On Fri, 2014-07-18 at 01:00 +0100, Allan Irving wrote:
> Okay, so I've managed to set up PGP as per the documentation.
> My question is how does signing work and when someone signs my key, does it go like this:
> - I send them my public key,
> - They sign it.
Yes, but make sure that you send them your public key through a secure channel (ideally in person).
I tend to sign only people I know. If I have to see an ID, I don't sign the key :) But that's my personal rule. Everyone has his/her own rules for signing.
> - They send me back the exported signed key, which now has their signature.
Ideally they sign each uid of your key separately and send them to each email address, so they can also verify that you own these email addresses.
There is a tool that automates this procedure https://wiki.debian.org/caff
> - I then import this into my keychain, and reupload it to a key server and as an armoured file onto my website or wherever I post it for download.
Yes, but it's up to you if you want to publish a certain signature. Remember that the web of trust is public, so depending on your paranoia level you may or may not want to reveal that certain people trust your key :)
There is also a tool (that I can't recall now) that syncs your keyring asynchronously with multiple keyservers to prevent anyone from knowing which keys you have on your local keyring.
Again make sure that the file you upload on your website is distributed securely, at least through https. For instance I serve it through https although the rest of my site is http only: http://www.roussos.cc/contact.html
~nikos