Embarrassing question: How can I get my PGP key signed?

Chaotic42

Lifer
Jun 15, 2001
Sorry, I think I'm missing something obvious here. I need to get my PGP key signed. My understanding is that I have to have someone who is trusted sign it. I don't know anyone in real life who even knows what PGP is.

I'm checking out the GNUpg.org FAQ, but I'm missing something somewhere. Here's what it says:
-
As mentioned before in the introduction there is one major Achilles' heel in the system. This is the authenticity of public keys. If you have a wrong public key you can say bye bye to the value of your encryption. To overcome such risks there is a possibility of signing keys. In that case you place your signature over the key, so that you are absolutely positive that this key is valid. This leads to the situation where the signature acknowledges that the user ID mentioned in the key is actually the owner of that key. With that reassurance you can start encrypting.

Using the gpg --edit-key UID command for the key that needs to be signed you can sign it with the sign command.

You should only sign a key as being authentic when you are ABSOLUTELY SURE that the key is really authentic!!! So if you are positive you got the key yourself (like on a key signing party) or you got the key through other means and checked it (for instance by phone) using the fingerprint-mechanism. You should never sign a key based on any assumption.
-

I'm new to this, so bear with me. Any help is appreciated.

neit

Senior member
Dec 6, 2001
Well, I was in a similar boat; I wanted to start using encryption and didn't have any idea how to do it.

I use Linux (namely KDE), and I created a key on the command line. I also installed KGpg, which manages the keys for you, so what I did was import my professor's public key. KMail wouldn't let me send it until I realized I needed to sign the key myself. So I said I would trust his key, and then it let me encrypt it. I'm sure all of these steps can be done on the command line, but I never really bothered.

What I haven't figured out is how to distribute my public key and have other people sign my key to validate it to another user. None of my friends use PGP/GPG, so I haven't really been able to play around with it too much.

I hope this much helps you to figure stuff out.

manly

Lifer
Jan 25, 2000
No, you don't need to have your public key signed by other parties. It can be signed by your associates if you post it to a keyserver, as their certification that they've trusted your key as authentic.

But if you're just using it privately, you can just send your public key to your colleagues. Typically, it's recommended that you trust the avenue in which you send your key, because this is precisely where a man-in-the-middle attack would occur. The two obvious ways are to physically hand your public key over to your friend (rather than as, say, an email attachment over an insecure channel), or to simply verify the key ID (GPG apparently calls this the fingerprint) verbally as a basic sanity check that the key you thought you sent is the key that was in fact received.
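An added example (not from any poster in this thread) of the out-of-band fingerprint check that the FAQ and the reply above describe, written in Python against GnuPG's machine-readable `--with-colons` output; the gpg output it parses is a constructed sample for a made-up key, and the `--quick-lsign-key` step assumes GnuPG 2.1 or later. The value to read out and compare is the full 40-hex-digit fingerprint, of which the long key ID is only the last 16 digits:

```python
import re
import subprocess

# Constructed sample of `gpg --with-colons --fingerprint KEYID` output for a
# made-up key. Field 10 of an `fpr` record is the fingerprint; for a v4 key
# the long key ID shown in `pub` is its last 16 hex digits.
SAMPLE_GPG_OUTPUT = """\
pub:-:4096:1:0123456789ABCDEF:1700000000:::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210AABBCCDD0123456789ABCDEF:
uid:-::::1700000000::HASH::Alice Example <alice@example.invalid>::::::::::0:
sub:-:4096:1:1122334455667788:1700000000::::::e::::::23:
fpr:::::::::A1B2C3D4E5F60718293A4B5C1122334455667788:
"""

def primary_fingerprint(colon_output: str) -> str:
    """Fingerprint from the `fpr` record after `pub`; the `fpr` after `sub`
    belongs to a subkey and is not the one to read out over the phone."""
    after_pub = False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub:
            return fields[9]
    raise ValueError("no primary-key fpr record in gpg output")

def normalize(spoken: str) -> str:
    """Canonical form of a fingerprint as read aloud: drop the grouping spaces
    gpg prints, upper-case, and insist on all 40 hex digits so a bare key ID
    (8 or 16 digits) is rejected instead of silently accepted."""
    fp = re.sub(r"\s+", "", spoken).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("expected a 40-hex-digit v4 fingerprint: %r" % spoken)
    return fp

def fingerprint_matches(colon_output: str, spoken: str) -> bool:
    """True only if the imported key's fingerprint equals the confirmed one."""
    return primary_fingerprint(colon_output) == normalize(spoken)

def verify_then_sign(key_id: str, spoken: str, run=subprocess.run) -> bool:
    """Compare the imported key's fingerprint with the one confirmed in person
    or by phone, and certify only on a match; `run` is injectable for testing."""
    shown = run(["gpg", "--with-colons", "--fingerprint", key_id],
                capture_output=True, text=True, check=True).stdout
    if not fingerprint_matches(shown, spoken):
        return False
    # --quick-lsign-key takes the full fingerprint and makes a local
    # (non-exportable) certification; --quick-sign-key makes an exportable one.
    run(["gpg", "--quick-lsign-key", primary_fingerprint(shown)], check=True)
    return True
```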