Re: [Evolution] Signing messages with PGP

From: Patrick O'Callaghan <poc usb ve>
To: Art Alexion <art RHD ORG>
Cc: evolution-list gnome org
Subject: Re: [Evolution] Signing messages with PGP
Date: Mon, 22 Sep 2008 11:18:04 -0430

On Mon, 2008-09-22 at 09:55 -0400, Art Alexion wrote:

It just means that your key isn't signed by anyone trusted by the
recipients (such as yourself). You either need to exchange

signatures

with them, preferrably using some out-of-band mechanism such as

direct

contact, or have a mutually trusted third party do it. Read up on

the

"web of trust" in the GPG docs.


As Patrick points out, this is appropriate behavior.  What it is
saying
is that this is a valid signature, based on the person who uploaded
the
key, but there is no proof that the person who uploaded the key is
really you.


Sorry, that's not what I'm saying (or what the GPG error means). First
of all, there's no indication that the key was "uploaded" anywhere so
you can't assume it's being checked against a key server such as
pgp.mit.edu. Second, the validity of the signature has nothing to do
with whoever uploaded it (if in fact anyone did), and everything to do
with whoever signed it. Whether you trust the signature or signatures
(you can have any number of them) is the only thing that matters.

poc

Follow-Ups:
- Re: [Evolution] Signing messages with PGP
  - From: Art Alexion

References:
- [Evolution] Signing messages with PGP
  - From: Andrew Taylor
- Re: [Evolution] Signing messages with PGP
  - From: Patrick O'Callaghan
- Re: [Evolution] Signing messages with PGP
  - From: Art Alexion

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]