<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.0.8">
</HEAD>
<BODY>
<BR>
Some security protocols rely on a trusted third party. For example secure web browsing (aka https) rely on a trusted third party to sign your key. All the browsers know about the trusted third parties and can verify that someone 'trusted' signed it.<BR>
<BR>
For GPG (or PGP), there is no trusted third party (by design). When I send encrypted mail using GPG, or sign software that I release (like Linux RPM files for many distributions, or Debian packages), there is no trusted third party to go to in order to make sure the key is valid.<BR>
<BR>
Instead, the trust model is distributed. Like Tim said, you prove to someone's satisfaction that you are who you say you are - typically using government issued id. When someone has proven to me they are who they say, and that they are the owner of their key, then I sign their key saying in effect that I trust that this person's key matches to the real person. It doesn't mean that I trust the person is a good person or anything (even if they are), just that I believe they are who they say they are.<BR>
<BR>
This builds a chain (or web) of trust. If you see my signature on something but don't know directly about me of if the signature is really mine, you can check the signatures on my key and see if any of them are people you trust, and so on. Parts of this are automated in GPG.<BR>
<BR>
I've had GPG keys for years, but haven't worried about it much before because I only exchanged encrypted data with close friends, if at all. But now that I've started to distribute some software, it is good to have ties to many other people to make it more likely that a person will be able to trust that the signature is mine without ever having met me.<BR>
<BR>
So, yeah, we just get together and show each other id's and trade bits of paper with numbers on them. Sounds like fun eh! :-)<BR>
<BR>
Valient<BR>
<BR>
On Fri, 2003-12-12 at 10:19, Tim Nicholas wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE><FONT COLOR="#68151e"><I>On 12/12/03 18:01, Brenda Wallace wrote:
> what is a gpg key signing get together?
> is it what i think it is?? you get together and swap gpg keys???!!!
>
Yup. Though normally it's just the signatures of the keys. You give
someone the signature of your key, and prove to them that you are who
you say you are (using a passport or whatever). They do the same and
you're away laughing.
Or at least that's my understanding of the situation.
Tim
--
Tim Nicholas || Cilix
Email: tim@nicholas.net.nz || Wellington, New Zealand</FONT>
<A HREF="http://tim.nicholas.net.nz/"><U>http://tim.nicholas.net.nz/</U></A><FONT COLOR="#68151e"> || Cell/SMS: +64 21 337 204
</I></FONT></PRE>
</BLOCKQUOTE>
</BODY>
</HTML>