Re: [Evolution] Signing messages with PGP



On Mon, 2008-09-22 at 09:55 -0400, Art Alexion wrote:
> > It just means that your key isn't signed by anyone trusted by the
> > recipients (such as yourself). You either need to exchange signatures
> > with them, preferably using some out-of-band mechanism such as direct
> > contact, or have a mutually trusted third party do it. Read up on the
> > "web of trust" in the GPG docs.
>
> As Patrick points out, this is appropriate behavior.  What it is saying
> is that this is a valid signature, based on the person who uploaded the
> key, but there is no proof that the person who uploaded the key is
> really you.

Sorry, that's not what I'm saying (or what the GPG error means). First
of all, there's no indication that the key was "uploaded" anywhere so
you can't assume it's being checked against a key server such as
pgp.mit.edu. Second, the validity of the signature has nothing to do
with whoever uploaded it (if in fact anyone did), and everything to do
with whoever signed it. Whether you trust the signature or signatures
(you can have any number of them) is the only thing that matters.

poc
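
An added illustration, not part of the original message and not GnuPG's own code: a simplified model of the classic web-of-trust rule discussed in this thread, in which a key becomes valid through certifications from keys whose owners the verifier trusts, while presence on a key server is never consulted. The key ids, the Key class and the demo data are constructed; the three thresholds are GnuPG's documented defaults.

```python
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default for --max-cert-depth

@dataclass
class Key:
    signed_by: set = field(default_factory=set)  # ids of keys that certified this one
    on_keyserver: bool = False                   # recorded, never consulted below

def is_valid(key_id, keyring, ownertrust, depth=MAX_CERT_DEPTH, path=frozenset()):
    """True if the verifier can treat key_id as belonging to its claimed owner."""
    if ownertrust.get(key_id) == "ultimate":     # the verifier's own key
        return True
    if depth == 0 or key_id in path or key_id not in keyring:
        return False
    full = marginal = 0
    for signer in keyring[key_id].signed_by:
        trust = ownertrust.get(signer, "unknown")
        if trust not in ("ultimate", "full", "marginal"):
            continue                             # e.g. a self-signature
        if not is_valid(signer, keyring, ownertrust, depth - 1, path | {key_id}):
            continue                             # the signer's key must be valid first
        if trust == "marginal":
            marginal += 1
        else:
            full += 1
    return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED

def demo():
    # Constructed keyring as seen by the recipient of a signed message.
    trust = {"RECIPIENT": "ultimate", "THIRD_PARTY": "full"}
    ring = {
        "SENDER": Key(signed_by={"SENDER"}, on_keyserver=True),
        "THIRD_PARTY": Key(signed_by={"RECIPIENT"}),
    }
    results = {"uploaded_only": is_valid("SENDER", ring, trust)}
    ring["SENDER"].signed_by.add("THIRD_PARTY")          # mutually trusted third party
    results["via_third_party"] = is_valid("SENDER", ring, trust)
    ring["SENDER"].signed_by = {"SENDER", "RECIPIENT"}   # direct signature exchange
    results["direct_exchange"] = is_valid("SENDER", ring, trust)
    return results

if __name__ == "__main__":
    print(demo())
```
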



