
Working with trust / key signing.


j...@raspberry.invalid

Mar 2, 2022, 1:06:38 AM3/2/22
Hello Newsgroup, or shall I say "breaker 1-9" as Usenet seems to be
about as active as CB radio is these days...

I'm trying to wrap my head around the trust levels.

I get the idea that I can sign someone's key which will let people know
that key is more trustworthy, assuming they trust my key.

What I don't understand, and I'm hoping you can help me, is how to
export and import that trust. All the guides I've seen talk about
keyservers, but suppose I don't have access to the keyserver?

Something like:

$ gpg --sign-key [keyid]


$ gpg --export-trustdb-or-something [keyid] >file.cert

Where "file.cert" would, presumably, have my key along with the key I
signed that could then be imported by other people.

There's this: --export-ownertrust

But it's just a text file of fingerprint and my trust levels. Anyone
could create a text file like that and feed it into gpg with new trust
levels. It's not signed, I can't say "import these levels, but only
accept them if they came from someone I trust"

What am I missing?

Thanks to any ghosts of usenet past for answering. :-)


Grant Taylor

Mar 2, 2022, 1:26:51 AM3/2/22
On 3/1/22 11:06 PM, j...@raspberry.invalid wrote:
> Hello Newsgroup, or shall I say "breaker 1-9" as Usenet seems to be
> about as active as CB radio is these days...

There are still some of us active on Usenet. You and I make +2 in this
newsgroup. There are other newsgroups that are quite active.

> I'm trying to wrap my head around the trust levels.

I'm aware of trust levels, but I don't remember the particulars. I'd
have to go back and re-read pertinent parts of books. Michael W.
Lucas's PGP / GPG book comes to mind.

> But it's just a text file of fingerprint and my trust levels. Anyone
> could create a text file like that and feed it into gpg with new
> trust levels. It's not signed, I can't say "import these levels,
> but only accept them if they came from someone I trust"

I really thought that there was more to it. But there's a good chance
that the more to it is actually in the finger print or better described
as the data that we humans don't natively interpret.

I distinctly remember reading something in the aforementioned book
wherein the signed public key was exportable, including your signature,
which the key owner could import to gain your signature. I'd have to
re-read the germane section of the book.

> What am I missing?

I don't know what you're missing, but I strongly suspect that there is
something missing.

> Thanks to any ghosts of usenet past for answering. :-)

<boo type="friendly"/>



--
Grant. . . .
unix || die

David E. Ross

Mar 2, 2022, 1:44:00 AM3/2/22
If you have access to the Internet, then you have access to a number of
public key servers. You sign someone else's PUBLIC key using your own
PRIVATE key. You then upload that PUBLIC key to a key server. (NEVER
upload your own private key.)

Access a key server by using your Web browser. See my
<http://www.rossde.com/PGP/pgp_keyserv.html> for a list that includes
links to servers. When you are at the Web site of a server, you should
see a link to search for a public key and a link to upload a public key.

Courtesy requires you to find out if the owner of that public key wants
the signed key to appear on a server. If the owner does indeed want it
uploaded, find out which servers the owner prefers. This last thing is
important because many servers have stopped synchronizing with other
servers.

--
David E. Ross
"A Message to Those Who Are Not Vaccinated"
See my <http://www.rossde.com/index.html#vaccine>.

Arthur T.

Mar 2, 2022, 2:07:34 AM3/2/22
Note: much unmarked snippage in quoted text.

In Message-ID:<svn1ha$sic$1...@gioia.aioe.org>,
<j...@raspberry.invalid> wrote:
>I'm trying to wrap my head around the trust levels.
>
>I get the idea that I can sign someones key which will let people know
>that key is more trustworthy, assuming they trust my key.
>
>What I don't understand, and I'm hoping you can help me, is how to
>export and import that trust.
>
>Something like:
>
>$ gpg --sign-key [keyid]
>
>
>$ gpg --export-trustdb-or-something [keyid] >file.cert
>
>Where "file.cert" would, presumably, have my key along with the key I
>signed that could then be imported by other people.
>
>What am I missing?

It's been a long time, but I think this is correct. If not, I'm sure
that Cunningham's law will prevail.

For ease of writing, I'll assume that [keyid] belongs to Alice's key.

Your command "gpg --sign-key [keyid]" alters Alice's key in your
keyring to show that you've signed it. If you export her key and send
it to Bob, it will show that your key signed it. If Bob already has
your key (and he trusts you), he'll trust Alice's key.

Better yet, though, is to send your signed version of Alice's key
back to Alice. When she imports it, your signature will be added to
all of the other signatures she already has. Thus, when she sends it
to Bob, it'll have all of the signatures she's reaped.

Note that if Bob doesn't already have your key, he has to get it.
That could be directly from you, from Alice, or wherever. Your key
should have as many signers as possible so that Bob can trust that
it's actually yours. Otherwise, he needs to find some other way to
verify it. For instance, if he knows you, you can meet, call, or text
and exchange your key's fingerprint.

And, of course, you get signers by having people sign your key and
sending it back to you.

--
Arthur T. - ar23hur "at" pobox "dot" com
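
The flow Arthur describes above (certify Alice's key, export it, send it to Bob and back to Alice), together with the original poster's worry that --export-ownertrust is just unsigned text, as an added shell walkthrough that is not part of any post in this thread. It builds throwaway GNUPGHOME directories for "you", Alice and Bob (every name, address and path is constructed for the demo), shows that the certification travels inside the exported public key rather than in the trust database, lets Bob import it and assign his own ownertrust, and prints the ownertrust line to show it is a local, plain-text setting that nobody distributes. It assumes GnuPG 2.1 or later (for --quick-generate-key and --quick-sign-key) plus awk and mktemp.

```shell
#!/bin/sh
# Added example (not from any post in this thread): the "certify Alice's key,
# export it, give it to Bob and back to Alice" flow in throwaway keyrings, plus
# a look at what --export-ownertrust really contains.  Every name, address and
# path here is constructed for the demo; it assumes GnuPG >= 2.1, awk, mktemp.
set -eu

DEMO=$(mktemp -d)
YOU="$DEMO/you"; ALICE="$DEMO/alice"; BOB="$DEMO/bob"
mkdir -m 700 "$YOU" "$ALICE" "$BOB"

# Run gpg against one isolated keyring: no pinentry, empty passphrases.
g() {
  _home=$1; shift
  GNUPGHOME="$_home" gpg --batch --quiet --no-tty \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Primary fingerprint of the key matching a user id, in the given keyring.
fpr() {
  g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Long key id (last 16 hex digits) of a fingerprint; --check-sigs reports
# the signer by key id, not by fingerprint.
keyid() { printf '%s\n' "$1" | awk '{ print substr($0, length($0) - 15) }'; }

run_demo() {
  # Each party generates a key pair in their own keyring.
  g "$ALICE" --quick-generate-key 'Alice <alice@example.invalid>' default default never
  g "$YOU"   --quick-generate-key 'You <you@example.invalid>'     default default never
  ALICE_FPR=$(fpr "$ALICE" alice@example.invalid)
  YOU_FPR=$(fpr "$YOU" you@example.invalid)

  # 1. Alice sends you her public key.  You check its fingerprint with her
  #    out of band (not shown) before importing it.
  g "$ALICE" --export --armor "$ALICE_FPR" > "$DEMO/alice.pub.asc"
  g "$YOU" --import "$DEMO/alice.pub.asc"

  # 2. You certify it.  That appends a signature packet to Alice's public key
  #    in your keyring; nothing in the trust database changes.
  g "$YOU" --quick-sign-key "$ALICE_FPR"

  # 3. Export Alice's key again.  The export now carries your certification:
  #    this file, not the trustdb, is what goes to Bob and back to Alice.
  g "$YOU" --export --armor "$ALICE_FPR" > "$DEMO/alice.signed-by-you.asc"
  g "$YOU" --export --armor "$YOU_FPR"   > "$DEMO/you.pub.asc"

  # 4. Bob imports your public key and the signed copy of Alice's key.
  g "$BOB" --import "$DEMO/you.pub.asc" "$DEMO/alice.signed-by-you.asc"

  # 5. Bob decides locally how far he trusts you as a certifier (6 = ultimate,
  #    as for his own key).  This is ownertrust: Bob's opinion, in Bob's trustdb.
  printf '%s:6:\n' "$YOU_FPR" | g "$BOB" --import-ownertrust
  g "$BOB" --check-trustdb
}

# "!" if Bob's keyring holds a good certification of Alice's key by your key.
sig_status() {
  g "$BOB" --with-colons --check-sigs "$ALICE_FPR" \
    | awk -F: -v k="$(keyid "$YOU_FPR")" '$1 == "sig" && $5 == k { print $2; exit }'
}

# Validity gpg computes for Alice's key in Bob's keyring ("f" = fully valid).
alice_validity() {
  g "$BOB" --with-colons --list-keys "$ALICE_FPR" | awk -F: '$1 == "pub" { print $2; exit }'
}

# The ownertrust entry Bob just created, exactly as --export-ownertrust emits
# it: one unsigned "fingerprint:level:" line that anyone could have typed.
ownertrust_line() { g "$BOB" --export-ownertrust | grep "^$YOU_FPR:"; }

# Stop the per-keyring agents and delete the throwaway directories.
cleanup_demo() {
  for h in "$YOU" "$ALICE" "$BOB"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$DEMO"
}

if command -v gpg >/dev/null 2>&1; then
  run_demo
  echo "Bob's check of your certification on Alice's key: $(sig_status)"
  echo "validity Bob's gpg computes for Alice's key:      $(alice_validity)"
  echo "ownertrust line Bob would export:                 $(ownertrust_line)"
else
  echo "gpg not installed; demo skipped" >&2
fi
```

Run it as a script and call cleanup_demo afterwards; the keyrings are left in place so the three query functions can be re-run. The point to take from the output: Bob sees your certification because it is part of the exported key (sig_status prints "!"), Alice's key only becomes fully valid for Bob after Bob himself assigns ownertrust to your key, and that ownertrust is a one-line local setting, which is why exporting it is not a way to pass trust to anyone else.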

David W. Hodgins

Mar 2, 2022, 6:47:39 AM3/2/22
On Wed, 02 Mar 2022 01:06:37 -0500, <j...@raspberry.invalid> wrote:
> Hello Newsgroup, or shall I say "breaker 1-9" as Usenet seems to be
> about as active as CB radio is these days...

:-)

> I'm trying to wrap my head around the trust levels.

Others have answered the specific question. Just wanted to point out there is
https://www.gnupg.org/faq/gnupg-faq.html that has a lot of info too.

Regards, Dave Hodgins

j...@example.invalid

Mar 2, 2022, 11:44:21 PM3/2/22
I am really impressed anyone answered at all!

I do have the gpg info files installed; there are a zillion pages out
there filled with information about PGP, but not much about how the web
of trust works, or at least none that I found (perhaps because it was
buried under the 500,000 pages offering helpful advice on how to set up
PGP).

I thought using the gnupg module from Python would be easier, but I'm
starting to get the impression it would be better to just write the
methods I need and invoke the binary myself.

Thank you to everyone who replied. It makes my day that people are still
using usenet. I have a lot of fond memories of it, from back in the
golden days.

David W. Hodgins

Mar 3, 2022, 12:40:13 AM3/3/22
On Wed, 02 Mar 2022 23:44:19 -0500, <j...@example.invalid> wrote:

> David W. Hodgins <dwho...@nomail.afraid.org> wrote:
>> On Wed, 02 Mar 2022 01:06:37 -0500, <j...@raspberry.invalid> wrote:
>>> Hello Newsgroup, or shall I say "breaker 1-9" as Usenet seems to be
>>> about as active as CB radio is these days...
>>
>> :-)
>>
>>> I'm trying to wrap my head around the trust levels.
>>
>> Others have answered the specific question. Just wanted to point out there is
>> https://www.gnupg.org/faq/gnupg-faq.html that has a lot of info too.
>
> I am really impressed anyone answered at all!
>
> I do have the gpg info files installed, there's a zillion pages out
> there filled with information about PGP, but not much about how the web
> of trust works, or at least, none that I found (perhaps because it was
> buried under the 500,000 pages offering helpful advice on how to setup
> PGP)

See https://www.rossde.com/PGP/pgp_signatures.html#keys

Note that Thunderbird can generate its own keys for encryption, but doesn't use
the web of trust like gpg/pgp.

Regards, Dave Hodgins