13.3. Importing Keys

If you receive a key in a file (for example, as an e-mail attachment), integrate it in your key ring with Import Key and use it for encrypted communication with the sender. The procedure is similar to the procedure for exporting keys already described.

13.3.1. Signing Keys

Keys can be signed like every other file to guarantee their authenticity and integrity. If you are absolutely sure an imported key belongs to the individual specified as the owner, express your trust in the authenticity of the key with your signature.

Important: Establishing a Web of Trust

Encrypted communication is only secure to the extent that you can positively associate public keys in circulation with the specified user. By cross-checking and signing these keys, you contribute to the establishment of a web of trust.

Select the key to sign in the key list. Select Keys → Sign Keys. In the following dialog, designate the private key to use for the signature. An alert reminds you to check the authenticity of this key before signing it. If you have performed this check, click Continue and enter the password for the selected private key in the next step. Other users can now check the signature by means of your public key.

13.3.2. Trusting Keys

Normally, you are asked by the corresponding program whether you trust the key (whether you assume it is really used by its authorized owner). This happens each time a message needs to be decrypted or a signature must be checked. To avoid this, edit the trust level of the newly imported key. By default, a newly imported key is listed with a white box, meaning that no concrete value has been assigned for the trust level.

Right-click the newly imported key to access a small context menu for key management. Select Sign Keys from it. KGpg opens a message box and asks the user to recheck the fingerprint of the key. Use Continue to access the key signing dialog.

Select your trust level, for example, select I Have Done Very Careful Checking. After finishing this dialog, you need to enter your passphrase to finish the key signing process. The newly imported key now displays a green trust level for a trusted key.
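The fingerprint check that the alert in 13.3.1 and the message box above ask for can also be done against the gpg command line that KGpg is a front end to. The following script is an added example, not part of the original KGpg documentation: the function names, the sample listing and its fingerprints are constructed, and it assumes an OpenPGP v4 key (40 hex digit fingerprint).

```shell
#!/bin/sh
# Added example (not from the KGpg documentation): compare the fingerprint of
# an imported key with the one its owner gave you out of band, before signing.
# Assumption: OpenPGP v4 key, so a full fingerprint is 40 hex digits.

# Strip spaces, tabs and colons and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t' | tr 'abcdef' 'ABCDEF'
}

# Print the primary key fingerprint from `gpg --with-colons` output on stdin:
# field 10 of the first "fpr" record that follows a "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" && fpr == "" { want = 1; next }
             $1 == "fpr" && want      { fpr = $10; want = 0 }
             END                      { print fpr }'
}

# fpr_matches EXPECTED < listing
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED is not a full fingerprint
# (a short key ID is rejected: it is not enough to identify a key).
fpr_matches() {
    actual=$(primary_fpr)
    expected=$(normalize_fpr "$1")
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    [ "$expected" = "$actual" ]
}

# Constructed sample listing for a hypothetical key (not real gpg output).
sample_listing() {
    cat <<'EOF'
pub:-:255:22:0000111122223333:1700000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:-::::1700000000::::Alice Example <alice@example.org>:
sub:-:255:18:3333222211110000:1700000000::::::e:
fpr:::::::::9999888877776666555544443333222211110000:
EOF
}

# Real use, after importing the key:
#   gpg --with-colons --fingerprint alice@example.org | fpr_matches "$FPR_FROM_OWNER"
if sample_listing | fpr_matches 'aaaa bbbb cccc dddd eeee ffff 0000 1111 2222 3333'; then
    echo "fingerprint matches: the key can be signed"
else
    echo "fingerprint mismatch or incomplete fingerprint: do not sign" >&2
fi
```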

The trust level of the keys in your key ring is indicated by a colored bar next to the key name. The lower the trust level is, the less you trust the signer of the key to have checked the true identity of the keys signed. You may be entirely sure about the signer's identity, but he may still be lazy in regard to checking other people's identities before signing their keys. Therefore, you could still trust him and his own key, but assign lower trust levels to the keys of others that have been signed by him. The trust level's purpose is solely one of a reminder. It does not trigger any automatic actions by KGpg.