On Tue, 2003-12-30 at 15:54, Trevor Smith wrote:
> On Tue, 30 Dec 2003 01:12:13 -0500, Lorenzo Prince wrote:
>
> >This is true, but with the current GPG tools, it seems much easier, at least to
> >me, to simply export my key to a keyserver and let anyone import it if needed.
> >More importantly, if I export my key, most servers sync with the server my key is
> >posted on so in most cases it doesn't matter what keyserver you use.
>
> Automatic downloading of keys makes me wonder what the use of PGP / GPG
> signing really is. All it will do, in this case, is tell you that the
> person who sent the message is the person who uploaded the key. Which,
> in reality, tells you nothing.

Partially, yes. However, it all boils down to how you use it.

I don't download keys immediately, I'd much rather have a fingerprint
exchange after seeing some off-band id. Of course, many countries don't
have any kind of id, which makes it harder.

However, unless you have signed the key, you get a message like:

[rms@roque apache]$ gpg --verify mod_ssl-2.8.12-1.3.27.tar.gz.asc mod_ssl-2.8.12-1.3.27.tar.gz
gpg: Signature made Wed 23 Oct 2002 09:48:27 AM WEST using RSA key ID 26BB437D
gpg: Good signature from "Ralf S. Engelschall <rse@xxxxxxxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 00 C9 21 8E D1 AB 70 37 DD 67 A2 3A 0A 6F 8D A5

You see, that WARNING: is not there for nothing... it's there to WARN
you that you don't know if that's really Ralf's key or not. I'm still
waiting to meet him in person :)

Hugs, Rui

--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Please AVOID sending me WORD, EXCEL or POWERPOINT attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
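The fingerprint check discussed in the message above, as an added example that is not part of the original post: it reads the machine-readable lines gpg writes with `--status-fd` and accepts a signature only when the signing key's fingerprint equals one obtained out of band. The status lines are a constructed sample, and the function names and the choice to pin the fingerprint quoted in the message are assumptions of this example.

```python
import re

# Fingerprint obtained out of band; here, the one printed in the message above.
PINNED_FPR = "00 C9 21 8E D1 AB 70 37 DD 67 A2 3A 0A 6F 8D A5"

# Constructed, abridged status output (not captured from a real gpg run).
SAMPLE_STATUS = """\
[GNUPG:] VALIDSIG 00C9218ED1AB7037DD67A23A0A6F8DA5 2002-10-23 1035362907 0 3 0 1 1 00
[GNUPG:] TRUST_UNDEFINED
"""

# Status keywords that mean the signature itself cannot be relied on.
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize(fpr):
    """Drop spaces/colons and upper-case, so typed and machine forms compare equal."""
    return re.sub(r"[\s:]", "", fpr).upper()


def check_signature(status_text, pinned_fpr):
    """Return (accepted, reason) for gpg status lines and a pinned fingerprint."""
    candidates, trust = set(), None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        keyword, *args = line.split()[1:] or [""]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            # First field: fingerprint of the signing key; last field: the
            # primary key fingerprint, when gpg appends it (subkey signatures).
            candidates = {normalize(args[0]), normalize(args[-1])}
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not candidates:
        return False, "no VALIDSIG line"
    # A "good signature" from a key fetched off a keyserver still fails here
    # unless its fingerprint is the one that was exchanged out of band.
    if normalize(pinned_fpr) not in candidates:
        return False, "fingerprint mismatch"
    return True, f"matches pinned fingerprint (gpg reports {trust})"
```
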