[TriLUG] Can I trust that key?
Mike Mueller
linux-support at earthlink.net
Thu Dec 11 21:46:36 EST 2003
- I downloaded knoppix iso/md5/md5.asc
- I verified the md5.asc (see below)
- I became curious about how I would go about assigning trust to this
signature. Not the syntax of the gpg command to assign trust, rather the
human interaction - the key signing parties - how would I find a chain of
trust back to Klaus? I could check the fingerprint on a website but the site
could be hacked. I won't call Klaus on the phone, but if I did, how would I
know it was him? In a trust chain you physically verify ID, human form, and
pgp key - that makes sense. But how do you trace a line a trust to someone
like Klaus?
mike01 at deb2:~/knoppix$ gpg --verify KNOPPIX_V3.3-2003-11-19-EN.iso.md5.asc
gpg: Signature made Wed Nov 19 21:22:23 2003 EST using RSA key ID BA8F038D
gpg: Good signature from "Klaus Knopper <knopper at linuxtag.org>"
gpg: aka "Klaus Knopper <knopper at linuxtag.de>"
Could not find a valid trust path to the key. Let's see whether we
can assign some missing owner trust values.
No path leading to one of our keys found.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: 2B 01 12 1B 55 5B 31 58 47 F4 C3 4B 7B DC 2E 6B
--
Mike Mueller
324881 (08/20/2003)
Make clockwise circles with your right foot.
Now use your right hand to draw the number "6" in the air.
More information about the TriLUG
mailing list