<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.0.9">
</HEAD>
<BODY>
<BR>
No worries, all you've sent is your public key, which is a perfectly valid thing to send to anyone. Public keys are stored on key servers around the world for public access. But, you'll notice that you don't have any signatures on your key, e.g.:<BR>
<BR>
> gpg --list-sigs Harker<BR>
pub 1024D/6C6570C6 2003-03-06 Jonathan Harker <<A HREF="mailto:jon@jonathanharker.co.uk">jon@jonathanharker.co.uk</A>><BR>
sig 3 6C6570C6 2003-03-06 Jonathan Harker <<A HREF="mailto:jon@jonathanharker.co.uk">jon@jonathanharker.co.uk</A>><BR>
sub 1536g/64279EDC 2003-03-06<BR>
sig 6C6570C6 2003-03-06 Jonathan Harker <<A HREF="mailto:jon@jonathanharker.co.uk">jon@jonathanharker.co.uk</A>><BR>
<BR>
As you see, the key you sent is signed by itself (standard practice), but not by anyone else. So, unless I've met you and verified that this key really does belong to someone named Jonathan Harker, how do I know it isn't from some imposter? Anyone could create a key and have it named "Jonathan Harker". That's where key signatures come in. I meet you and verify that you are really you, and that the key you list here really belongs to you and then I sign it with my key. <BR>
<BR>
Once you have other signatures of your key, then if someone wants to know if the key really belongs to you they have multiple means: 1. they could still meet you and verify that you are who you say you are, or 2. if they know me (and trust that my key is really mine) they could verify that my signature of your key is valid. This is the so-called 'chain of trust' and can continue on to greater depths. <BR>
<BR>
For example, here is my current key, showing the attached signatures:<BR>
> gpg --list-sigs vgough<BR>
pub 1024D/2EAF4D80 2002-03-26 Valient Gough <<A HREF="mailto:vgough@pobox.com">vgough@pobox.com</A>><BR>
sig 3 2EAF4D80 2002-03-26 Valient Gough <<A HREF="mailto:vgough@pobox.com">vgough@pobox.com</A>><BR>
sig 3 A4E872B2 2003-12-07 Valient Gough <<A HREF="mailto:vgough@pobox.com">vgough@pobox.com</A>><BR>
sig 2 FAFE4010 2004-01-31 Mika Matsuzaki <<A HREF="mailto:mika@yukidoke.org">mika@yukidoke.org</A>><BR>
sig 2 607559E6 2004-02-05 Benjamin Hill (Mako) <<A HREF="mailto:mako@debian.org">mako@debian.org</A>><BR>
sig 2 C99870B1 2004-02-05 Benjamin Hill (Mako) <<A HREF="mailto:mako@debian.org">mako@debian.org</A>><BR>
sub 2048g/65DCEDAF 2002-03-26<BR>
sig 2EAF4D80 2002-03-26 Valient Gough <<A HREF="mailto:vgough@pobox.com">vgough@pobox.com</A>><BR>
<BR>
So, both Benjamin Hill (a Debian developer in Seattle), and Mika Matsuzaki have signed my key saying that they trust that my key belongs to a real "Valient Gough" at that email address. Now Benjamin has about 670 signatures on his key of people that have verified that he is who he says he is, which makes it possible for people to have some trust that my key really belongs to me without having ever met me, or even having met someone who directly signed my key!<BR>
<BR>
That is the purpose of meeting people and signing their keys. We have to physically meet in order to verify that the other person is who they say they are (typically via verifying government issued id) and that they also have control over the email address listed on their key (by sending them the signature to that email address). Then when you send someone your key, by exporting it as you did before, it will show up with extra attached signatures.<BR>
<BR>
Make more sense?<BR>
<BR>
Valient<BR>
<BR>
On Tue, 2004-02-24 at 02:47, Jonathan Harker wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE><FONT COLOR="#68151e"><I>andrej@paradise.net.nz wrote:
> // keys on the list
>
> Guys, the whole point of key-signing events is that
> there is SOME sort of "control" over who is who and
> such ... sending them around via e-Mail is not acceptable
> like this (on a mailing list) ... that's why the whole
> idea of signing parties has been born in the first place :)
Sorry... was wondering what it was in aid of.
Slightly confused,
J
</I></FONT></PRE>
</BLOCKQUOTE>
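<BR>
Added example (not code from this thread or from any of its participants): a small Python script that parses the <TT>gpg --list-sigs</TT> layout shown in the message above into a signature graph and then searches for a chain of trust, the lookup Valient describes, from a key the reader already trusts to a given key. The key IDs and user IDs of Valient, Jonathan and Mako are taken from the listings in the thread; Mako's own key block, its dates, and the key DEADBEEF ("Hypothetical Reader") are constructed for the example, as is the assumption that a signature must carry certification level 2 or higher (casual or extensive check) to count as a hop.<BR>
<BR>
```python
import re
from collections import deque

# Constructed sample in the classic `gpg --list-sigs` layout seen in the thread.
# Key IDs and user IDs for Valient, Jonathan and Mako come from the thread;
# Mako's own key block, its dates, and the key DEADBEEF ("Hypothetical Reader")
# are invented for this example.
SAMPLE_LISTING = """\
pub   1024D/2EAF4D80 2002-03-26 Valient Gough <vgough@pobox.com>
sig 3        2EAF4D80 2002-03-26 Valient Gough <vgough@pobox.com>
sig 2        FAFE4010 2004-01-31 Mika Matsuzaki <mika@yukidoke.org>
sig 2        607559E6 2004-02-05 Benjamin Hill (Mako) <mako@debian.org>
sub   2048g/65DCEDAF 2002-03-26
sig          2EAF4D80 2002-03-26 Valient Gough <vgough@pobox.com>

pub   1024D/6C6570C6 2003-03-06 Jonathan Harker <jon@jonathanharker.co.uk>
sig 3        6C6570C6 2003-03-06 Jonathan Harker <jon@jonathanharker.co.uk>
sub   1536g/64279EDC 2003-03-06
sig          6C6570C6 2003-03-06 Jonathan Harker <jon@jonathanharker.co.uk>

pub   1024D/607559E6 2000-01-01 Benjamin Hill (Mako) <mako@debian.org>
sig 3        607559E6 2000-01-01 Benjamin Hill (Mako) <mako@debian.org>
sig 2        DEADBEEF 2003-06-01 Hypothetical Reader <reader@example.invalid>
"""

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-F]{8})\s+\S+\s+(.*\S)\s*$")
SUB_RE = re.compile(r"^sub\s")
# Optional certification level (1-3) followed by the signer's short key ID.
SIG_RE = re.compile(r"^sig\s+(?:(\d)\s+)?([0-9A-F]{8})\s")


def parse_list_sigs(text):
    """Return (names, sigs): names maps key ID -> user ID, and
    sigs maps key ID -> {signer key ID: certification level}.
    Signatures listed under a 'sub' line are subkey binding signatures,
    not certifications of the identity, so they are skipped.
    A plain 'sig' with no number is the generic certification, stored as 0."""
    names, sigs = {}, {}
    current, in_sub = None, False
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            current, in_sub = m.group(1), False
            names[current] = m.group(2)
            sigs[current] = {}
            continue
        if SUB_RE.match(line):
            in_sub = True
            continue
        m = SIG_RE.match(line)
        if m and current and not in_sub:
            level = int(m.group(1)) if m.group(1) else 0
            sigs[current][m.group(2)] = level
    return names, sigs


def trust_path(sigs, trusted, target, max_depth=3, min_level=2):
    """Breadth-first search for a chain of certifications from any key in
    `trusted` to `target`. Each hop follows a signature the current key made
    on another key with at least `min_level` certification (2 = casual check,
    3 = extensive check). Self-signatures never count as a hop. Returns the
    key IDs along the shortest chain, or None if none exists within max_depth hops."""
    # Invert the map: signer -> keys it has certified strongly enough.
    certified_by = {}
    for key, signers in sigs.items():
        for signer, level in signers.items():
            if signer != key and level >= min_level:
                certified_by.setdefault(signer, set()).add(key)

    queue = deque((k, [k]) for k in trusted)
    seen = set(trusted)
    while queue:
        key, path = queue.popleft()
        if key == target:
            return path
        if len(path) > max_depth:  # already max_depth hops from a trusted key
            continue
        for nxt in sorted(certified_by.get(key, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def describe(names, path):
    """Render a chain as 'KEYID (user id) -> KEYID (user id) -> ...'."""
    return " -> ".join(f"{k} ({names.get(k, '?')})" for k in path)


if __name__ == "__main__":
    names, sigs = parse_list_sigs(SAMPLE_LISTING)
    # DEADBEEF stands in for the reader's own key, which they trust outright.
    for target in ("2EAF4D80", "6C6570C6"):
        path = trust_path(sigs, {"DEADBEEF"}, target)
        print(names[target], "<=", describe(names, path) if path else "no chain of trust")
```
<BR>
Run as-is, the script finds the two-hop chain reader -> Mako -> Valient for Valient's key and reports no chain for Jonathan's key, whose only signature is its own; raising <TT>min_level</TT> to 3 or lowering <TT>max_depth</TT> to 1 makes Valient's key unreachable too, which is the knob a verifier turns when deciding how much to trust signatures made after only a casual check.<BR>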
</BODY>
</HTML>