Fwd: PGP Signing

Nikos Roussos comzeradd at fsfe.org
Fri Jul 18 07:07:45 UTC 2014


On Fri, 2014-07-18 at 01:00 +0100, Allan Irving wrote:
> 
> 
> Okay, so I've managed to set up PGP as per the documentation.
> 
> 
> 
> My question is how does signing work and when someone signs my key,
> does it go like this:
> 
> 
> 1. I send them my public key,
> 2. They sign it.

Yes, but make sure that you send them your public key through a secure
channel (ideally in person).

I tend to sign only people I know. If I have to see an ID I don't sign
the key :) But that's my personal rule. Everyone has his/her own rules
for signing. 

> 3. They send me back the exported signed key, which now has their
> signature.

Ideally they sign each uid of your key separately and send them to each
email address, so they can also verify that you own these email
addresses.

There is a tool that automates this procedure:
https://wiki.debian.org/caff

> 4. I then import this into my keychain, and reupload it to a key
> server and as an armoured file onto my website or wherever I post it
> for download.

Yes, but it's up to you if you want to publish a certain signature.
Remember that the web of trust is public, so depending on your paranoia
level you may or may not want to reveal that certain people trust your
key :)

There is also a tool (that I can't recall now) that syncs your keyring
asynchronously with multiple keyservers to prevent anyone from knowing
which keys you have on your local keyring.

Again, make sure that the file you upload on your website is distributed
securely, at least through https.
For instance I serve it through https although the rest of my site is
http only: http://www.roussos.cc/contact.html

~nikos
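
An added example, not part of the original message: before re-uploading a key after importing returned signatures, it helps to see which third parties certified which uid, and whether a certification is exportable or local-only. The sketch below parses the output of `gpg --list-sigs --with-colons` for a single key; the sample input, key IDs and function names are constructed for illustration.

```python
# Added example: list third-party certifications per UID from
# `gpg --list-sigs --with-colons` output. SAMPLE is constructed, not real keys.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1405641600:::u:::scESC:
uid:u::::1405641600::0000000000000000000000000000000000000001::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1405641600::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1405700000::::Bob Example <bob@example.org>:13x:
uid:u::::1405641600::0000000000000000000000000000000000000002::Alice Example <alice@example.net>:
sig:::1:AAAAAAAAAAAAAAAA:1405641600::::Alice Example <alice@example.org>:13x:
sig:::1:CCCCCCCCCCCCCCCC:1405800000::::Carol Example <carol@example.org>:13l:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1405641600::::::e:
sig:::1:AAAAAAAAAAAAAAAA:1405641600::::Alice Example <alice@example.org>:18x:
"""

# OpenPGP certification signature classes (0x10 to 0x13), as printed in field 11.
CERT_CLASSES = {"10", "11", "12", "13"}


def third_party_certs(colon_output):
    """Map each UID to a list of (signer_keyid, signer_uid, exportable).

    Assumes the listing covers one primary key. Self-signatures and
    subkey binding signatures are skipped.
    """
    own_keyid = None
    current_uid = None
    certs = {}
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            own_keyid, current_uid = f[4], None
        elif f[0] == "uid":
            current_uid = f[9]
            certs[current_uid] = []
        elif f[0] in ("sub", "uat"):
            current_uid = None  # signatures that follow are not on a UID
        elif f[0] == "sig" and current_uid is not None and len(f) > 10:
            sig_class, flag = f[10][:2], f[10][2:]
            if sig_class in CERT_CLASSES and f[4] != own_keyid:
                # 'x' marks an exportable signature, 'l' a local-only one
                certs[current_uid].append((f[4], f[9], flag == "x"))
    return certs


def uids_missing_signer(certs, signer_keyid):
    """UIDs that carry no certification from the given signer key ID."""
    return [uid for uid, sigs in certs.items()
            if all(keyid != signer_keyid for keyid, _, _ in sigs)]
```

A uid reported by `uids_missing_signer` is one the signer did not certify, which is the expected result when a per-uid signature mailed to that address was never imported.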
