On Sun, Dec 21, 2003 at 10:53:35AM -0500, Norman Walsh wrote:

> One more question. I now see output like this when I read encrypted messages:
>
>   [[PGP Signed Part:Norman Walsh
>   Untrusted, Fingerprint: 645D 8055 B685 E0EC 3B0B B507 3B29 6D51 CC18 5A3B]]
>
> Now, I have my own public key in my pubring.gpg, so I would have
> expected that to be "trusted". I expect this is some aspect of PGP
> that I don't know enough about, rather than a gnus thing, but a
> pointer would be appreciated.

pubring.gpg is just all the keys that gpg is aware of locally. I've got the
following lines in my gpg.conf:

  keyserver pgp.mit.edu
  keyserver-options auto-key-retrieve honor-http-proxy

These allow gpg to download people's keys automatically and add them to my
pubring.gpg. However, trust is a different thing. There is no way to trust
someone automatically. It's more something you have to do in person. So for
example you are sure that your key is yours. So you can trust it completely.
To indicate this you have to "sign the key".

The following is from the gpg mini-howto at:
http://webber.dewinter.com/gnupg_howto/english/GPGMiniHowto.html

"3.6 Key signing

As mentioned before in the introduction there is one major Achilles' heel in
the system. This is the authenticity of public keys. If you have a wrong
public key you can say bye bye to the value of your encryption. To overcome
such risks there is a possibility of signing keys. In that case you place
your signature over the key, so that you are absolutely positive that this
key is valid. This leads to the situation where the signature acknowledges
that the user ID mentioned in the key is actually the owner of that key.
With that reassurance you can start encrypting.

Using the gpg --edit-key UID command for the key that needs to be signed you
can sign it with the sign command.

You should only sign a key as being authentic when you are ABSOLUTELY SURE
that the key is really authentic!!! So if you are positive you got the key
yourself (like on a key signing party) or you got the key through other
means and checked it (for instance by phone) using the fingerprint
mechanism. You should never sign a key based on any assumption.

Based on the available signatures and "ownertrusts" GnuPG determines the
validity of keys. Ownertrust is a value that the owner of a key uses to
determine the level of trust for a certain key. The values are

  * 1 = Don't know
  * 2 = I do NOT trust
  * 3 = I trust marginally
  * 4 = I trust fully

If the user does not trust a signature it can say so and thus disregard the
signature. Trust information is not stored in the same file as the keys,
but in a separate file."

Bijan

--
Bijan Soleymani
http://www.crasseux.com
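The distinction Bijan draws between "gpg has the key" and "gpg trusts the key" is visible in the machine-readable key listing: the validity column stays "-" (unknown) even for a key sitting in pubring.gpg until a signature or an ownertrust assignment gives it validity. The script below is an added illustration, not part of the thread; it parses `gpg --list-keys --with-colons` output (validity is field 2 of a uid record, ownertrust field 9 of the pub record), fed here with a constructed sample so it runs without gpg (the Norman Walsh record is taken from the fingerprint above; the second key is entirely made up).

```shell
#!/bin/sh
# Map a one-letter gpg validity/ownertrust code to a word.
# Codes follow gpg's doc/DETAILS: u=ultimate f=full m=marginal
# n=never q=undefined e=expired r=revoked -=unknown.
describe() {
  case "$1" in
    u) echo ultimate ;;  f) echo full ;;     m) echo marginal ;;
    n) echo never ;;     q) echo undefined ;; e) echo expired ;;
    r) echo revoked ;;   -|"") echo unknown ;; *) echo "other($1)" ;;
  esac
}

# Read colon-format records on stdin; emit one line per user ID:
#   <uid>|validity=<word>|ownertrust=<word>
# Validity comes from the uid record (field 2), ownertrust from the
# enclosing pub record (field 9). Ownertrust lives in trustdb.gpg,
# not in pubring.gpg, which is why importing a key never sets it.
trust_report() {
  ownertrust=
  while IFS= read -r line; do
    case "$line" in
      pub:*) ownertrust=$(printf '%s\n' "$line" | cut -d: -f9) ;;
      uid:*)
        validity=$(printf '%s\n' "$line" | cut -d: -f2)
        uid=$(printf '%s\n' "$line" | cut -d: -f10)
        printf '%s|validity=%s|ownertrust=%s\n' \
          "$uid" "$(describe "$validity")" "$(describe "$ownertrust")"
        ;;
    esac
  done
}

# Constructed sample listing: a fetched key that is present but unsigned
# and untrusted, then a local key with ultimate ownertrust.
SAMPLE='pub:-:1024:17:3B296D51CC185A3B:2003-12-01:::-:::scESC:
fpr:::::::::645D8055B685E0EC3B0BB5073B296D51CC185A3B:
uid:-::::2003-12-01::0123456789ABCDEF0123456789ABCDEF01234567::Norman Walsh:
pub:u:1024:17:0123456789ABCDEF:2003-01-01:::u:::scESC:
uid:u::::2003-01-01::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Local User (constructed):'

# Usage: printf '%s\n' "$SAMPLE" | trust_report
# With a real keyring: gpg --list-keys --with-colons | trust_report
```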