[Enigmail] enigmail test
Olav Seyfarth
olav at mozilla-enigmail.org
Fri Feb 22 00:35:03 PST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Matt,
> Can anyone verify that I've verified the Enigmail download correctly?
you verified the package as intended.
> Terminal returned the following when I used Enigmail to verify itself
> from Thunderbird, if you know what I mean...
>
>> gpg: Signature made Thu Jan 3 08:40:20 2008 PST using DSA key ID 9369CDF3
>> gpg: Good signature from "Patrick Brunschwig (Enigmail sig)
=> Integrity OK.
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the
>> owner.
>> Primary key fingerprint: 10B2 E4A0 E718 BB1B 2791 DAC4 F040 E41B 9369 CDF3
>
> According to the website, the second line confirms all is well, but then
> why the third and fourth lines' WARNING etc.?
Long:
It says that YOU did not tell "GnuPG" to trust the key the package is signed
with. Imagine me as a man-in-the-middle. Then I could have
- created a key with the name of Patrick and uploaded it to the keyservers
- modified the website (on the server or in transit) to point to my key
If you now download, you'll also get a "Good signature from Patrick" because
all Enigmail/GnuPG can do is to check the integrity of the message. There is
no way for any program to tell whether the key belongs to the real Patrick;
even "Patrick" could be an alias that he has used for years.
Short:
The warning is just about the missing link between the UID claim
and the real world. If you *really* want to know, visit him in Zurich and
verify his ID card with your own eyes. ;-) After that, you may certify ("sign")
his key with yours. Now the warning is gone.
Advanced:
If you then republish his (now also signed by you) key to the keyservers,
other OpenPGP users that certified your key and *trust* it may also get a
valid verification (without warning) since there now is a "trust chain".
Ultimately this leads to a "web of trust".
Mind the distinction between "certification" (aka key signing) and "trust" (aka
owner-trust). The former is written into the certified public key (and taken
over by keyservers if the key is sent to them and it was not a local-only
signature); the latter is stored separately (locally only) in a "trust DB".
The value that decides whether to display the above warning is the "calculated
trust" which is a function of certification level and owner trust. There are
multiple trust models and settings that influence how this is calculated.
A classic example is a message signed by a key which in turn is certified by
your own (ultimately trusted) key.
> Be gentle, obviously I'm an utter noob...
That's what this list is for: asking questions. Your questions will get more
complicated to answer over time ;-)
Olav
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: This is a digital signature following the OpenPGP standard
Comment: Further information: http://privat.seyfarth.de/olav/
iJwEAQECAAYFAke+iTMACgkQ/dJ0ek5GOmqGlgP9FRYHAQpODCUmEP0K4JYd7jHr
ay/gO6eJZbaVvJqqW7x4bF4aGSWmHY5KixCIXTIIYxa3UlKrpJ7yKD0/jcCyGKjh
gMuRXlEPHVnMwGiR6ZXNa7dhRyVLTnwZ4N5f2cLMiaLkXGRU+DAQFvhZVi+OxijA
zl6PXvC/eqQi9LeTfdo=
=uDdB
-----END PGP SIGNATURE-----