Version 1.5
The options (which can be set in PGP's configuration file, CONFIG.TXT) to control this are
Cert_Dept = n
Completes_Needed = n
Marginals_Needed = n
You can display the trust parameters for a key with pgp -kc
.
See also question 4.7.
Be careful about keys that are several levels removed from your immediate trust.
The PGP trust model is discussed in more detail by Alfarez Abdul-Rahman.
PGP -ks [-u yourid] <keyid>
This adds your signature (signed with the private key for yourid, if
you specify it) to the key identified with keyid. If keyid is a user
ID, you will sign that particular user ID; otherwise, you will sign
the default user ID on that key (the first one you see when you list
the key with pgp -kv <keyid>
).
Next, you should extract a copy of this updated key along with its signatures using the "-kxa" option. An armored text file will be created. Give this file to the owner of the key so that he may propagate the new signature to whomever he chooses.
Be very careful with your secret keyring. Never be tempted to put a copy in somebody else's machine so you can sign their public key - they could have modified PGP to copy your secret key and grab your pass phrase.
It is very easy to add user IDs to someone else's key. All it takes is a binary editor or some knowledge of the PGP public key format. But since you are the only person who can sign your own user IDs, the fake ones will not be signed, and so anyone who gets the key can immediately spot the fake ones. For example, my entry in the public key ring now appears as follows if you use the "-kvv" command:
Type Bits/KeyID Date User ID pub 1024/416A1A35 1994/10/01 Arnoud Engelfriet <[email protected]> sig 416A1A35 Arnoud Engelfriet <[email protected]> *** <[email protected]> now INVALID! sig 416A1A35 Arnoud Engelfriet <[email protected]> Galactus <[email protected]> sig 3602A619 Stephen Hopkins <[email protected]> sig DD63EF3D Frank Castle <[email protected]> sig 416A1A35 Arnoud Engelfriet <[email protected]> Arnoud Engelfriet <[email protected]> sig 390E3FB1 Martijn Heemels <[email protected]> sig DA87C0C7 Edgar W. Swank <[email protected]> sig 416A1A35 Arnoud Engelfriet <[email protected]>
For a more detailed discussion of why you should sign your own key, see "Why you should sign your own key" by Walther Soldierer.
Note that PGP 2.6.3[i] automatically signs each user ID you add to your own key.
Some countries require respected professionals such as doctors or engineers to endorse passport photographs as proof of identity for a passport application - you should consider signing someone's key in the same light. Alternatively, when you come to sign someone's key, ask yourself if you would be prepared to swear in a court of law as to that person's identity.
Remember that signing a person's key says nothing about whether you actually like or trust that person or approve of his/her actions. It's just like someone pointing to someone else at a party and saying, "Yeah, that's Joe Blow over there." Joe Blow may be an ax murderer; you don't become tainted with his crime just because you can pick him out of a crowd.
If it is a key from someone you know well and whose voice you
recognize then it is sufficient to give them a phone call and have
them read their key's fingerprint (obtained with pgp -kvc <userid>
).
To be sure, also ask them for the key size and its key ID. There are
ways to create a forged key with an identical fingerprint (see
question 4.10 for details).
You can of course also check these details in another way, for example
if he has printed it on his business card.
If you don't know the person very well then the only recourse is to exchange keys face-to-face and ask for some proof of identity. Don't be tempted to put your public key disk in their machine so they can add their key - they could maliciously replace your key at the same time. If the user ID includes an e-mail address, verify that address by exchanging an agreed encrypted message before signing. Don't sign any user IDs on that key except those you have verified.
A key signing party is a get-together with various other users of PGP for the purpose of meeting and signing keys. This helps to extend the "web of trust" to a great degree.
A keysigning party announcement page can be found at:
http://www.geocities.com/CapitolHill/3378/pgpparty.html.
Derek Atkins <[email protected]> has recommended this method:
There are many ways to hold a key-signing session. Many viable suggestions have been given. And, just to add more signal to this newsgroup, I will suggest another one which seems to work very well and also solves the N-squared problem of distributing and signing keys. Here is the process:
pgp -kvc
on that keyring, and save the output to a file.
pgp -kvc
file onto hardcopy, and bring
this and the keyring on media to the meeting.
pgp -kvc
on it themselves, and re-verify the
bits, and sign the keys at their own leisure.
[ Previous | Next | Table of Contents | About this FAQ | Glossary ]