List:       kdepim-users
Subject:    Re: [kdepim-users] Boyan Tabakov turned Green ! (PGP KGpg topic)
From:       Boyan Tabakov <blade.alslayer () gmail ! com>
Date:       2007-01-19 8:46:38
Message-ID: 20070119084607.GA5144 () rainbow

Below is the original message from Jean-Philippe, as well as my answer. The message
was encrypted for me, but seems to be a post to everyone...

On Fri, Jan 19, 2007 at 09:30:53AM +0700, Jean-Philippe Monteiro wrote:
> Hi Community
> 
> In the course of self-learning, and following a very old thread where Boyan 
> "Blade" Tabakov proved very helpful, I was able to create my own key, encrypt 
> some TAR files with it, and was able to sign (when I can remember to)
> outgoing messages. Thanks Blade!

You are welcome!

> Now this leaves me with two questions: 
> -How do I automatically sign outgoing messages from my gmail account (the 
> others do not have a key)?

That's easy: Settings -> Configure KMail -> Security -> Composing
 - Automatically sign messages

> -How do I encrypt a message to someone I downloaded the key from?
> 

In the composer window you should have two buttons, Sign and Encrypt (available as
well from the Options menu). If you selected the 'Automatically sign messages'
option, Sign should already be selected for you. The message will be signed with the
recipient's key if available (a dialog box will appear to confirm the key selected). A
nice option is to check the 'Always encrypt to self' option (located in the same
place as the one mentioned above). That way all mail that is sent encrypted will be
encrypted with your public key too, making it possible for you to read it. Otherwise
you won't be able to read the mail you've sent encrypted.

> --All this is more self-learning than paranoia, apart from the legitimate will 
> to ensure people around that, when I send a file, it hasn't been messed up 
> with--
> 
> for testing purposes, I have signed/acknowledged Anne Wilson, Boyan Tabakov & 
> Ingo Klocker - out of intuition these people should be what they are, and not 
> as recommended through some Accurate Verification Process - Hence, Anne & 
> Ingo "turned Green" on my screen as well!
> 

Thanks for the trust, but that is not a good practice. Maybe you've read some of my
older posts on how this is supposed to work, but I'll sum up here:

The idea is to sign keys of people you know directly and whose public keys you can
obtain in a secure way - e.g. the other person himself gave you the fingerprint on a
sheet of paper. That way you are 100% sure that the key belongs to him alone. If you
choose to trust my key for example, how do you know that I am really someone called
'Boyan Tabakov'? I could have created a key stating that I am 'Ritchie Blackmore'.
(Last time I mentioned Bill Gates here, but thought it would be too much for the
guy :) ). If you do think you can trust my key, a good idea is to mark this with a
local signature (one that cannot be exported). See gpg's manual on how to create
local signatures.

> The killall question: what's the use for me to have a key, if I am not part of 
> a "web of trust"?

Not much use, if any at all. Find someone, a friend, colleague, etc., who's using PGP
and ask him/her to sign your key. Then everything starts working: the friend of my
friend is my friend...

The only use I can think of is to give your public key to some friends so that they
can be assured what you send is intact. If you do so, though, why don't you ask them
to sign your key, if they have one themselves?

Remember that the web of trust, as a kind of web, has a weak spot: Let's say you have
a key and you signed your friend's key. Now if this friend X does not care much
about security of his key, the key might get compromised. And if X doesn't understand
that has happened, the key won't be revoked. Now the attacker has a key that is
signed by you and eventually trusted by all other people that trust you.

> Cheers
> Jean-Philippe
> 
> [This message is both Signed & Encrypted, as a test, so sorry for the mess 
> that can occur: don't flame the humble self-trainer here]

Note that this way, the only one that could read the message is the one whose public
key you used for encryption, and definitely not all the mailing list users.

Please feel free to ask anything you may be interested in, both in private mails and
on the mailing list.

> -- 
> 
> SuSE93 Linux Kernell 2.6.11.4-21.14 KDE 3.4.0 Kontact 1.1 Kmail 1.8
> PHNOM PENH - CAMBODIA



-- 
Blade hails you...

For nature hates virginity
I wish to be touched
Not by the hands of where's and why's
But by the Oceans' minds
                          --Nightwish
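
The web-of-trust weak spot and the local-signature advice from the message above, as an added example that is not part of the original post: a simplified Python model of key validity. It assumes GnuPG's documented default rule (one fully trusted or three marginally trusted signers, chain depth at most 5); the names `you`, `alice`, `x` and `fake` are constructed.

```python
# Simplified model of PGP web-of-trust validity (added example, not GnuPG code).
# Assumed rule: GnuPG's documented defaults, where a key is valid if certified
# by 1 fully trusted or 3 marginally trusted valid keys, chain depth at most 5.
FULL, MARGINAL = "full", "marginal"

def valid_keys(me, sigs, ownertrust, revoked=(), completes=1, marginals=3, max_depth=5):
    """Keys `me` considers valid, given the (signer, signed) certifications `me`
    can see, the owner trust `me` assigned, and the revocations published."""
    trust = {**ownertrust, me: FULL}
    depth = {me: 0}                      # valid keys and their chain depth
    changed = True
    while changed:
        changed = False
        for key in sorted({k for _, k in sigs} - set(depth) - set(revoked)):
            signers = [s for s, k in sigs if k == key and s in depth
                       and s not in revoked and depth[s] < max_depth
                       and trust.get(s) in (FULL, MARGINAL)]
            full = sum(trust[s] == FULL for s in signers)
            if full >= completes or len(signers) - full >= marginals:
                depth[key] = 1 + min(depth[s] for s in signers)
                changed = True
    return set(depth)

def published(sigs):
    """Drop local (non-exportable) signatures: they never leave the signer's keyring."""
    return {(s, k) for s, k, exportable in sigs if exportable}

# Constructed scenario: "you" certified friend x; the attacker later steals x's
# secret key and uses it to certify a forged key named "fake".
def scenario(you_sign_x_exportable, x_revoked):
    sigs = {("alice", "you", True), ("you", "x", you_sign_x_exportable), ("x", "fake", True)}
    revoked = {"x"} if x_revoked else set()
    # your own keyring holds all your signatures, local ones included
    yours = valid_keys("you", {(s, k) for s, k, _ in sigs}, {"x": FULL}, revoked)
    # alice trusts you fully and only sees what was exported
    alices = valid_keys("alice", published(sigs), {"you": FULL}, revoked)
    return yours, alices
```

With an exportable signature, alice's keyring treats the stolen key `x` as valid purely because of your certification; with a local signature it does not, and a published revocation of `x` removes both `x` and `fake` from your own valid set.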

