On Sat, 2006-09-30 at 19:55 -0400, Ric Moore wrote: > Anne, when I get your email from this list there is a bottom brownish > bar that sez that your key is invalid. Is that because it passes > through the list server? It's got a boxing glove looking icon with an > X in the knuckles area. FYI, Ric That'd be because you don't have Evolution/gpg set up to automatically get keys if it doesn't already have them. The check is not just that the message has been signed, but that the key is the correct one. The way it does that is to check against the keys already in your possession, and/or fetching those that are not. Think of it like a cop picking up what he thinks is a burglar about to break into a house. He wouldn't just ask the guy if he had a key to get in the door, and to see that he has a key in his hand. He'd ask him to put the key in the lock and prove that it was the right key. This is where the "proof" comes in. Anybody can create a key in someone else's name, but it will be a *different* key. It won't match, and you can tell them apart. For further proof, keys can be countersigned by other users, somewhere along the line one of the keys should be signed by someone that you personally know, or some authority that you would have trusted to check that the person really was who they say they are. Therein lay the letdown with pgp implementations: Most keys aren't countersigned by someone else, or by someone else that you'd rely on. So while you'd be sure that you were conversing with the same person as last time, you don't know if they claim that they are who they say they are. And to be honest, considering how many people do set up their PCs, you don't even know that. Too many people will set up their PCs so that they don't have to provide a passphrase, and anybody using that box can post as them. -- (Currently running FC4, in case that's important to the thread) Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
