HI all, I recently received an email from Jeff Moyer on the WLUG list. Kmail noted that the digital signature was valid but untrusted (I thought that feature was broken - why is it suddenly working??). I had downloaded Jeff's key from the key server. What establishes this key as trusted? Certainly, if I had signed Jeff's key myself, I would trust it, but in this case, I did not. I also don't know anybody who has signed Jeff's key. Do I need to place a personal value on keys which I've downloaded? Hypothetically, what if I downloaded it from some rogue server masquerading as the real thing? What I suspect is that if I signed Joe Blow's key, and Joe had signed Jeff Moyer's key, and I had placed a value on Joe's ability to properly verify keys, that there would be some implication about the goodness of Jeff's key. Correct? In my situation, I suspect that there are too many degrees of separation between keys which I trust and Jeff's key and its signers. How does this gap get closed? Thanks, Andy -- Andy Stewart, Founder Worcester Linux Users' Group Worcester, MA USA http://www.wlug.org