[FOSDEM] key question still slightly unclear
john at waw.be
Fri Feb 23 18:27:18 CET 2007
> 3) If I add another email address to my identity (I only have one on
> it now), is the key as signed at the keysigning automatically valid
> for that address (or is my question already showing my lack of
>> That will depend on the participants; some people will sign your new
>> UID, others won't. It may help if you communicate that you have a new
>> UID on your key at the signing party.
>> When signing a key, GPG will ask whether you want to sign all
>> email addresses.
>> Some people won't say `Y' if your new email address is not on the
And I'm confused. I really don't understand the mechanics of the
keysigning system. You have a series of private keys, they will be
collectively validated by an md5 and a sha1 checksum. How does my
individual key get signed? Do I have to upload it on the server (see
below) beforehand, or so the keysigners have a copy of the key I
uploaded to FOSDEM? I was thinking more along the line of adding an
email address AFTER the keysigning party. Is that email address (is
that considered as the ID) covered by the current keysigning, or
should I worry about that at next year's keysigning? Do I have to
sign other people's keys?
So my next question:
> 4) What is the best way to disseminate my public key, and to get the
> public keys of my correspondents? I understand there are key servers
> somewhere, can someone explain how this works?
>> gpg --recv-key --keyserver pgp.mit.edu <id>
>> gpg --send-key --keyserver pgp.mit.edu <id>
>> You can also put the keyserver in your ~/.gnupg/options.
And Wouter says:
>> Make sure the following line is found in your ~/.gnupg/gpg.conf:
>> keyserver hkp://subkeys.pgp.net
>> Then, you can search for keys with
>> gpg --recv-key <data>
>> where you replace <data> with either the mail address or the key ID of
>> your correspondent.
>> After signing the key, please do not randomly upload them; you should
>> also attempt to verify that the email address of the key you signed is
>> valid. An easy way to do that is to encrypt and mail the key to the key
>> owner; the 'caff' script can help you with this. You can find caff in
>> the Debian package 'signing-party'; it's a perl script.
I found these lines in my gpg.conf file:
#keyserver mailto:pgp-public-keys at keys.nl.pgp.net
Should I have multiple key servers? Should I put pgp.mit.edu in as
well? Does it use the hkp:// protocol as well?
Does the existence of this line in the config file mean that my key
has automatically already been uploaded, or do I need to run a command?
Do I need to do anything to update the key on the server before or
after the keysigning?
Wouter also added:
>> I'll be sure to repeat this at the beginning of the signing party on
So Wouter, sorry to bother you beforehand, but I like to be prepared,
as my Scoutmasters always told me!
Words & Wires SPRL
Computer Consulting & Language Services
rue Valduc 266
1160 Brussels, Belgium
Voice: + 32-2-660-3943
GSM: +32 478 42 45 20
Fax: + 32-2-675-3922
john at waw.be
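
Added example, not part of the original message and not GnuPG's own code: the replies quoted above say some participants will sign a new UID and others won't, which works because each certification is attached to one user ID rather than to the key as a whole. The sketch below parses `gpg --with-colons --list-sigs <id>` output and reports which UIDs carry signatures from anyone other than the key owner; the sample listing, key IDs, names and addresses are all constructed.

```python
# Constructed sample of `gpg --with-colons --list-sigs <id>` output.
# Key IDs, names and addresses are made up for illustration.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1171000000:::u:::scESC:
uid:u::::1171000000::::John Example <john@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1171000000::::John Example <john@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1172400000::::Signer One <one@example.org>:10x:
sig:::1:CCCCCCCCCCCCCCCC:1172400500::::Signer Two <two@example.org>:10x:
uid:u::::1173000000::::John Example <john@example.net>:
sig:::1:AAAAAAAAAAAAAAAA:1173000000::::John Example <john@example.net>:13x:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1171000000::::::e:
sig:::1:AAAAAAAAAAAAAAAA:1171000000::::John Example <john@example.org>:18x:
"""


def third_party_sigs(colon_output):
    """Map each user ID to the key IDs of other people's signatures on it."""
    owner = None    # key ID of the primary key being listed
    current = None  # user ID that the following sig records belong to
    result = {}
    for line in colon_output.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        kind = f[0]
        if kind == "pub":
            owner, current = f[4], None
        elif kind == "uid":
            current = f[9]          # field 10 holds the user ID string
            result[current] = []
        elif kind in ("sub", "uat"):
            current = None          # later sigs bind a subkey or photo ID, not a UID
        elif kind == "sig" and current is not None and f[4] != owner:
            result[current].append(f[4])  # field 5 is the signer's key ID
    return result


def unsigned_uids(colon_output):
    """User IDs that nobody except the key owner has certified."""
    return [u for u, sigs in third_party_sigs(colon_output).items() if not sigs]


if __name__ == "__main__":
    for uid, sigs in third_party_sigs(SAMPLE).items():
        print(f"{uid}: {len(sigs)} third-party signature(s) {sigs}")
    print("UIDs with no third-party signature:", unsigned_uids(SAMPLE))
```

In the constructed listing the second address was added after the two signers certified the first one, so it shows only the owner's self-signature.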