List: kdepim-users
Subject: Re: [kdepim-users] Boyan Tabakov turned Green ! (PGP KGpg topic)
From: Boyan Tabakov <blade.alslayer () gmail ! com>
Date: 2007-01-19 8:46:38
Message-ID: 20070119084607.GA5144 () rainbow
Below is the original message from Jean-Philippe, as well as my answer. The
message was encrypted for me, but seems to be a post to everyone...
On Fri, Jan 19, 2007 at 09:30:53AM +0700, Jean-Philippe Monteiro wrote:
> Hi Community
>
> In the course of self-learning, and following a very old thread where
> Boyan "Blade" Tabakov proved very helpful, I was able to create my own
> key, encrypt some TAR files with it, and was able to sign (when I can
> remember of) outgoing messages. Thanks Blade!
You are welcome!
> Now this leaves me with two questions:
> -How do I automatically sign outgoing messages from my gmail account (the
> others do not have a key)?
That's easy: Settings -> Configure KMail -> Security -> Composing
- Automatically sign messages
> -How do I encrypt a message to someone I downloaded the key from?
>
In the composer window you should have two buttons Sign and Encrypt
(available as well from the Options menu). If you selected the
'Automatically sign messages' option, Sign should already be selected for
you. The message will be signed with the recipient's key if available (a
dialog box will appear to confirm the key selected). A nice option is to check
the 'Always encrypt to self' option (located in the same place as the
one mentioned above). That way all mail that is sent encrypted will be
encrypted with your public key too, making it possible for you to read it.
Otherwise you won't be able to read the mail you've sent encrypted.
> --All this is more self-learning than paranoia, apart from the legitimate
> will to ensure people around that, when I send a file, it hasn't been
> messed up with--
>
> for testing purposes, I have signed/acknowledged Anne Wilson, Boyan
> Tabakov & Ingo Klocker - out of intuition these people should be what
> they are, and not as recommended through some Accurate Verification
> Process - Hence, Anne & Ingo "turned Green" on my screen as well!
>
Thanks for the trust, but that is not a good practice. Maybe you've read
some of my older posts on how this is supposed to work, but I'll sum up
here:
The idea is to sign keys of people you know directly and whose public keys
you can obtain in a secure way - e.g. the other person himself gave you the
fingerprint on a sheet of paper. That way you are 100% sure that the key
belongs to him alone. If you choose to trust my key for example, how do you
know that I am really someone called 'Boyan Tabakov'? I could have created
a key stating that I am 'Ritchie Blackmore'. (Last time I mentioned Bill
Gates here, but thought it would be too much for the guy:) ). If you do
think you can trust my key, a good idea is to mark this with a local
signature (one that cannot be exported). See gpg's manual on how to create
local signatures.
> The killall question: what's the use for me to have a key, if I am not
> part of a "web of trust"?
Not much use, if any at all. Find someone, a friend, colleague, etc, who's
using PGP and ask him/her to sign your key. Then everything starts working:
the friend of my friend is my friend...
The only use I can think of is to give your public key to some friends so
that they can be assured what you send is intact. If you do so, though, why
don't you ask them to sign your key, if they have one themselves?
Remember that the web of trust, as a kind of web, has a weak spot: Let's say
you have a key and you signed your friend's key. Now if this friend X does
not care much about security of his key, the key might get compromised. And
if X doesn't understand that this has happened, the key won't be revoked. Now
the attacker has a key, that is signed by you and eventually trusted by all
other people that trust you.
> Cheers
> Jean-Philippe
>
> [This message is both Signed & Encrypted, as a test, so sorry for the
> mess that can occur: don't flame the humble self-trainer here]
Note that this way, the only one that could read the message is the one
whose public key you used for encryption, and definitely not all the
mailing list users.
Please feel free to ask anything you may be interested in, both in private
mails and on the mailing list.
> --
>
> SuSE93 Linux Kernell 2.6.11.4-21.14 KDE 3.4.0 Kontact 1.1 Kmail 1.8
> PHNOM PENH - CAMBODIA
--
Blade hails you...
For nature hates virginity
I wish to be touched
Not by the hands of where's and why's
But by the Oceans' minds
--Nightwish
_______________________________________________
KDE PIM users mailing list
kdepim-users@kde.org
https://mail.kde.org/mailman/listinfo/kdepim-users
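
The weak spot and the local-signature advice in the reply above, worked through as an added example (not part of the original message and not GnuPG's code). It is a simplified model of GnuPG's classic trust model using its default thresholds; the key names and the keyring are constructed for illustration.

```python
# Simplified model of GnuPG's classic trust model; all key names are constructed.
COMPLETES_NEEDED = 1  # GnuPG default: one fully trusted signer is enough
MARGINALS_NEEDED = 3  # GnuPG default: or three marginally trusted signers
MAX_CERT_DEPTH = 5    # GnuPG default: longest certification chain followed


def valid_keys(me, signatures, ownertrust, revoked=frozenset()):
    """Return {key: chain_depth} for every key that is valid as seen by `me`.

    signatures: set of (signer, signee) pairs visible in this keyring
    ownertrust: key -> "full" | "marginal", i.e. how far `me` trusts that
                owner to check other people's keys; missing means not at all
    """
    depth = {me: 0}
    for level in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for signee in {s for _, s in signatures} - set(depth) - set(revoked):
            full = marginal = 0
            for signer, target in signatures:
                if target == signee and signer in depth:
                    trust = "full" if signer == me else ownertrust.get(signer)
                    full += trust == "full"
                    marginal += trust == "marginal"
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[signee] = level
        if not newly:
            break
        depth.update(newly)
    return depth


# Constructed keyring: you signed friend X; dave signed you; after X's key is
# stolen, the thief uses it to certify a key falsely named "bob".
SIGS = {("you", "X"), ("dave", "you"), ("X", "fake-bob")}


def scenario():
    yours = valid_keys("you", SIGS, {"X": "full"})
    daves = valid_keys("dave", SIGS, {"you": "full"})
    # A local (non-exportable) signature never leaves your keyring,
    # so dave's keyring would not contain ("you", "X").
    daves_if_local = valid_keys("dave", SIGS - {("you", "X")}, {"you": "full"})
    after_revoke = valid_keys("you", SIGS, {"X": "full"}, revoked={"X"})
    return yours, daves, daves_if_local, after_revoke


if __name__ == "__main__":
    for view in scenario():
        print(sorted(view.items(), key=lambda kv: kv[1]))
```

The four views are: your keyring, dave's keyring with your exported signature on X, dave's keyring had that signature been local, and your keyring once X's key is revoked.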