[TriLUG] Can I trust that key?

Mike Mueller linux-support at earthlink.net
Thu Dec 11 21:46:36 EST 2003


- I downloaded knoppix iso/md5/md5.asc
- I verified the md5.asc (see below)
- I became curious about how I would go about assigning trust to this 
signature. Not the syntax of the gpg command to assign trust, rather the 
human interaction - the key signing parties - how would I find a chain of 
trust back to Klaus? I could check the fingerprint on a website but the site 
could be hacked.  I won't call Klaus on the phone, but if I did, how would I 
know it was him?  In a trust chain you physically verify ID, human form, and 
pgp key - that makes sense.  But how do you trace a line of trust to someone 
like Klaus?

mike01 at deb2:~/knoppix$ gpg --verify KNOPPIX_V3.3-2003-11-19-EN.iso.md5.asc
gpg: Signature made Wed Nov 19 21:22:23 2003 EST using RSA key ID BA8F038D
gpg: Good signature from "Klaus Knopper <knopper at linuxtag.org>"
gpg:                 aka "Klaus Knopper <knopper at linuxtag.de>"
Could not find a valid trust path to the key.  Let's see whether we
can assign some missing owner trust values.

No path leading to one of our keys found.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
gpg: Fingerprint: 2B 01 12 1B 55 5B 31 58  47 F4 C3 4B 7B DC 2E 6B

-- 
Mike Mueller
324881 (08/20/2003)
Make clockwise circles with your right foot. 
Now use your right hand to draw the number "6" in the air.


