[Enigmail] Hello, signature test
Robert J. Hansen
rjh at sixdemonbag.org
Sat Sep 6 16:25:48 PDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
John W. Moore III wrote:
> All 'Untrusted' means is that I haven't conferred any 'Trust' on Your
> Key because, well, I don't trust You just because You have a Key and a
> properly configured GnuPG configuration.
John is right -- nothing I say here is going to disagree with him. It's
just going to explain him.
Signatures are the most subtle and most error-prone part of GnuPG. For
a signature to be meaningful, the following has to take place:
1. The signature must be mathematically correct
2. You must know the signing key really belongs to such a person
3. You must trust the person the signing key belongs to
All GnuPG can do for you is step 1. Steps 2 and 3 are mostly up to you.
As an example, imagine that you received a signed email, and the name on
the key was "George W. Bush <w at whitehouse.gov>". Would you believe it
came from the President, or would you say "hey, anyone can make a key
and claim it belongs to the President. I need to do some checking"?
This email is signed. The name on the key is "Robert J. Hansen".
Should you believe that I'm really Robert J. Hansen?
The way we get around this is to verify our keys. If you were to meet me
in person, if I were to let you see my passport, if I were to tell you
the cryptographic hash of my key, would you then believe your copy of my
key really belonged to me? Probably so -- we would then say you have
verified my key.
Finally, let's say that after you meet me, you decide that (for whatever
reason!) you shouldn't trust me. If you don't trust a person, then
there's no reason for you to trust a signed message from that person.
... If you get a message which has a correct signature from a key you
have verified as belonging to someone that you trust, then you may rely
on that signature.
Anything else, and you really can't.
This is why I so rarely sign my messages to mailing lists. Most of the
people on the list do not know me, have not verified my key or my
identity, and so the signature is useless to them.
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iFYEAREIAAYFAkjDEXwACgkQI4Br5da5jhCp9wDfeOUI+M+z40TZ5hHV3484x1gB
YZoggBf+mtutagDffNo/jam2yVXnl9JRa/px7oNMeT7bfBGXDlVKt4kBHAQBAQgA
BgUCSMMRfAAKCRC3APSC/q+BCZWDB/0aBS9eX9DHkRwQmBMaRBHRdqKTFXhsDFB7
YrTlF8CrtuYDSqcEpwIATE4bI3Dbl6Gs1eSKSGJ9tdZ98J+FkKcn1zGOFAQBIv48
2ZBVg9RSbkbdkdiBwRKhKWlkxdKqpBFDoxlUbFro41/g9kCBVL0Jk/LCz83LOBqP
C35vMtuvYLInYzbeW4jfg0hu/TRSiM2zs0pI5S7XG8TMARc/nlSxfFlYPhusjLb3
yNycePLlAOnyNo2HvhaQLJ5ccmvGMR9RJycNWaZrLYhrSp1OS7s6MZGXsk6PM7sQ
Xb5FuApR+Om1UcMnGMzB2f637sSqLp0FW9tGjImFxgC2efUpStjy
=Ejbk
-----END PGP SIGNATURE-----
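The three conditions above map directly onto what GnuPG reports when it is run with --status-fd, which is the form any script or mail client should read rather than grepping the human-readable output. The following is an added example, not part of the original post: it parses constructed --status-fd lines (the fingerprint and user ID are made up) and refuses to rely on a signature unless GOODSIG/VALIDSIG are present with nothing fatal (step 1), GnuPG reports the key as valid via TRUST_FULLY or TRUST_ULTIMATE (step 2, which GnuPG can only compute from certifications and ownertrust you recorded yourself), and the primary-key fingerprint is on a list the caller has decided to trust for this purpose (step 3, which never comes from GnuPG). The `may_rely` and `parse_status` names and the `trusted_signers` parameter are this example's own.

```python
"""Decide whether a GnuPG signature may be relied on (added example).

Reads the machine-readable lines GnuPG prints on --status-fd (format from
GnuPG's doc/DETAILS) and applies the three conditions from the post:
  1. mathematically correct    -> GOODSIG seen, no BADSIG/ERRSIG/etc.
  2. key belongs to the person -> TRUST_FULLY or TRUST_ULTIMATE
  3. you trust that person     -> fingerprint is in the caller's own list
"""
import sys
from dataclasses import dataclass, field

# Status keywords that mean the signature cannot be relied on regardless
# of anything else printed.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
KEY_VALID = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class Verdict:
    crypto_ok: bool = False      # step 1: GOODSIG seen and nothing fatal
    key_valid: bool = False      # step 2: GnuPG computed the key as valid
    fingerprint: str = ""        # primary-key fingerprint from VALIDSIG
    signer: str = ""             # user ID from GOODSIG (display only!)
    problems: list = field(default_factory=list)


def parse_status(lines):
    """Reduce --status-fd output to a Verdict. Unknown keywords are ignored."""
    v = Verdict()
    for raw in lines:
        if not raw.startswith("[GNUPG:] "):
            continue                          # skip human-readable output
        fields = raw[len("[GNUPG:] "):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            v.crypto_ok = True
            v.signer = " ".join(args[1:])     # args[0] is the long key ID
        elif keyword == "VALIDSIG":
            # args[0] = signing-key fpr; args[9], if present, = primary fpr
            v.fingerprint = args[9] if len(args) > 9 else args[0]
        elif keyword in FATAL:
            v.crypto_ok = False
            v.problems.append(keyword)
        elif keyword.startswith("TRUST_"):
            v.key_valid = keyword in KEY_VALID
            if not v.key_valid:
                v.problems.append(keyword)    # e.g. TRUST_UNDEFINED
    return v


def may_rely(lines, trusted_signers):
    """All three conditions must hold.

    trusted_signers is the set of primary-key fingerprints the caller has
    verified and decided to trust for this purpose (step 3). Requiring the
    TRUST_* line as well means a stale allowlist entry for a key you have
    since marked untrusted in GnuPG is still rejected.
    """
    v = parse_status(lines)
    if not v.crypto_ok or v.problems:
        return False
    allowed = {f.upper() for f in trusted_signers}
    return v.key_valid and v.fingerprint.upper() in allowed


# Constructed sample status output; fingerprint and user ID are made up.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_SIG = [
    f"[GNUPG:] GOODSIG {FPR[-16:]} Example Signer <signer@example.org>",
    f"[GNUPG:] VALIDSIG {FPR} 2008-09-06 1220743548 0 4 0 17 8 01 {FPR}",
]
SAMPLE_VERIFIED_KEY = _SIG + ["[GNUPG:] TRUST_FULLY 0 pgp"]
SAMPLE_UNKNOWN_KEY = _SIG + ["[GNUPG:] TRUST_UNDEFINED 0 pgp"]
SAMPLE_TAMPERED = [f"[GNUPG:] BADSIG {FPR[-16:]} Example Signer <signer@example.org>"]

if __name__ == "__main__":
    # Real use: gpg --status-fd 1 --verify msg.asc 2>/dev/null | python3 verify.py
    if sys.stdin.isatty():
        lines = SAMPLE_UNKNOWN_KEY
    else:
        lines = sys.stdin.read().splitlines()
    v = parse_status(lines)
    print(f"signer={v.signer!r} crypto_ok={v.crypto_ok} "
          f"key_valid={v.key_valid} problems={v.problems}")
    print("rely on this signature:", may_rely(lines, {FPR}))
```

The point the code makes is that GOODSIG on its own is exactly the "Untrusted" case from the post: the arithmetic checked out, but GnuPG will print TRUST_UNDEFINED for any key you merely downloaded, and a checker that stops at GOODSIG has done only step 1.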