Old 05-28-2008, 02:59 PM
"Bill Crawford"
 
Default PGP signatures.

2008/5/28 Mike Chambers <mike@miketc.com>:

> What is meant by "name"? Guess I am clueless to gpg and don't know my
> way around it (viewing man gpg at the moment) and not sure what to do
> for example, when like someone's signature says invalid from evo on an
> email to the list?

It's usually the email address listed as the "user id" for the key (or subkey).

I find it easiest to do this via kgpg, actually - you just right click
and choose "Sign keys" from the menu.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 05-28-2008, 03:06 PM
Tim
 
Default PGP signatures.

Patrick O'Callaghan:
>> gpg --sign-key <name>

Bill Crawford:
> --lsign-key, please, unless you have met the person and seen their passport.

A good idea, but could you tell a forged passport apart from a real one?
I'm sure that I couldn't. Likewise for other forms of ID, I couldn't
tell a real one from a good fake, and I'd have no way to verify a real
ID.

Though I seriously doubt that most of us would be using gpg in a way
that required such a level of personal identity assurance.

--
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

 
Old 05-28-2008, 03:07 PM
Tim
 
Default PGP signatures.

On Wed, 2008-05-28 at 09:42 -0500, Mike Chambers wrote:
> What is meant by "name"? Guess I am clueless to gpg and don't know my
> way around it (viewing man gpg at the moment) and not sure what to do
> for example, when like someone's signature says invalid from evo on an
> email to the list?

The name of the key to apply the command to, or some other identifying
term. You can refer to keys by fingerprints, id codes, usernames, email
addresses, etc. It just has to be something that the software can use
to work out which key it's supposed to work with.

--
(This computer runs FC7, my others run FC4, FC5 & FC6, all using Gnome
in case that's important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

 
Old 05-28-2008, 03:29 PM
"Bill Crawford"
 
Default PGP signatures.

2008/5/28 Tim <ignored_mailbox@yahoo.com.au>:

> Though I seriously doubt that most of us would be using gpg in a way
> that required such a level of personal identity assurance.

While that may be true, it's not really polite to pollute the "web of
trust" with "possibly dubious" signatures (I'm not for a moment
suggesting or assuming that there's anything dubious in this case, but
the principle is important). There are people who do take these things
seriously, and we shouldn't make things more difficult for them just
because we don't agree with them. Well, not always )

[What do you do if you encounter a key that's signed by both someone
you trust personally, *and* someone you don't trust?]

 
Old 05-28-2008, 04:07 PM
"Mikkel L. Ellertson"
 
Default PGP signatures.

Bill Crawford wrote:
> 2008/5/28 Mike Chambers <mike@miketc.com>:
>> What is meant by "name"? Guess I am clueless to gpg and don't know my
>> way around it (viewing man gpg at the moment) and not sure what to do
>> for example, when like someone's signature says invalid from evo on an
>> email to the list?
>
> It's usually the email address listed as the "user id" for the key (or subkey).
>
> I find it easiest to do this via kgpg, actually - you just right click
> and choose "Sign keys" from the menu.

While you could use the person's name, you can run into more than
one key for a person, with different email addresses.


For example, I have keys for both my infinity-ltd.com address, and
my old execpc.com email address. I probably should revoke the
execpc.com address, but there are still some RPMs floating around
signed with that key. Besides, I don't remember where I stored the
private key for that one.


Mikkel
--

Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

 
Old 05-28-2008, 04:11 PM
"Mikkel L. Ellertson"
 
Default PGP signatures.

Tim wrote:
> Patrick O'Callaghan:
>>> gpg --sign-key <name>
>
> Bill Crawford:
>> --lsign-key, please, unless you have met the person and seen their passport.
>
> A good idea, but could you tell a forged passport apart from a real one?
> I'm sure that I couldn't. Likewise for other forms of ID, I couldn't
> tell a real one from a good fake, and I'd have no way to verify a real
> ID.
>
> Though I seriously doubt that most of us would be using gpg in a way
> that required such a level of personal identity assurance.

I started signing my email to the lists when a couple of messages
hit a list with my email address that were not from me. This way, a
forged message stands out because of the lack of signature, or
because it is signed by a different key.


Mikkel
--

Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

 
Old 05-28-2008, 04:49 PM
Anne Wilson
 
Default PGP signatures.

On Wednesday 28 May 2008 17:11:07 Mikkel L. Ellertson wrote:
> Tim wrote:
> > Patrick O'Callaghan:
> >>> gpg --sign-key <name>
> >
> > Bill Crawford:
> >> --lsign-key, please, unless you have met the person and seen their
> >> passport.
> >
> > A good idea, but could you tell a forged passport apart from a real one?
> > I'm sure that I couldn't. Likewise for other forms of ID, I couldn't
> > tell a real one from a good fake, and I'd have no way to verify a real
> > ID.
> >
> > Though I seriously doubt that most of us would be using gpg in a way
> > that required such a level of personal identity assurance.
>
> I started signing my email to the lists when a couple of messages
> hit a list with my email address that were not from me. This way, a
> forged message stands out because of the lack of signature, or
> because it is signed by a different key.
>
For me, it was when someone accused me of sending a virused email, again on a
forged message.

It is important, though, to maintain the web-of-trust. It does have legal
implications, and that's why local signing is an option. I use encryption
for correspondence with one person, and for that I have to use ultimate
trust, yet I've never met him. The name I know him by may not be his. It
would be utterly wrong for me to upload his signature, signed, as that says
to people "You can trust this guy utterly. I vouch for him." And you can't
do that for someone you haven't even met.

Anne
 
Old 05-28-2008, 05:01 PM
Anne Wilson
 
Default PGP signatures.

On Wednesday 28 May 2008 17:07:59 Mikkel L. Ellertson wrote:
> Bill Crawford wrote:
> > 2008/5/28 Mike Chambers <mike@miketc.com>:
> >> What is meant by "name"? Guess I am clueless to gpg and don't know my
> >> way around it (viewing man gpg at the moment) and not sure what to do
> >> for example, when like someone's signature says invalid from evo on an
> >> email to the list?
> >
> > It's usually the email address listed as the "user id" for the key (or
> > subkey).
> >
> > I find it easiest to do this via kgpg, actually - you just right click
> > and choose "Sign keys" from the menu.
>
> While you could use the person's name, you can run into more than
> one key for a person, with different email addresses.
>
> For example, I have keys for both my infinity-ltd.com address, and
> my old execpc.com email address. I probably should revoke the
> execpc.com address, but there are still some RPMs floating around
> signed with that key. Besides, I don't remember where I stored the
> private key for that one.
>
kgpg handles all that seamlessly. I have several people on my keyring that
have more than one key.

It's also possible to have one key for several addresses, as I do. For those
that use kgpg, just take a look at my key. It lists several addresses and is
signed by a number of people - yes, they did see my passport :-). Similarly,

gpg --list-keys 1E1C9C17

shows all the identities that my key can be used for.

Anne
 
Old 05-28-2008, 05:06 PM
Todd Zullinger
 
Default PGP signatures.

Patrick O'Callaghan wrote:
> On Wed, 2008-05-28 at 08:04 -0500, Aaron Konstam wrote:
>> Ok, I agree with your analysis. It can't be ruled as invalid if it had
>> not been retrieved. But I am ignorant. I do not know how to do the
>> signing
>
> gpg --sign-key <name>

Bzzt! Don't do that. Not unless you have:

1) Verified the details of the key (fingerprint, size, and type,
at least)

2) Verified the email address used (perhaps via a simple challenge
email asking the key holder to sign some data of your choosing and
return it to you)

3) Done some sort of validation that the name on the key is really
the name the key holder is known as

There is nothing to be gained by just signing a key to make the
"invalid" warning go away. And in fact, it can be harmful. If you
use --sign-key and then even send that key to someone else or to a
keyserver, others may take your signature to mean that you've done
some or all of the verification I mentioned above. If you haven't,
you're harming your reputation, as no one wants to trust the
signature from someone that doesn't do any verification. (Think of
signing a key as you would notarizing a document. You wouldn't stamp
your seal on something without some checking.)

If you really must silence the warning (and I would argue that there
is no point in that), you can use gpg --lsign-key to create a local
signature. Such a signature will not ever be exported.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
Abandon the search for Truth; settle for a good fantasy.
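
Added example, not part of the original thread: a check for which of your own certifications on other people's keys are exportable (made with --sign-key) and which are local (made with --lsign-key), read from `gpg --with-colons --list-sigs` output, where field 11 of a `sig` record ends in `x` or `l`. The function name `my_certifications` is hypothetical, and the sample listing, key IDs and names are constructed.

```sh
#!/bin/sh
# usage: gpg --with-colons --list-sigs | my_certifications <your long key ID>
# Prints one line per certification you made on someone else's user ID:
#   <local|exportable> TAB <certified key ID> TAB <certified user ID>
my_certifications() {
    awk -F: -v me="$1" '
        BEGIN { me = toupper(me) }
        $1 == "pub" { owner = toupper($5); uid = "" }   # start of a new key
        $1 == "uid" { uid = $10 }                        # user ID being certified
        $1 == "sub" { uid = "" }                         # subkey binding sigs follow
        $1 == "sig" && toupper($5) == me && owner != me && uid != "" {
            class = substr($11, 1, 2)
            if (class < "10" || class > "13") next       # keep certifications only
            kind = (substr($11, 3, 1) == "l") ? "local" : "exportable"
            printf "%s\t%s\t%s\n", kind, owner, uid
        }'
}

# Constructed sample listing: key 1111111111111111 stands in for your key.
sample_listing() {
    cat <<'EOF'
pub:f:2048:1:2222222222222222:1211980000:::-:::scESC:
uid:f::::1211980000::0000000000000000000000000000000000000000::Bob Example <bob@example.org>:
sig:::1:2222222222222222:1211980000::::Bob Example <bob@example.org>:13x:
sig:::1:1111111111111111:1211990000::::Me <me@example.org>:10l:
sub:f:2048:1:3333333333333333:1211980000::::::e:
sig:::1:2222222222222222:1211980000::::Bob Example <bob@example.org>:18x:
pub:f:2048:1:4444444444444444:1211970000:::-:::scESC:
uid:f::::1211970000::0000000000000000000000000000000000000000::Carol Example <carol@example.org>:
sig:::1:4444444444444444:1211970000::::Carol Example <carol@example.org>:13x:
sig:::1:1111111111111111:1211995000::::Me <me@example.org>:10x:
EOF
}

sample_listing | my_certifications 1111111111111111
```

Any line reported as `exportable` is a signature that travels with the key if you send it to someone else or to a keyserver, so it should correspond to a key you actually verified.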

 
Old 05-28-2008, 06:54 PM
Patrick
 
Default PGP signatures.

On Wed, 2008-05-28 at 18:01 +0100, Anne Wilson wrote:
[snip]
> gpg --list-keys 1E1C9C17
>
> shows all the identities that my key can be used for.

[patrick@localhost ~]$ gpg --list-keys 1E1C9C17
gpg: error reading key: public key not found

Got these keyservers enabled in .gnupg/gpg.conf

keyserver hkp://keys.gnupg.net
keyserver hkp://subkeys.pgp.net
keyserver ldap://keyserver.pgp.com

No luck with these search links either:
http://pgpkeys.pca.dfn.de/pks/lookup?search=1E1C9C17&op=vindex
http://keyserver.pgp.com/vkd/SubmitSearch.event?SearchCriteria=1E1C9C17

Typo?

Regards,
Patrick
