2008 21:12, [EMAIL PROTECTED] said:
> not how the OpenPGP trust system works. The person who gets to decide
> if a key+uid should be signed is the person who makes the signature.
Nitpicking: It is not the OpenPGP trust system, but the way almost all
OpenPGP applications are used (
On Tue, Apr 15, 2008 at 11:16:34PM +0200, Christoph Anton Mitterer wrote:
> Ok now back to the beginning: When the name in the UID would be just a
> cosmetic addition to the actual ID (the e-mail address) I'd say it's
> irrelevant if it's complete.
>
> But if it's interpreted as Name + e-mail of a
On Tue, Apr 15, 2008 at 11:42:30PM +0200, Herbert Furting wrote:
> On Tue, 2008-04-15 at 17:09 -0400, David Shaw wrote:
> > Change your preferences and GPG will make a new selfsig for you. No
> > source hacking needed.
> Yes but ok let me explain what I want or would like to have ;-)
>
> My curre
On Thu, Apr 17, 2008 at 01:00:23PM +0200, Werner Koch wrote:
> >> Regarding signing challenges; they are fine as along as a signing subkey
> >> is available.
> > This sounds interesting.
> > What would I now from a signing challenge? What is it exactly? Ask the
> > peer to sign my challenge?
>
> R
On Wed, 16 Apr 2008 10:57,
[EMAIL PROTECTED] said:
>> What I meant are proofs based on the ability to decrypt a message. That
>> is not going to work if you do not have an encryption subkey.
> Could you please find the time to explain this further? Why would it
> only work with an encryption subk
Dear Werner.
On Wed, 2008-04-16 at 09:42 +0200, Werner Koch wrote:
> What I meant are proofs based on the ability to decrypt a message. That
> is not going to work if you do not have an encryption subkey.
Could you please find the time to explain this further? Why would it
only work with an encry
On Tue, 15 Apr 2008 20:04, [EMAIL PROTECTED] said:
>> I remember Werner saying that this was just nonsense.
>> Werner, can you correct me if I'm wrong?
>
> Not enough information above to say nonsense or not. There are silly
> ways to use challenges and non-silly ways.
What I meant are proofs ba
On Tue, 2008-04-15 at 17:09 -0400, David Shaw wrote:
> Change your preferences and GPG will make a new selfsig for you. No
> source hacking needed.
Yes but ok let me explain what I want or would like to have ;-)
My current key has the following layout:
***[Pub key packet]***
***[UID]***
***[0x
On Tue, Apr 15, 2008 at 09:36:04PM +0200, Herbert Furting wrote:
> On Tue, 2008-04-15 at 14:09 -0400, David Shaw wrote:
> > On Tue, Apr 15, 2008 at 03:10:47PM +0200, Herbert Furting wrote:
> > > To say it short: In my opinion every information that you sign/certify
> > > should be actually validade
Dear David.
On Tue, 2008-04-15 at 16:41 -0400, David Shaw wrote:
> It is irrelevant to this. There are a lot of "David Shaw"s in the
> world, and it's pointless to try and prevent collisions in a set that
> large. The disambiguation in OpenPGP keys is really the email
> address, not the name.
H
On Tue, Apr 15, 2008 at 11:03:43PM +0200, Herbert Furting wrote:
> On Tue, 2008-04-15 at 16:43 -0400, David Shaw wrote:
> > Yes indeed. OpenPGP even expects users to change their SELFSIGs
> > occasionally - the preferences and other UID-specific information is
> > stored there, so a change to pref
On Tue, 2008-04-15 at 16:43 -0400, David Shaw wrote:
> Yes indeed. OpenPGP even expects users to change their SELFSIGs
> occasionally - the preferences and other UID-specific information is
> stored there, so a change to preferences means a change in SELFSIG.
