Silk Road forums
Discussion => Security => Topic started by: smodcastle on July 18, 2011, 11:08 pm
-
About every other person I attempt to send an encrypted message to, PGP gives me this message:
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
I always give 'em the okay, but I thought I'd ask some peeps who understand the system better: what exactly does this mean? And is it that big of a deal? Thanks! ~smod
-
It means you haven't signed their public key with your private key, so it's not sure whether it has been tampered with or not.
-
+1 g4bb3r
-
Hmm, ok, I apologize. I actually kinda knew that much, only I thought each person was solely responsible for signing their own key. I know HOW to sign a key, in as much as I know the steps; I'm just not sure what it means once it's done. I guess what I'm saying is I don't know what that really MEANS to me. So to clarify: a.) I sign THEIR key to make sure it hasn't been tampered with? What would it mean that it is tampered with? And b.) how important is it that I sign their key, and why? Thanks. ~smod
-
Someone knowledgeable correct me if I'm wrong but: the whole signature issue regarding PGP keys is only pertinent if you are getting the person's key from a public place where you're not sure THAT PERSON put it there or not? So, for example, if you download a seller's PGP key from SR, you KNOW that's the right one, because it's on their account. As long as you don't *change* that key, the seller can always read your messages and you have 100% confidence it's them.
Signatures and verification come in when I might go to the Tor project and want to talk to a programmer and their key is up on some blog out in the nether regions. I download it, it has their name on it, but I don't have any idea who put it out there. So, I have to get them to verify it the first time I use it with them.
That's what I've always understood since 1998 or so when we first used PGP. Is that correct?
-
The warning is not a big deal; it just means you have not marked that you are sure you know them.
Signatures are useful if you want to prove you sent something. Webpages and accounts can get hacked; getting someone else's private PGP key is much harder.