Re: UNTRUSTED signature in GPG

From: Ray Stirbei <me(at)highentropy.org>
Date: Tue Apr 29 2003 - 20:23:18 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fernando,

The reason the key is marked 'untrusted' is becuase PGP doesn't know who the person behind the key is. What stops me from making a key, calling it 'Fernando Shayani' and using to email people? PGP signatures certaintly ensures the integrity of the message, which is why the signature is labeled 'good'.

When you are dragging a key from 'untrusted' to 'trusted' you are telling PGP that you know for sure that this key belongs to this person. You can look up' PGP web of trust' to get more information.

When you check your Yahoo email using SSL, you are using Verisign, a Certificate Authority. Your browser trusts Verisign and in turn Verisign assures your browser the key does indeed come from Yahoo.

Those are the two most common ways to deal with trust in key management.

Hope that helps

ray

On Monday 28 April 2003 02:37 pm, Tomas Wolf wrote:
> PGP has many nice features, but some of them are not exactly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+rxeBzejBliQ3SdsRAlqlAKDki82Mg26bhypv+7MqjFVOj4pCowCeJIb1 Xva+pRLDyjmJhFMzRIUktZ0=
=Jwtw
-----END PGP SIGNATURE-----

---

FastTrain has your solution for a great CISSP Boot Camp. The industry's most recognized corporate security certification track, provides a comprehensive prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization of pertinent security tools. For a limited time you can enter for a chance to win one of the latest technological innovations, the SEGWAY HT. Log onto http://www.securityfocus.com/FastTrain-security-basics

---

Received on Wed Apr 30 14:55:53 2003