If you receive a key in a file (for example, as an e-mail attachment),
integrate it in your key ring with and use it
for encrypted communication with the sender. The procedure is similar to the
procedure for exporting keys already described.
10.3.1 Signing Keys
Keys can be signed like every other file to guarantee their authenticity
and integrity. If you are absolutely sure an imported key belongs to the
individual specified as the owner, express your trust in the authenticity
of the key with your signature.
IMPORTANT: Establishing a Web of Trust
Encrypted communication is only secure to the extent that you can
positively associate public keys in circulation with the specified user.
By cross-checking and signing these keys, you contribute to the
establishment of a web of trust.
Select the key to sign in the key list. Select . In the following dialog, designate the private key to use
for the signature. An alert reminds you to check the authenticity of this
key before signing it. If you have performed this check, click
and enter the password for the selected private
key in the next step. Other users can now check the signature by means of
your public key.
10.3.2 Trusting Keys
Normally, you are asked by the corresponding program whether you trust the
key (whether you assume it is really used by its authorized owner). This
happens each time a message needs to be decrypted or a signature must be
checked. To avoid this, edit the trust level of the newly imported key.
By default, a newly imported key is listed with a white box,
meaning that no concrete value has been assigned for the trust level.
Right-click the newly imported key to access a small context menu for key
management. Select from it.
KGpg opens a message box and asks the user to recheck the
fingerprint of the key. Use to access
the key signing dialog.
Select your trust level, for example, select
. After
finishing this dialog, you need to enter your passphrase to finish
the key signing process. The newly imported key now displays a
green trust level for a trusted key.
The trust level of the keys in your key ring is indicated by a colored bar
next to the key name. The lower the trust level is, the less you trust the
signer of the key to have checked the true identity of the keys
signed. You may be entirely sure about the signer's identity, but he may
still be lazy in regard to checking other people's identities before
signing their keys. Therefore, you could still trust him and his own key,
but assign lower trust levels to the keys of others that have been signed
by him. The trust level serves solely as a reminder. It
does not trigger any automatic actions by KGpg.
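
The fingerprint check that precedes signing, and the trust level stored for an imported key, can also be read from the GnuPG key ring that KGpg manages. The following is an added example, not part of the original documentation: it assumes the machine-readable listing printed by `gpg --with-colons --list-keys` and a version 4 key with a 40-digit fingerprint. The sample listing and the function names are constructed for illustration.

```python
# Added example; the listing below is constructed, not from a real key ring.
import re

# Constructed sample of `gpg --with-colons --list-keys` output for one key.
SAMPLE_LISTING = """\
pub:-:4096:1:89ABCDEF01234567:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Alice Example <alice@example.org>:
sub:-:4096:1:0000111122223333:1700000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""

# Owner trust letters from field 9 of a "pub" record.
OWNERTRUST = {"-": "unknown (no value assigned)", "q": "undefined",
              "n": "never", "m": "marginal", "f": "full", "u": "ultimate"}

def parse_keys(listing):
    """Return one dict per primary key: fingerprint, owner trust, user IDs."""
    keys, current, previous = [], None, None
    for line in listing.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            current = {"ownertrust": fields[8], "fpr": None, "uids": []}
            keys.append(current)
        elif kind == "fpr" and previous == "pub":
            # Only the fpr record directly after "pub" is the primary key's;
            # the one after "sub" belongs to the subkey and is skipped.
            current["fpr"] = fields[9]
        elif kind == "uid" and current is not None:
            current["uids"].append(fields[9])
        previous = kind
    return keys

def fingerprint_matches(key, claimed):
    """Compare the imported key with a fingerprint obtained out of band."""
    claimed = re.sub(r"\s+", "", claimed).upper()
    # Require the full 40-hex-digit fingerprint; a key ID alone is rejected.
    if not re.fullmatch(r"[0-9A-F]{40}", claimed):
        return False
    return key["fpr"] == claimed

if __name__ == "__main__":
    key = parse_keys(SAMPLE_LISTING)[0]
    spoken = "0123 4567 89ab cdef 0123  4567 89ab cdef 0123 4567"
    print(key["uids"][0], "| fingerprint verified:", fingerprint_matches(key, spoken))
    print("owner trust:", OWNERTRUST.get(key["ownertrust"], "other"))
```

Sign the key only when `fingerprint_matches` returns true for a fingerprint the owner gave you directly, for example in person or by phone.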