Signing a Key

The one major weakness of the OpenPGP security structure is the authenticity of public keys. If you have an incorrect or falsified public key, your encryption is suspect and worthless. You can protect yourself from such risks by signing keys.

When you sign a key, you add your signature to it, recording that you are absolutely certain the key is valid. Only when you know that a key is valid can you trust that your encryption works.

Select the key you wish to sign, then click the Sign button or select Sign from the Key menu.

You should only sign a key when you are absolutely sure that it really is authentic. Unless you are certain that you acquired the key yourself (for example, at a key signing party), or you acquired it through other means and verified it using its fingerprint (for example, by telephone), you should not sign the key. Never sign a key based on assumptions.

GnuPG uses available signatures and the "owner trust" mechanism to determine the validity of keys.
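The same procedure at the gpg command line, as an added example that is not part of this help page: the key is signed only after its fingerprint matches the value obtained out of band, and the validity gpg then computes from the new signature plus owner trust is shown. The script uses two throwaway keyrings; the user IDs and the "phone-read" fingerprint are constructed.

```shell
#!/bin/sh
# Added example (not from the original help page): "verify the fingerprint
# out of band, then sign" done with the gpg command line in two throwaway
# keyrings. User IDs and the phone-call fingerprint are constructed.
set -eu

MINE=$(mktemp -d); THEIRS=$(mktemp -d)
trap 'gpgconf --homedir "$MINE" --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$THEIRS" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$MINE" "$THEIRS"' EXIT

# g HOMEDIR ARGS...: unattended gpg; the throwaway keys have no passphrase
g() { _home=$1; shift; gpg --homedir "$_home" --batch --quiet --yes \
         --pinentry-mode loopback --passphrase '' "$@"; }

# fpr HOMEDIR UID: the key's fingerprint (field 10 of the colon-format fpr record)
fpr() { g "$1" --with-colons --list-keys "$2" 2>/dev/null |
        awk -F: '$1=="fpr"{print $10; exit}'; }

# validity HOMEDIR UID: validity letter gpg computed (- unknown, f full, u ultimate)
validity() { g "$1" --with-colons --list-keys "$2" 2>/dev/null |
             awk -F: '$1=="pub"{print $2; exit}'; }

# verify_then_sign EXPECTED_FPR UID: sign only if the key in my keyring carries
# exactly the fingerprint obtained out of band; any mismatch is a refusal (return 1)
verify_then_sign() {
  actual=$(fpr "$MINE" "$2")
  if [ "$actual" != "$1" ]; then
    echo "fingerprint mismatch for $2 (have $actual), refusing to sign" >&2
    return 1
  fi
  g "$MINE" --quick-sign-key "$actual" 2>/dev/null
  g "$MINE" --check-trustdb 2>/dev/null   # recompute validity from the new signature
}

# Setup: my key; Alice's key made elsewhere, only its public half imported here
g "$MINE" --quick-generate-key 'Me <me@example.test>' default default 0 2>/dev/null
g "$THEIRS" --quick-generate-key 'Alice <alice@example.test>' default default 0 2>/dev/null
g "$THEIRS" --export alice@example.test | g "$MINE" --import 2>/dev/null
ALICE_FPR=$(fpr "$THEIRS" alice@example.test)   # what Alice reads to me over the phone

echo "before signing: validity=$(validity "$MINE" alice@example.test)"
verify_then_sign 0123456789ABCDEF0123456789ABCDEF01234567 alice@example.test || true
verify_then_sign "$ALICE_FPR" alice@example.test
echo "after signing:  validity=$(validity "$MINE" alice@example.test)"   # f
```

The first `verify_then_sign` call is refused because the constructed fingerprint does not match; the second signs, and Alice's key goes from unknown validity to full validity because my own key holds ultimate owner trust.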

See Also: