[SigningAKey] is an [OpenPGPConcept] that denotes trust in the KeyValidity of the key being signed. By signing a key, you are indicating that you trust that it belongs to its owner and that they are who they say they are. It is important that you only sign keys where you have personally verified the owner's identity and their possession of the key. You should exercise much care in signing keys, as others may use your signatures to determine CalculatedTrust for a key they cannot personally verify. See KeyValidity for instructions on how to verify the validity of a key.

!! How to sign a key

* Ensure the public key is in your keyring (if it isn't, see [GPG/PGPNotes] for how to find it)
* Ensure that you have correctly completed the KeyValidity tasks and are satisfied that the key is valid
* Open the key in gpg
** gpg --edit-key <key-id>
* Select the uid(s) that you wish to sign
** uid <s>
* Sign them
** sign
* Save the changes
** save
* You should now email the signed key back to its owner, so they can publish it to their preferred keyserver

!! Automating that process

See KeySigningScripts, especially the section on 'caff'.

!! Types of Signature

The [OpenPGP] standard defines several different types of signatures that can be used to denote varying levels of trust in the identity of the key's owner. These are:

<?plugin OldStyleTable
|__Signature Type__|__Name__|__Description__
| 0x10 | Generic certification | The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the user ID. Note that all PGP "key signatures" are this type of certification.
| 0x11 | Persona certification of a User ID and Public Key packet | The issuer of this certification has not done any verification of the claim that the owner of this key is the user ID specified.
| 0x12 | Casual certification of a User ID and Public Key packet | The issuer of this certification has done some casual verification of the claim of identity.
| 0x13 | Positive certification of a User ID and Public Key packet | The issuer of this certification has done substantial verification of the claim of identity.
?>

The standard notes:

;:Please note that the vagueness of these certification claims is not a flaw, but a feature of the system. Because PGP places final authority for validity upon the receiver of a certification, it may be that one authority's casual certification might be more rigorous than some other authority's positive certification. These classifications allow a certification authority to issue fine-grained claims.

These types of signature are somewhat controversial, and arguably are of no use at all, for several reasons:

* All [PGP] clients are only capable of generating 0x10 signatures
* The [OpenPGP] standard does not define a trust model, so there is no programmatic way to determine whether the trust indicated by one person's 0x12 signature is the same as that of any other 0x12 signature

The best solution to this seems to be:

* If you care, generate signatures using 0x12 and 0x13, and attach a policy URL describing how you verified the keyholder's identity; if you don't want to do this, you should sign keys with 0x10
* Recognise that 0x12 and 0x13 signatures may have varying meanings
* NEVER generate 0x11 signatures: why would you sign a key without verifying the keyholder's identity...?

----
Part of CategoryCryptography
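The signing procedure and the advice on 0x12/0x13 signatures with a policy URL, worked into one script. This is an added example, not code from the original page or from GnuPG: it refuses to certify unless the full fingerprint you verified with the keyholder matches the primary key actually in your keyring, then signs at an explicit certification level. It assumes GnuPG 2.1 or later (for --quick-sign-key); the policy URL is a placeholder.

```shell
#!/bin/bash
# Added example, not from the original page or from GnuPG: refuse to certify a
# key unless the full fingerprint verified with the keyholder matches the
# primary key in the local keyring, then sign at an explicit level (0x12 or
# 0x13) with a policy URL. Assumes GnuPG 2.1+ for --quick-sign-key.

# Read `gpg --with-colons --fingerprint` output on stdin and print only the
# PRIMARY key fingerprint(s): the 'fpr' record (field 10) that follows a
# 'pub' record. Subkey fingerprints (after 'sub') are deliberately skipped.
primary_fingerprints() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# Normalise a fingerprint as copied from a printout: drop spaces, upper-case.
normalise_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if $1 is a full 40-hex-digit fingerprint that exactly matches a
# primary key in the listing on stdin. A short key ID never passes: short IDs
# are cheap to collide, which is the whole reason to compare fingerprints.
fingerprint_in_listing() {
  local verified
  verified=$(normalise_fpr "$1")
  case "$verified" in *[!0-9A-F]*|'') return 1 ;; esac
  [ "${#verified}" -eq 40 ] || return 1
  primary_fingerprints | grep -qx -- "$verified"
}

# Certify the key and export the signed public key to mail back to its owner.
# Level 3 (0x13) only after substantial verification, otherwise 2 (0x12).
# The policy URL is a placeholder; point it at your real signing policy.
sign_verified_key() {
  local fpr level policy_url
  fpr=$(normalise_fpr "$1")
  level=${2:-2}
  policy_url='https://example.invalid/key-signing-policy'   # placeholder
  gpg --with-colons --fingerprint "$fpr" | fingerprint_in_listing "$fpr" || {
    echo "refusing to sign: $1 does not match a primary key in the keyring" >&2
    return 1
  }
  gpg --default-cert-level "$level" --cert-policy-url "$policy_url" \
      --quick-sign-key "$fpr"
  gpg --armor --export "$fpr" > "signed-$fpr.asc"
}
```

Call it as `sign_verified_key "<fingerprint read off the keyholder's printout>" 3`; the interactive `gpg --edit-key` route from the list above gives the same level prompt if you set `ask-cert-level` in gpg.conf.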