[colug-432] Keysigning Party at OLF

Aaron Toponce aaron.toponce at gmail.com
Sat Sep 3 10:00:58 EDT 2011


On Sat, Sep 03, 2011 at 09:51:34AM -0400, Bill Baker wrote:
> Question: I'm a relative gpg newbie and I'm not sure what to do with
> that output.  I tried doing a "gpg --recv-keys" followed by the key ID.
> It worked, but now Evolution tells me "Valid signature, but cannot
> verify sender."  Is there any way to change that?  Did I miss a step
> somewhere?  I tried googling it, but couldn't find anything useful.

You haven't signed my key, so you haven't built a relationship of trust
with my key. As a result, GnuPG is telling you that technically speaking,
the signature is legit, but you don't know me, so I could be some bad guy,
using a key and signing messages, hoping to steal your secrets.

Thus, the whole point of the keysigning party. We build relationships of
trust with our keys, called the Web of Trust. The more signatures a key
has, and the lower the Mean Signature Distance (MSD) on that key, the more
likely that key is to be trusted.

Here is my "web of trust": http://aarontoponce.org/pubring.gif. I am in the
pink circle. Take any node in that graph, and count the shortest number of
direct hops it needs to reach me. My MSD is about 5 hops. I'm hoping to get
that number lower.

Hope that clarifies what it means that Evolution cannot "verify sender".

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 527 bytes
Desc: Digital signature
Url : http://lists.colug.net/pipermail/colug-432/attachments/20110903/41e3f65f/attachment.bin 
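
The hop counting described in the message above, as an added Python example that is not part of the original post. The key names and signature graph are constructed sample data, and it assumes an edge runs from a signer to the key it certified and that the mean is taken over every key with a path to the target.

```python
from collections import deque

# Constructed sample data: signer -> keys that signer has certified.
# Names are hypothetical placeholders, not real key IDs.
SIGNATURES = {
    "alice": ["bob", "carol"],
    "bob": ["carol", "dave"],
    "carol": ["alice", "dave"],
    "dave": ["erin"],
    "erin": ["dave"],
    "mallory": [],  # signed nothing, signed by nobody
}


def hops_to(target, signatures):
    """Shortest signature-chain length from each key that can reach target."""
    # Reverse the edges so a single BFS from target gives distances *to* it.
    signed_by = {}
    for signer, signees in signatures.items():
        for signee in signees:
            signed_by.setdefault(signee, set()).add(signer)

    dist = {target: 0}
    queue = deque([target])
    while queue:
        key = queue.popleft()
        for signer in signed_by.get(key, ()):
            if signer not in dist:
                dist[signer] = dist[key] + 1
                queue.append(signer)
    del dist[target]  # the target's distance to itself is not counted
    return dist


def mean_signature_distance(target, signatures):
    """Average hop count over keys with a path to target; None if isolated."""
    dist = hops_to(target, signatures)
    if not dist:
        return None
    return sum(dist.values()) / len(dist)


if __name__ == "__main__":
    for key in SIGNATURES:
        print(key, mean_signature_distance(key, SIGNATURES))
```

A key that nobody has signed, like "mallory" here, has no path from any other key, which is the graph view of a signature that is valid but whose sender cannot be verified.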

