GPG: why is my fully trusted key not certified with a trusted signature?

6

When I run

gpg --verify ~/file.asc ~/file

I get the following:

gpg: Signature made Tue 10 Dec 2016 05:10:10 AM EST using RSA key ID abcdefgh
gpg: Good signature from "Alias (signing key) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: (a fingerprint)
     Subkey fingerprint: (a fingerprint)

The primary fingerprint matches the output of gpg --fingerprints. In my keyring I have:

pub   4096R/abcdefgh 2014-12-12 [expires: 2020-08-02]
      Key fingerprint = (A public finger print)
uid                  Alias (signing key) <[email protected]>
sub   4096R/xcdertyu 2014-12-11 [expires: 2017-08-11]

I wanted to verify the authenticity of a file using the public key's fingerprint. Note that the trust level is level 4 (full trust).

I believe this because:

:~$ gpg --edit-key abcdefgh
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  4096R/abcdefgh  created: 2014-12-12  expires: 2020-08-02  usage: C   
                     trust: full          validity: unknown

Should this be a cause for concern? Thanks for your patience while I learn more about crypto!

posted by Rice 06.01.2017 - 05:39
source

1 answer

8

The key needs to be validated. If you believe that someone's public key really belongs to that individual and it is in your keyring, you can use your private key to sign your correspondent's public key and validate it.

So you are Bob and you trust that Alice's public key really belongs to Alice, so you sign it with your private key. Now Alice's key is trusted by you. The keys Alice trusts, say someone called Chris, will also be in your web of trust. So you can trust Chris too, because Alice does. So Chris's key will be certified with a trusted signature.

Now, if Alice trusts that your key belongs to you, she can validate your public key by signing it with her private key, so your key will now be included in the same web of trust.

a procedure was given to validate your correspondents' public keys: a correspondent's key is validated by personally checking his key's fingerprint and then signing his public key with your private key. By personally checking the fingerprint you can be sure that the key really does belong to him, and since you have signed the key, you can be sure to detect any tampering with it in the future. Unfortunately, this procedure is awkward when either you must validate a large number of keys or communicate with people whom you do not know personally.

GnuPG addresses this problem with a mechanism popularly known as the web of trust. In the web of trust model, responsibility for validating public keys is delegated to people you trust. For example, suppose

Alice has signed Blake's key, and

Blake has signed Chloe's key and Dharma's key.

If Alice trusts Blake to properly validate keys that he signs, then Alice can infer that Chloe's and Dharma's keys are valid without having to personally check them. She simply uses her validated copy of Blake's public key to check that Blake's signatures on Chloe's and Dharma's are good. In general, assuming that Alice fully trusts everybody to properly validate keys they sign, then any key signed by a valid key is also considered valid. The root is Alice's key, which is axiomatically assumed to be valid.

Trust in a key's owner

In practice trust is subjective. For example, Blake's key is valid to Alice since she signed it, but she may not trust Blake to properly validate keys that he signs. In that case, she would not take Chloe's and Dharma's key as valid based on Blake's signatures alone. The web of trust model accounts for this by associating with each public key on your keyring an indication of how much you trust the key's owner.

There are four trust levels.

unknown

Nothing is known about the owner's judgement in key signing. Keys on your public keyring that you do not own initially have this trust level.

none

The owner is known to improperly sign other keys.

marginal

The owner understands the implications of key signing and properly validates keys before signing them.

full

The owner has an excellent understanding of key signing, and his signature on a key would be as good as your own.

A key's trust level is something that you alone assign to the key, and it is considered private information. It is not packaged with the key when it is exported; it is even stored separately from your keyrings in a separate database. The GnuPG key editor may be used to adjust your trust in a key's owner.

Read more here

Also take a look at this Server Fault answer

answered 06.01.2017 - 09:42
source
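The asker's key editor output shows the two quantities the answer is distinguishing side by side: "trust: full" is the ownertrust the asker assigned, while "validity: unknown" is what GnuPG computed from signatures, and only the latter decides whether --verify warns. The script below is an added illustration of that distinction; it is not code from the question, the answer, or GnuPG. It parses the machine-readable colon format that gpg --with-colons --list-keys emits (field 2 is validity, field 9 of a pub record is ownertrust) and maps each key's validity to the warning gpg --verify would print. The listing embedded in it is constructed: the key IDs, fingerprints and addresses are placeholders, not the asker's keyring.

```python
"""Explain gpg --verify trust warnings from a `gpg --with-colons --list-keys` listing.

Added example. The listing below is constructed; key IDs, fingerprints and
addresses are placeholders and not taken from the question.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the asker's situation: the first key has
# ownertrust 'f' (full, what the asker assigned) but validity '-' (unknown,
# nobody whose key is valid has signed it). The second is the asker's own key,
# ultimately trusted and therefore valid.
SAMPLE_LISTING = """\
tru::1:1483600000:1596326400:3:1:5
pub:-:4096:1:0123456789ABCDEF:1418342400:1596326400::f:::scESC:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1418342400::0000000000000000000000000000000000000000::Alias (signing key) <alias@example.com>:
sub:-:4096:1:FEDCBA9876543210:1418256000:1502409600:::::s:
pub:u:4096:1:1111111111111111:1418342400:::u:::scESC:
uid:u::::1418342400::1111111111111111111111111111111111111111::Bob (own key) <bob@example.com>:
"""

# Letter codes shared by the validity and ownertrust fields of the colon format.
TRUST_CODES = {
    "-": "unknown", "q": "undefined", "n": "never", "m": "marginal",
    "f": "full", "u": "ultimate", "e": "expired", "r": "revoked",
    "d": "disabled", "i": "invalid", "o": "unknown",
}


@dataclass
class KeyRecord:
    keyid: str
    validity: str     # computed by gpg from signatures and the trust database
    ownertrust: str   # assigned by you; never exported with the key
    uids: List[str] = field(default_factory=list)


def parse_listing(text: str) -> List[KeyRecord]:
    """Collect pub records (with their uids) from colon-format output."""
    keys: List[KeyRecord] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append(KeyRecord(keyid=fields[4], validity=fields[1],
                                  ownertrust=fields[8]))
        elif fields[0] == "uid" and keys:
            keys[-1].uids.append(fields[9])
    return keys


def verify_warning(validity: str) -> Optional[str]:
    """Warning that gpg --verify prints for a signing key of this validity.

    Full or ultimate validity produces no warning; marginal and never have
    their own messages; anything else gets the message from the question.
    """
    if validity in ("f", "u"):
        return None
    if validity == "m":
        return "This key is not certified with sufficiently trusted signatures!"
    if validity == "n":
        return "We do NOT trust this key!"
    return "This key is not certified with a trusted signature!"


def needs_validation(key: KeyRecord) -> bool:
    """True when ownertrust alone cannot silence the warning: the key itself
    must be signed by a valid key (yours, or one you trust) to become valid."""
    return verify_warning(key.validity) is not None


def explain(key: KeyRecord) -> str:
    """One-line diagnosis of a key, pairing what you set with what gpg derived."""
    warning = verify_warning(key.validity) or "no warning"
    return (f"{key.keyid} {key.uids[0] if key.uids else ''}: "
            f"ownertrust={TRUST_CODES[key.ownertrust]} (assigned by you), "
            f"validity={TRUST_CODES[key.validity]} (computed by gpg) -> {warning}")


if __name__ == "__main__":
    for k in parse_listing(SAMPLE_LISTING):
        print(explain(k))
```

In practice you would feed the script the real output of gpg --with-colons --list-keys. A key that shows ownertrust full but validity unknown is exactly the asker's case: ownertrust says how far you trust the owner's signatures on other keys, and it only takes effect once that key itself is valid, which is what signing it with your own key (gpg --sign-key or --lsign-key for a non-exportable signature) after checking the fingerprint achieves.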
