[vox-tech] question about trust (gpg)
Ryan
vox-tech@lists.lugod.org
Thu, 25 Jul 2002 16:44:22 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 25 July 2002 03:53 pm, Peter Jay Salzman wrote:
> here are the people who have verified my fingerprint over the phone:
>
> p@satan% gpg --list-sigs dirac
> pub 1024D/67EA951D 2000-12-08 Peter Jay Salzman <p@dirac.org>
> sig 67EA951D 2000-12-08 Peter Jay Salzman <p@dirac.org>
> sig 58D7BA3C 2000-12-12 Henry House <hajhouse@houseag.com>
> sig 074A81E6 2002-07-23 dugan (ME) <dugan@passwall.com>
> sub 2048g/BA20F792 2000-12-08
> sig 67EA951D 2000-12-08 Peter Jay Salzman <p@dirac.org>
>
>
> this afternoon, i spoke with ryan over the phone and we exchanged
> fingerprints. then he signed my public key and sent me an exported copy
> of it. i then --imported it. now the list of people who trust me is:
>
> pub 1024D/67EA951D 2000-12-08 Peter Jay Salzman <p@dirac.org>
> sig 67EA951D 2000-12-08 Peter Jay Salzman <p@dirac.org>
> sig 58D7BA3C 2000-12-12 Henry House <hajhouse@houseag.com>
> sig 074A81E6 2002-07-23 dugan (ME) <dugan@passwall.com>
> sig DF61615F 2001-12-13 [User id not found]
> sig 72177BC7 2002-07-25 Ryan Castellucci <ryan@mother.com>
> sub 2048g/BA20F792 2000-12-08
> sig 67EA951D 2000-12-08 Peter Jay Salzman <p@dirac.org>
>
> question: now, i assume that ryan's key was signed by whoever owns key
> DF61615F, and that since DF61615F trusts ryan, then DF61615F trusts me
> as well, right? is this the "5 person rule" in action?
No, this is incorrect. The copy of your key that I had had been signed by
DF61615F, who claims to trust your key. gpg does not sign a key with keys
your key has been signed with (did that make sense?)
> question: henry (who signed my public key awhile ago) has no knowledge
> that ryan and matt now trust my key. i WOULD like for him to know, just
> in case he passes my key to someone else (or just because i want him to
> know that i'm trusted and loved by all...). is the standard operating
> procedure to send a copy of my key, along with the new people who signed
> it, to the people who previously signed my key?
Yeah, the keyservers are great for this. You could set up a script to run via
a cron job to sync with the keyservers (weekly is my suggestion....) and
automatically download the keys to any unknown signatures. (if anyone has/knows
of such a script, please share)
It seems to me that notifying mailing lists (vox) with a short "My PGP/GPG key
was signed by additional people on $DATE, contact me if you'd like a copy, or
download it from a keyserver" would be fine, as would emailing friends who
care.
It might be nice if gpg had the ability to sync your keys with a keyserver
built in.
- --
PGP/GPG Fingerprint: 3B30 C6BE B1C6 9526 7A90 34E7 11DF 44F3 7217 7BC7
On pgp.mit.edu, import with `gpg --keyserver pgp.mit.edu --recv-key 72177BC7`
Also available at http://www.cal.net/~ryan/ryan_at_mother_dot_com.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9QI1WEd9E83IXe8cRAvMVAKCRrLNi7MrLdWgCOG8JaZjvs0B7mACfXK5x
FRAQd4CQYhDa/fh7B42k8Hk=
=v2NR
-----END PGP SIGNATURE-----
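
A cron-driven keyserver sync of the kind the reply above asks for could look like the following. It is an added example, not part of the original post or of GnuPG; the function names, the `sync` argument, the crontab path and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Weekly keyserver sync for cron (added example, not from the original post).
# Hypothetical crontab entry:  0 3 * * 0  /path/to/gpg-sync.sh sync
KEYSERVER="${KEYSERVER:-pgp.mit.edu}"   # keyserver named in the post

# Read `gpg --check-sigs --with-colons` output on stdin and print the long key
# ID of each signature whose signing key is missing from the keyring. In that
# format a "sig" record carries "?" in field 2 when there is no public key to
# check it with, and the signer's key ID in field 5.
unknown_signers() {
    awk -F: '$1 == "sig" && substr($2, 1, 1) == "?" &&
             length($5) == 16 && $5 !~ /[^0-9A-Fa-f]/ { print toupper($5) }' |
        sort -u
}

# Constructed sample listing (made-up key IDs) so the parser runs offline.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:1111111111111111:976233600:::u:::scESC:
sig:!::17:1111111111111111:976233600::::Example User <user@example.org>:13x:
sig:?::17:2222222222abcdef:1008201600::::[User ID not found]:10x:
sig:?::17:2222222222ABCDEF:1008201600::::[User ID not found]:10x:
sig:!::17:3333333333333333:1027555200::::Other Signer <other@example.org>:10x:
EOF
}

sync_keys() {
    # Pull new signatures and revocations for keys already on the keyring.
    gpg --batch --keyserver "$KEYSERVER" --refresh-keys
    # Fetch the keys behind any "[User id not found]" signatures. $ids is left
    # unquoted on purpose: it holds only validated hex IDs, one per word.
    ids=$(gpg --batch --check-sigs --with-colons 2>/dev/null | unknown_signers)
    [ -z "$ids" ] || gpg --batch --keyserver "$KEYSERVER" --recv-keys $ids
}

# Contact the keyserver only when asked to, e.g. from cron.
if [ "${1:-}" = "sync" ]; then
    sync_keys
fi
```

Fetching a signer's key only lets gpg check that signature; whether the key belongs to the named person still has to be settled by comparing fingerprints, as in the phone exchange described in the thread.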