Yeah,.. I just try to browse to the so
On Tue, Apr 15, 2008 at 09:27:26PM +0200, Christoph Anton Mitterer wrote:
> On Tue, 2008-04-15 at 13:45 -0400, David Shaw wrote:
> > If someone wants to sign your key, you then end up with:
> >
> > KEY + UID + SELFSIG + SIG
> >
> Nicely illustrated,.. but let me please add (I know of course tha
On Tue, 2008-04-15 at 13:45 -0400, David Shaw wrote:
> If someone wants to sign your key, you then end up with:
>
> KEY + UID + SELFSIG + SIG
>
Nicely illustrated,.. but let me please add (I know of course that _you_
know this) that the SIG is made only over the KEY+UID data,... thus the
keyhol
On Tue, 2008-04-15 at 14:09 -0400, David Shaw wrote:
> On Tue, Apr 15, 2008 at 03:10:47PM +0200, Herbert Furting wrote:
> > To say it short: In my opinion every information that you sign/certify
> > should be actually validaded.
> > It probably makes even sense to check if a keyholder specified all
On Tue, Apr 15, 2008 at 03:10:47PM +0200, Herbert Furting wrote:
> To say it short: In my opinion every information that you sign/certify
> should be actually validaded.
> It probably makes even sense to check if a keyholder specified all of
> his given names,... and perhaps one shouldn't sign UIDs
On Tue, Apr 15, 2008 at 12:21:43PM +0200, Michael Kesper wrote:
> Hi,
>
> On Tue, Apr 15, 2008 at 12:42:43AM +0200, Herbert Furting wrote:
> > On Mon, 2008-04-14 at 23:20 +0100, Peter Lewis wrote:
> > > Ah yes, thanks. So I have now set the owner-trust for his key to "full",
> > > but
> > > stil
On Tue, Apr 15, 2008 at 02:33:08PM +0100, Peter Lewis wrote:
> On Tuesday 15 April 2008 at 14:11:48 Sven Radde wrote:
> > Stan Tobias schrieb:
> > > If a public key has a UID1, which I already
> > > trust, and a new UID2 is added, why can't I infer trust for the new uid?
> > > (...)
> > > So the
>
On Tue, Apr 15, 2008 at 02:13:51PM +0200, Stan Tobias wrote:
> Herbert Furting wrote:
> > If the new UID just contains a new email address, you should really
> > check if the keyholder "controlls" that email address.
> > You can do so, by sending him an encrypted challenge.
>
> [another newbie her
On Tue, Apr 15, 2008 at 09:37:45AM -0400, Mark H. Wood wrote:
> On Tue, Apr 15, 2008 at 01:23:01PM +0100, Peter Lewis wrote:
> > So I guess my question is: is this a guide for me, and then I should
> > manually
> > set the trust level on key F myself (if I am satisfied that the chains
> > exist)
On Tue, Apr 15, 2008 at 04:09:51PM +0100, Peter Lewis wrote:
> Please excuse one final question: I have signed keys with one person (A),
> whom
> I trust fully, and he has signed keys with another person (B), whom I know,
> but with whom I have not signed keys. B's key is (correctly) showing as
On Tuesday 15 April 2008 at 15:05:45 Sven Radde wrote:
> Signing a new UID with the same key that was used to sign another UID
> proves that the same person that created the first UID created the
> second one.
> It does not prove that the person controls (or, is identified by) the
> second UID.
>
>
Herbert Furting wrote the following on 4/15/08 9:38 AM:
> Well but if Peter Lewis <[EMAIL PROTECTED]> adds a new UID "Stan
> Tobias <[EMAIL PROTECTED]>" you obviously can't sign it, because the
> keyholder is Peter Lewis and not Stan Tobias.
>
> hf
>
To add a new UID, whichever it is, wouldn't P
On Tue, Apr 15, 2008 at 4:56 PM, Sven Radde <[EMAIL PROTECTED]> wrote:
>[snip snap]
Well said :)
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Mark H. Wood schrieb:
The safest thing for gpg to assume
is that I assign no trust at all until I have instructed it
otherwise.
AFAIK this is the default behaviour, isn't it?
You have the option of specifying "trusted introducers" (i.e. keys
signed by those are automatically considered valid by
Well but if Peter Lewis <[EMAIL PROTECTED]> adds a new UID "Stan
Tobias <[EMAIL PROTECTED]>" you obviously can't sign it, because the
keyholder is Peter Lewis and not Stan Tobias.
hf
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.
