From: Bijan Soleymani
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Gnus/PGG password problem
Date: Sun, 21 Dec 2003 11:09:58 -0500
Message-ID: <20031221160958.GA9350@server.crasseux.com>
References: <87smjf5gvn.fsf@nwalsh.com> <87zndm9ngg.fsf@nwalsh.com>
In-reply-to: <87zndm9ngg.fsf@nwalsh.com>

On Sun, Dec 21, 2003 at 10:53:35AM -0500, Norman Walsh wrote:
> One more question. I now see output like this when I read encrypted messages:
>
> [[PGP Signed Part:Norman Walsh
>   Untrusted, Fingerprint: 645D 8055 B685 E0EC 3B0B B507 3B29 6D51 CC18 5A3B]]
>
> Now, I have my own public key in my pubring.gpg, so I would have
> expected that to be "trusted". I expect this is some aspect of PGP
> that I don't know enough about, rather than a gnus thing, but a
> pointer would be appreciated.

pubring.gpg is just all the keys that gpg is aware of locally.

I've got the following lines in my gpg.conf:

keyserver pgp.mit.edu
keyserver-options auto-key-retrieve honor-http-proxy

These allow gpg to download people's keys automatically and add them
to my pubring.gpg.

However, trust is a different thing. There is no way to trust someone
automatically. It's more something you have to do in person.

So for example you are sure that your key is yours. So you can trust
it completely. To indicate this you have to "sign the key".

The following is from the gpg mini-howto at:
http://webber.dewinter.com/gnupg_howto/english/GPGMiniHowto.html

"3.6 Key signing

As mentioned before in the introduction there is one major Achilles'
heel in the system. This is the authenticity of public keys. If you
have a wrong public key you can say bye bye to the value of your
encryption. To overcome such risks there is a possibility of signing
keys. In that case you place your signature over the key, so that you
are absolutely positive that this key is valid. This leads to the
situation where the signature acknowledges that the user ID mentioned
in the key is actually the owner of that key. With that reassurance
you can start encrypting.

Using the gpg --edit-key UID command for the key that needs to be
signed you can sign it with the sign command.

You should only sign a key as being authentic when you are ABSOLUTELY
SURE that the key is really authentic!!!. So if you are positive you
got the key yourself (like on a key signing party) or you got the key
through other means and checked it (for instance by phone) using the
fingerprint-mechanism. You should never sign a key based on any
assumption.

Based on the available signatures and "ownertrusts" GnuPG determines
the validity of keys. Ownertrust is a value that the owner of a key
uses to determine the level of trust for a certain key. The values are

* 1 = Don't know
* 2 = I do NOT trust
* 3 = I trust marginally
* 4 = I trust fully

If the user does not trust a signature it can say so and thus
disregard the signature. Trust information is not stored in the same
file as the keys, but in a separate file."

Bijan

-- 
Bijan Soleymani
http://www.crasseux.com
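
Added example, not part of the original message or of GnuPG: it reads the machine-readable listing from gpg --list-keys --with-colons to separate "key is present in pubring.gpg" from "key is calculated as valid" (field 2 is the validity, field 9 the ownertrust). The sample listing and the names unescape, parse_keys and untrusted_keys are constructed for illustration.

```python
import re

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
# Alice: own key, ownertrust set to ultimate. Bob: fetched from a keyserver,
# present in the keyring but never validated.
SAMPLE = """\
tru::1:1072000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1072000000:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1072000000::::Alice Example <alice@example.org>:
pub:-:2048:1:BBBBBBBBBBBBBBBB:1072000001:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:-::::1072000001::::Bob Example <bob@example.org>:
"""

def unescape(field):
    """Undo the \\xNN escaping gpg applies to ':' and control characters."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def parse_keys(listing):
    """Return one dict per primary key with validity and ownertrust letters."""
    keys, cur = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:          # e.g. the leading "tru" trustdb record
            continue
        if f[0] == "pub":
            cur = {"keyid": f[4], "validity": f[1], "ownertrust": f[8],
                   "fingerprint": None, "uids": []}
            keys.append(cur)
        elif cur is None:
            continue
        elif f[0] == "fpr" and cur["fingerprint"] is None:
            cur["fingerprint"] = f[9]     # first fpr belongs to the primary key
        elif f[0] == "uid":
            cur["uids"].append((unescape(f[9]), f[1]))
    return keys

def untrusted_keys(listing):
    """Keys in the keyring whose calculated validity is not full/ultimate."""
    return [k for k in parse_keys(listing) if k["validity"] not in ("f", "u")]

if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        state = "valid" if k["validity"] in ("f", "u") else "NOT validated"
        print(k["fingerprint"], state, "ownertrust=" + k["ownertrust"], k["uids"])
```

A key retrieved by auto-key-retrieve appears like the second entry: it is in the keyring, but its validity stays "-" until it is signed by a key whose owner is trusted.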