9.4. Importing Keys

If you receive a key in a file (for example, as an e-mail attachment), integrate it in your key ring with Import Key and use it for encrypted communication with the sender. The procedure is similar to the procedure for exporting keys already described.

9.4.1. Signing Keys

Keys can be signed like every other file to guarantee their authenticity and integrity. If you are absolutely sure an imported key belongs to the individual specified as the owner, express your trust in the authenticity of the key with your signature.

[Important]Establishing a Web of Trust

Encrypted communication is only secure to the extent that you can positively associate public keys in circulation with the specified user. By cross-checking and signing these keys, you contribute to the establishment of a web of trust. For these reasons, make really sure you only sign keys you personally checked.

Select the key to sign in the key list. Select Keys+Sign Keys. In the following dialog, designate the private key to use for the signature. An alert reminds you to check the authenticity of this key before signing it. If you have performed this check, click Continue and enter the password for the selected private key in the next step. Other users can now check the signature by means of your public key.

9.4.2. Trusting Keys

Normally, you are asked by the corresponding program whether you trust the key, or rather, whether you assume it is really used by its authorized owner. This happens each time a message needs to be decrypted or a signature has to be checked. To avoid this, edit the trust level of the newly imported key. By default, the newly imported key is listed in a white box, meaning that no concrete value has been assigned for the trust level. To trust a key, do the following:

  1. Right-click the newly imported key to access a small context menu for the key management.

  2. Select Sign Keys. KGpg opens a dialog that asks the user to recheck the fingerprint of the key.

  3. Use Continue to access the key signing dialog.

  4. Select your trust level, for example, select I Have Done Very Careful Checking. Finish this dialog.

  5. Enter your passphrase to finish the key signing process. The imported key now appears green in the trust column.

The lower the trust level is, the less you trust the signer of the key to have checked the true identity of the keys signed. You may be entirely sure about the signer's identity, but he may not check other people's identities properly before signing their keys. Therefore, you could still trust him and his own key, but assign lower trust levels to the keys signed by him. Notice that the trust level does not trigger any automatic actions by KGpg.