On Tue, Apr 15, 2008 at 01:23:01PM +0100, Peter Lewis wrote:
> So I guess my question is: is this a guide for me, and then I should manually
> set the trust level on key F myself (if I am satisfied that the chains
> exist), or should gpg do this automatically for me based on the parameters in
>
Peter Lewis schrieb:
Because you do not know whether the owner of UID1 is also the owner of
UID2.
Let's say, someone trusts my key and my user-id on that key.
Now, I add another ID: "Stan Tobias <[EMAIL PROTECTED]>"...
No good idea to trust that without checking, is it?
But isn't that the
On Tuesday 15 April 2008 at 14:11:48 Sven Radde wrote:
> Stan Tobias schrieb:
> > If a public key has a UID1, which I already
> > trust, and a new UID2 is added, why can't I infer trust for the new uid?
> > (...)
> > So the
> > only person that could have added UID2 is the one that is in control of
Stan Tobias schrieb:
If a public key has a UID1, which I already
trust, and a new UID2 is added, why can't I infer trust for the new uid?
(...)
So the
only person that could have added UID2 is the one that is in control of
UID1 (supposedly, it's the same person). Why is there a need to check
a
First of all,... unfortunately Chris forgot to CC the list (at least
it seems so). So I post his answer again:
On Tue, Apr 15, 2008 at 12:21 PM, Michael Kesper <[EMAIL PROTECTED]> wrote:
> I remember Werner saying that this was just nonsense.
> Werner, can you correct me if I'm wrong?
Well this i
Herbert Furting wrote:
> If the new UID just contains a new email address, you should really
> check if the keyholder "controlls" that email address.
> You can do so, by sending him an encrypted challenge.
[another newbie here]
I don't understand this. If a public key has a UID1, which I already
On Tuesday 15 April 2008 at 12:39:43 Herbert Furting wrote:
> gpg uses a so called trust modell (there ary actually several
> different), where you can each UID/key an specific amount of trust.
> You can give:
> n Never trust this key.
> m Marginall
Hi,
On Tue, Apr 15, 2008 at 12:42:43AM +0200, Herbert Furting wrote:
> On Mon, 2008-04-14 at 23:20 +0100, Peter Lewis wrote:
> > Ah yes, thanks. So I have now set the owner-trust for his key to "full",
> > but
> > still it says "unknown" for the other UIDs. So, I should manually set the
> > tru
2008/4/15 Peter Lewis <[EMAIL PROTECTED]>:
> Ah, thanks, that makes sense. And then I can sign his new UIDs too? Or just
> change their trust level?
You'll "have" to sign his new UIDs, too.
What you could to is do issue a so called non-exportable (gpg uses the
term local, iirc) signature.
That me
On Monday 14 April 2008 at 23:42:43 Herbert Furting wrote:
> If the new UID just contains a new email address, you should really
> check if the keyholder "controlls" that email address.
> You can do so, by sending him an encrypted challenge.
Ah, thanks, that makes sense. And then I can sign his ne
On Mon, 2008-04-14 at 23:20 +0100, Peter Lewis wrote:
> Ah yes, thanks. So I have now set the owner-trust for his key to "full", but
> still it says "unknown" for the other UIDs. So, I should manually set the
> trust for keys / UIDs that I think I trust based on who has signed them?
Sorry,.. I ha
Thanks Herbert, David, for the quick replies.
On Monday 14 April 2008 at 22:50:46 Herbert Furting wrote:
> Trust and signatures are different things (of course they are
> connected).
>
> You can change the trust on the key with the "trust" command when
> editing his key.
Ah yes, thanks. So I have
On Mon, Apr 14, 2008 at 10:05:58PM +0100, Peter Lewis wrote:
> Hi there,
>
> Firstly, apolgies if this is a simple query. I didn't get the answer though
> from reading the manual.
>
> My friend and I signed each others' keys last week. However, since then he
> has
> added another UID with his
Hi Peter.
Trust and signatures are different things (of course they are
connected).
You can change the trust on the key with the "trust" command when
editing his key.
Herbert.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/m
Hi there,
Firstly, apolgies if this is a simple query. I didn't get the answer though
from reading the manual.
My friend and I signed each others' keys last week. However, since then he has
added another UID with his work email address to his key. This showed up in
my keyring when I sync'ed wi
46 matches
Mail list logo
