Importing Public Keys from Others

If you receive a key in a file (for example, as an e-mail attachment), integrate it into your key ring with Import Key and use it for encrypted communication with the sender. You can also import keys from a public key server if the person you want to communicate with has stored their public key there. For more information, see Section 7.5, “The Key Server Dialog”. The procedure is similar to the procedure for exporting keys described above.

Signing Keys

Keys can be signed like every other file to guarantee their authenticity and integrity. If you are absolutely sure an imported key belongs to the individual specified as the owner, express your trust in the authenticity of the key with your signature.

Important: Establishing a Web of Trust

Encrypted communication is only as secure as your ability to positively associate the public keys in circulation with the users they name. By cross-checking and signing these keys, you contribute to the establishment of a Web of Trust. For this reason, make sure you only sign keys you have personally checked.

Before you can use your key, you need to sign it yourself.

Procedure 7.1. Signing a Key

  1. Select the key to sign in the key list in the Key Management window.

  2. Select Keys+Sign Keys.

  3. Select the private key to use for the signature. An alert reminds you to check the authenticity of the key before signing it. In the drop-down list, select how carefully you have checked that the key belongs to the person with whom you want to communicate.

  4. Click Continue and enter your passphrase in the next step. By entering the passphrase, you sign the key with your own private key. The signed key now appears green in the trust column.

Other users can now check the signature by means of your public key.

Trusting Keys

Normally, the corresponding program asks you whether you trust the key, that is, whether you assume it is really used by its authorized owner. This happens each time a message needs to be decrypted or a signature has to be checked. To avoid this, edit the trust level of the newly imported key. To trust a key and set a certain trust level, do the following:

  1. Right-click the key and select Key Properties.

  2. Adjust the trust level in the Owner Trust drop-down list. This value indicates how much you trust the owner of this key to correctly verify the identity of the keys they sign.

  3. Close the property dialog. If you have set the trust level to Fully or Ultimately, the key now appears blue in the trust column.

The lower the trust level, the less you trust the signer of the key to have checked the true identity of the keys they sign. You may be entirely sure about the signer's identity, but this user may not check other people's identities properly before signing their keys. Note that the trust level does not trigger any automatic actions by KGpg.
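The green and blue markers in KGpg's trust column and the Owner Trust setting above are KGpg's view of two values that GnuPG keeps for every key: the key's validity (how well it is attested by signatures you trust) and the owner trust you assigned. The following script, an added example that is not part of the KGpg manual or of KGpg itself, parses the machine-readable listing that `gpg --with-colons --list-keys` prints and reports both values per key, so you can check the state behind the GUI from a script or an audit job. The sample listing is constructed; its key IDs, fingerprint and user IDs are placeholders, and the "which keys would still trigger a prompt" helper simply applies the rule from the text (validity below full).

```python
"""Report validity and owner trust from a GnuPG colon-format key listing.

Added example (not KGpg code). Field positions and the one-letter trust
codes follow GnuPG's documented colon-separated output format.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# One-letter validity / owner-trust codes used by GnuPG in --with-colons output.
TRUST_CODES = {
    "o": "unknown",
    "i": "invalid",
    "d": "disabled",
    "r": "revoked",
    "e": "expired",
    "-": "unknown",     # nothing assigned yet, e.g. a freshly imported, unsigned key
    "q": "undefined",
    "n": "never",
    "m": "marginal",
    "f": "full",        # KGpg shows such keys as trusted (green after your signature)
    "u": "ultimate",    # your own keys; Fully/Ultimately appears blue in KGpg
}


@dataclass
class KeyRecord:
    keyid: str
    validity: str
    ownertrust: str
    uids: list[str] = field(default_factory=list)


def _unescape(value: str) -> str:
    # GnuPG escapes a literal colon inside user IDs as \x3a.
    return value.replace("\\x3a", ":")


def parse_key_listing(text: str) -> list[KeyRecord]:
    """Group 'pub' records with their following 'uid' records.

    In a pub record: field 2 = validity, field 5 = key ID, field 9 = owner trust.
    In a uid record: field 10 = the user ID string.
    """
    keys: list[KeyRecord] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append(KeyRecord(
                keyid=fields[4],
                validity=TRUST_CODES.get(fields[1], "unknown"),
                ownertrust=TRUST_CODES.get(fields[8], "unknown"),
            ))
        elif fields[0] == "uid" and keys:
            keys[-1].uids.append(_unescape(fields[9]))
        # tru/fpr/sub records carry nothing we need here and are skipped.
    return keys


def needs_confirmation(key: KeyRecord) -> bool:
    """Keys whose validity is below 'full' are the ones the program still
    asks about on every decrypt / verify (the situation described above)."""
    return key.validity not in ("full", "ultimate")


# Constructed sample listing: one own key (ultimate), one key signed by it
# with marginal owner trust, and one imported key that nobody has signed yet.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:3072:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1700000000::PLACEHOLDERHASH::Alice Example <alice@example.org>::::::::::0:
sub:u:3072:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:
pub:f:3072:1:CCCCCCCCCCCCCCCC:1700000000:::m:::scESC::::::23::0:
uid:f::::1700000000::PLACEHOLDERHASH::Bob Example <bob@example.org>::::::::::0:
pub:-:3072:1:DDDDDDDDDDDDDDDD:1700000000:::-:::scESC::::::23::0:
uid:-::::1700000000::PLACEHOLDERHASH::Carol Example <carol@example.org>::::::::::0:
"""


def report(text: str) -> list[str]:
    """Human-readable one-liner per key, flagging keys that still prompt."""
    lines = []
    for key in parse_key_listing(text):
        flag = "  <- will prompt on use" if needs_confirmation(key) else ""
        lines.append(f"{key.keyid}  validity={key.validity:<9} "
                     f"ownertrust={key.ownertrust:<9} {', '.join(key.uids)}{flag}")
    return lines


if __name__ == "__main__":
    # With real data: gpg --with-colons --list-keys | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    print("\n".join(report(data)))
```

Run it against a real key ring by piping `gpg --with-colons --list-keys` into it; keys flagged as prompting are exactly the ones for which the steps above (signing the key, then setting Owner Trust) have not yet produced full validity.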