The Guide






About Raj

Pretty Good Privacy

Introduction: What is PGP?
How does it work?
Where do I get PGP?
How do I run PGP??
Why does my key need to be signed?
So what's a key signing party after all?
What information do I need to provide, and when??
What other resources are there to help me learn about PGP and keysigning?
What about Windows Platform?

Related Links

A specific key signing party
PGP keyservers:
A specific key signing party
Keysigning Party Guide:

Why does my key need to be signed

Why does my key need to be signed?

Since the 'net is the most popular method of distributing public keys, it's as easy to tamper with keys as it is to tamper with messages --thereby defeating the very purpose of PGP itself! So it's important that you do not trust bare keys which you have got from the Internet, unless (a) you have contacted the owner of the key separately *and via a different medium, e.g. phone, fax or snail-mail* and verified the key actually belongs to him/her, or (b) verified that the key is signed by someone you trust.

A key signature is nothing but a sort of affidavit from someone that they believe that it (the key) actually belongs to the person it is supposed to belong to. Thus if I know you and have your key details, I would be willing to sign your key, effectively telling the world, ``Yes, I believe that this key really belongs to Your Name''. Now when someone accesses this signed key over the 'net, they see my signature on it and think, ``Hey, Raju believes that this key belongs Your Name, and I trust Raju's judgement, so I'm willing to accept this key''. Of course, they could also think, ``Raju believes this is Your Name's key, and I think Raju is a big liar and completely untrustworthy, so I will definitely not use this key to correspond with Your Name'', but that's more unlikely (I hope!).


So what's a keysigning party after all? [Next]

Copyright 1999 Dr. Raj Mehta. All rights reserved.