On Sun, 2003-11-23 at 14:00, Andy Stewart wrote:
> Hi everybody,
> While I was cleaning out my inbox e-mail folder, I ran across several e-mails from WLUG members which were digitally signed. I've recently upgraded to SuSE 9.0 and the 'new' version of KDE's Kmail flags these e-mails in bright yellow. Kmail is telling me that I don't have the sender's public key available, and thus it isn't sure that the mail actually came from the claimed sender.
> My question is this: how do I get someone's public key?
There are public key servers that you can grab the keys from, assuming that the people uploaded the keys. The default config file for gnupg specifies a few commented out, so just uncomment one of them for use.
From there, you use "gpg --recv-key keyid" from the commandline to grab it.
You can also have the key e-mailed to you, find it on a website, or use any number of other ways that you get any type of file from someone.
> Further, that brings up another question in this space:
> 1) How do I know that the public key I'm given really belongs to the person giving it? Short of receiving it in person, and assuming that the person isn't an impostor, I suppose I eventually have to limit my level of paranoia to some level of trust. :-)
There are two main methods. One is to verify the fingerprint of the key itself with the owner of the key in a situation where you know for a fact that it is the person. The other method is a web of trust. Basically, you verify someone's key and specify that you trust the key. Then, any key that they have verified and signed will be available to you as signed as well. Just be sure that the person you've chosen to trust is trustworthy security-wise. If they sign a key as legit that they did not verify, then you could have a bad key. The website for gpg has more information: http://www.gnupg.org/

-- 
Gregory Boyce <gboyce@badbelly.com>
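As an added example (not part of this thread), the two steps Gregory describes, fetching a key from a keyserver and then checking its fingerprint against one obtained directly from the owner, as a small POSIX shell script. The fingerprint check parses the output of `gpg --with-colons --fingerprint`; the sample colon output embedded below is constructed, with placeholder key ID, fingerprint and user ID, and `fetch_key` is defined but not called because it needs network access and a working gpg.

```shell
#!/bin/sh
# Fetch a key from a keyserver and show its fingerprint. Needs gpg and
# network access, so it is defined here but not called below. Keyserver
# and key ID are arguments, not real values.
fetch_key() {
    gpg --keyserver "$1" --recv-keys "$2" && gpg --fingerprint "$2"
}

# Print the first primary-key fingerprint from `gpg --with-colons --fingerprint`
# output read on stdin. In colon format the "fpr" record carries the
# fingerprint in field 10.
extract_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Strip the spaces people put in printed fingerprints and upper-case hex digits,
# so a fingerprint read from a business card compares equal to gpg's output.
normalize_fpr() {
    tr -d ' ' | tr 'a-f' 'A-F'
}

# Compare the fingerprint in gpg's colon output ($1) with one obtained
# out of band from the key owner ($2). The whole fingerprint is compared;
# a short key ID is not enough to identify a key. Returns 0 on match.
fingerprint_matches() {
    actual=$(printf '%s\n' "$1" | extract_fpr | normalize_fpr)
    expected=$(printf '%s' "$2" | normalize_fpr)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample of what `gpg --with-colons --fingerprint KEYID` prints
# for one key; the key ID, fingerprint and user ID are placeholders.
SAMPLE_COLON_OUTPUT='pub:u:4096:1:0123456789ABCDEF:1234567890::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1234567890::PLACEHOLDER::Example User <user@example.org>::::::::::0:'

# The fingerprint as the owner might hand it over in person (constructed).
FROM_OWNER='0000 1111 2222 3333 4444  5555 6666 7777 8888 9999'

if fingerprint_matches "$SAMPLE_COLON_OUTPUT" "$FROM_OWNER"; then
    echo "fingerprint matches: the key can be signed (gpg --sign-key KEYID)"
else
    echo "fingerprint MISMATCH: do not sign or trust this key" >&2
fi
```

Only after the fingerprints agree does signing the key (or marking it trusted for the web of trust) make sense; a mismatch means the key you fetched is not the one the owner vouches for, whatever name is on it.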