[nmglug] GnuPG issues.

Sam Noble samn at peoplepc.com
Mon Dec 15 14:00:00 PST 2003


Hi guys,

I've been playing along from home with gpg for a couple weeks now, and a
few things still seem mysterious to me.

The main thing is that I'm not sure I understand how gpg uses trust and
key-signing.
I'm using gpg 1.0.7 and evolution 1.0.8-10 (creaky old, I know.)

Most things seem to work the way I expect, but for some reason I'm not
able to encrypt something on the recipient's public key unless I've
assigned 'Ultimate' trust to it; or, as Gary and I recently discovered, I
can get a message to encrypt if I sign the recipient's public key.

It seems obvious that I shouldn't have to assign 'ultimate' trust just
to encrypt something. So this suggests to me that signing the key is
the preferred method.
But my understanding of the purpose of signing someone else's public key
was to make a (usually public) statement about my trust level -of the
key-. The typical case being that I've verified the key and want to sign
it, as a sort of 'endorsing signature' so that others can know that the
key is probably right. (At least if they trust me to verify -- which, as I
understand it, is what the owner-trust metric measures: how much weight
to assign to the signatures of someone on your keyring when they appear
as 'endorsing signatures' on someone else's public key.)

So my plan was not to go signing keys that I'd just gotten from a
keyserver or an email, as I have no particular knowledge that they are
accurate. But the inability to encrypt without either 'ultimate' trust
or signing the key suggests to me that I should be signing (or locally
signing, e.g. 'gpg --lsign <keyID>') every key I intend to use for
anything other than verifying signatures from the owner.

Anybody know if this is true?

This is already a novella so other issues can wait.

-sam
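The behaviour Sam describes can be reproduced end to end. The script below is an added example, not part of the original post or of GnuPG; it assumes a GnuPG 2.1 or later install (for `%no-protection` and `--quick-lsign-key`) and uses two throw-away key pairs and the constructed addresses `alice@example.invalid` and `bob@example.invalid`. It shows the three cases at issue: a freshly imported key is refused as an encryption target in batch mode, giving the key 'full' owner-trust does not help (owner-trust only weights the certifications that key makes on other keys), and a local signature from your own ultimately trusted key makes the key valid without publishing anything.

```shell
#!/bin/sh
# Added example (not from the original post). Requires GnuPG 2.1+.
# Names, addresses and key pairs below are constructed for the demo.
set -u

# Run gpg against a given GNUPGHOME, non-interactively, without chatter.
g() { home=$1; shift; GNUPGHOME="$home" gpg --batch --quiet --no-tty "$@" 2>/dev/null; }

# gen_key <home> <real name> <email>: unattended, unprotected RSA key pair.
gen_key() {
  g "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# try_encrypt <home> <recipient>: exit 0 if gpg accepts the key, non-zero if
# it refuses ("There is no assurance this key belongs to the named user").
try_encrypt() { printf 'hello\n' | g "$1" --encrypt --armor --recipient "$2" >/dev/null; }

# fingerprint_of <home> <user id>: primary key fingerprint from colon output.
fingerprint_of() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Returns 0 only if all three observations match the behaviour described.
demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping demo"; return 0; }
  alice=$(mktemp -d); bob=$(mktemp -d)
  chmod 700 "$alice" "$bob"
  gen_key "$alice" "Alice Example" "alice@example.invalid" || return 1
  gen_key "$bob"   "Bob Example"   "bob@example.invalid"   || return 1

  # Alice obtains Bob's public key (stand-in for a keyserver or mail attachment).
  g "$bob" --export bob@example.invalid | g "$alice" --import || return 1
  bob_fpr=$(fingerprint_of "$alice" bob@example.invalid)

  # 1. Nobody Alice trusts has certified Bob's key, so it is not valid: refused.
  if try_encrypt "$alice" bob@example.invalid; then s1=encrypted; else s1=refused; fi

  # 2. 'full' owner-trust (5) on Bob's key only says how much Bob's signatures
  #    on OTHER keys count; Bob's own key is still unvalidated: refused.
  printf '%s:5:\n' "$bob_fpr" | g "$alice" --import-ownertrust
  if try_encrypt "$alice" bob@example.invalid; then s2=encrypted; else s2=refused; fi

  # 3. A local, non-exportable certification from Alice's own (ultimately
  #    trusted) key makes Bob's key valid without publishing an endorsement.
  g "$alice" --quick-lsign-key "$bob_fpr" || return 1
  if try_encrypt "$alice" bob@example.invalid; then s3=encrypted; else s3=refused; fi

  # Tear down the per-home agents and the temporary keyrings.
  GNUPGHOME="$alice" gpgconf --kill gpg-agent 2>/dev/null
  GNUPGHOME="$bob"   gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$alice" "$bob"

  echo "unknown=$s1 full-ownertrust=$s2 after-lsign=$s3"
  [ "$s1" = refused ] && [ "$s2" = refused ] && [ "$s3" = encrypted ]
}

demo
```

Two caveats for day-to-day use: `--quick-lsign-key` needs the fingerprint rather than an e-mail address, which is deliberate, since you should be comparing that fingerprint against something obtained out of band before certifying; and `--trust-model always` (or the older `--always-trust`) bypasses the validity check entirely, which is convenient for scripts but silently encrypts to whatever key happened to match the address.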