+<p>Email encryption is a powerful technology, but it has a weakness;
+it requires a way to verify that a person's public key is actually
+theirs. Otherwise, there would be no way to stop an attacker from making
+an email address with your friend's name, creating keys to go with it and
+impersonating your friend. That's why the free software programmers that
+developed email encryption created keysigning and the Web of Trust.</p>
+
+<p>When you sign someone's key, you are publicly saying that you've verified
+that it belongs to them and not someone else.</p>
+
+<p>Signing keys and signing messages use the same type of mathematical
+operation, but they carry very different implications. It's a good practice
+to generally sign your email, but if you casually sign people's keys, you
+may accidently end up vouching for the identity of an imposter.</p>
+
+<p>People who use your public key can see who has signed it. Once you've
+used GnuPG for a long time, your key may have hundreds of signatures. You
+can consider a key to be more trustworthy if it has many signatures from
+people that you trust. The Web of Trust is a constellation of GnuPG users,
+connected to each other by chains of trust expressed through signatures.</p>
+
+</div><!-- End .section-intro -->
+
+<!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
+<div id="step-4a" class="step">
+<div class="sidebar">
+
+<p><img
+src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/section4-web-of-trust.png"
+alt="Section 4: Web of Trust" /></p>
+
+</div><!-- /.sidebar -->
+<div class="main">
+
+<h3><em>Step 4.a</em> Sign a key</h3>
+
+<p>In your email program's menu, go to Enigmail → Key Management.</p>
+
+<p>Right click on Edward's public key and select Sign Key from the context
+menu.</p>
+
+<p>In the window that pops up, select "I will not answer" and click ok.</p>
+
+<p>Now you should be back at the Key Management menu. Select Keyserver →
+Upload Public Keys and hit ok.</p>
+
+<p class="notes">You've just effectively said "I trust that Edward's public
+key actually belongs to Edward." This doesn't mean much because Edward isn't
+a real person, but it's good practice.</p>
+
+<!--<div id="pgp-pathfinder">
+
+<form enctype="application/x-www-form-urlencoded" action="/mk_path.cgi"
+method="get">
+
+<p><strong>From:</strong><input type="text" value="xD41A008"
+name="FROM"></p>
+
+<p><strong>To:</strong><input type="text" value="50BD01x4" name="TO"></p>
+
+<p class="buttons"><input type="submit" value="trust paths" name="PATHS"><input
+type="reset" value="reset" name=".reset"></p>
+
+</form>
+
+</div>End #pgp-pathfinder -->
+</div><!-- End .main -->
+</div><!-- End #step-4a .step -->
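Review bot: Step 4.a does not say which key must be selected when the reader reaches "Select Keyserver → Upload Public Keys and hit ok", so it is unclear whether the reader is publishing their own key or Edward's key with the new signature on it. Name the key to select, and state in the `notes` paragraph that the upload is what makes the signature public. Also in this region: "accidently" in the third intro paragraph should be "accidentally", and the commented-out `#pgp-pathfinder` form is dead markup that could be dropped from the patch rather than shipped inside a comment.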
+
+<!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
+<div id="step-identify_keys" class="step">
+<div class="main">
+
+<h3>Identifying keys: Fingerprints and IDs</h3>
+
+<p>People's public keys are usually identified by their key fingerprint,
+which is a string of digits like F357AA1A5B1FA42CFD9FE52A9FF2194CC09A61E8
+(for Edward's key). You can see the fingerprint for your public key, and
+other public keys saved on your computer, by going to Enigmail → Key
+Management in your email program's menu, then right clicking on the key
+and choosing Key Properties. It's good practice to share your fingerprint
+wherever you share your email address, so that people can double-check that
+they have the correct public key when they download yours from a keyserver.</p>
+
+<p class="notes">You may also see public keys referred to by a shorter
+key ID. This key ID is visible directly from the Key Management
+window. These eight character key IDs were previously used for
+identification, which used to be safe, but is no longer reliable. You
+need to check the full fingerprint as part of verifying you have the
+correct key for the person you are trying to contact. Spoofing, in
+which someone intentionally generates a key with a fingerprint whose
+final eight characters are the same as another, is unfortunately
+common.</p>
+
+</div><!-- End .main -->
+</div><!-- End #step-identify_keys .step-->
+
+<!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
+<div id="check-ids-before-signing" class="step">
+<div class="main">
+
+<h3><em>Important:</em> What to consider when signing keys</h3>
+
+<p>Before signing a person's key, you need to be confident that it actually
+belongs to them, and that they are who they say they are. Ideally, this
+confidence comes from having interactions and conversations with them over
+time, and witnessing interactions between them and others. Whenever signing
+a key, ask to see the full public key fingerprint, and not just the shorter
+key ID. If you feel it's important to sign the key of someone you've just
+met, also ask them to show you their government identification, and make
+sure the name on the ID matches the name on the public key. In Enigmail,
+answer honestly in the window that pops up and asks "How carefully have you
+verified that the key you are about to sign actually belongs to the person(s)
+named above?"</p>
+
+<!-- ~~~~~~~~~ Troubleshooting ~~~~~~~~~ -->
+<div class="troubleshooting">
+
+<h4>Advanced</h4>
+
+<dl>
+<dt>Master the Web of Trust</dt>
+<dd>Unfortunately, trust does not spread between users the way <a
+href="http://fennetic.net/irc/finney.org/~hal/web_of_trust.html">many people
+think</a>. One of best ways to strengthen the GnuPG community is to deeply <a
+href="https://www.gnupg.org/gph/en/manual/x334.html">understand</a> the Web of
+Trust and to carefully sign as many people's keys as circumstances permit.</dd>
+
+<dt>Set ownertrust</dt>
+<dd>If you trust someone enough to validate other people's keys, you can assign
+them an ownertrust level through Enigmails's key management window. Right
+click on the other person's key, go to the "Select Owner Trust" menu option,
+select the trustlevel and click OK. Only do this once you feel you have a
+deep understanding of the Web of Trust.</dd>
+</dl>
+
+</div><!-- /.troubleshooting -->
+</div><!-- End .main -->
+</div><!-- End #check-ids-before-signing .step-->
+</div></section><!-- End #section4 -->
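Review bot: In the "Advanced" list, the "Master the Web of Trust" entry links to `http://fennetic.net/irc/finney.org/~hal/web_of_trust.html` over plain HTTP, while the neighbouring gnupg.org link uses HTTPS. A guide that teaches readers to verify what they receive should not send them to an unauthenticated copy of a reference, so switch to an HTTPS URL if the host offers one. Wording in the same list: "One of best ways" is missing "the", "Enigmails's" should be "Enigmail's", and "trustlevel" should be "trust level". In the key ID note, "eight character" reads better hyphenated as "eight-character".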
+
+<!-- ~~~~~~~~~ Section 5: Use it well ~~~~~~~~~ -->
+<section id="section5" class="row"><div>
+
+<!-- ~~~~~~~~~ section introduction: interspersed text ~~~~~~~~~ -->
+<div class="section-intro">
+
+<h2><em>#5</em> Use it well</h2>
+
+<p>Everyone uses GnuPG a little differently, but it's important to follow
+some basic practices to keep your email secure. Not following them, you
+risk the privacy of the people you communicate with, as well as your own,
+and damage the Web of Trust.</p>
+
+</div><!-- End .section-intro -->
+
+<!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
+<div id="step-5a" class="step">
+<div class="sidebar">
+
+<p><img
+src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/section5-01-use-it-well.png"
+alt="Section 5: Use it Well (1)" /></p>
+
+</div><!-- /.sidebar -->
+<div class="main">
+
+<h3>When should I encrypt? When should I sign?</h3>
+
+<p>The more you can encrypt your messages, the better. If you only encrypt
+emails occasionally, each encrypted message could raise a red flag for
+surveillance systems. If all or most of your email is encrypted, people
+doing surveillance won't know where to start. That's not to say that only
+encrypting some of your email isn't helpful -- it's a great start and it
+makes bulk surveillance more difficult.</p>
+
+<p>Unless you don't want to reveal your own identity (which requires other
+protective measures), there's no reason not to sign every message, whether or
+not you are encrypting. In addition to allowing those with GnuPG to verify
+that the message came from you, signing is a non-intrusive way to remind
+everyone that you use GnuPG and show support for secure communication. If you
+often send signed messages to people that aren't familiar with GnuPG, it's
+nice to also include a link to this guide in your standard email signature
+(the text kind, not the cryptographic kind).</p>
+
+</div><!-- End .main -->
+</div><!-- End #step-5a .step -->
+
+<!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
+<div id="step-5b" class="step">
+<div class="sidebar">
+
+<p><img
+src="//static.fsf.org/nosvn/enc-dev0/img/en/screenshots/section5-02-use-it-well.png"
+alt="Section 5: Use it Well (2)" /></p>
+
+</div><!-- /.sidebar -->
+<div class="main">
+
+<h3>Be wary of invalid keys</h3>
+
+<p>GnuPG makes email safer, but it's still important to watch out for invalid
+keys, which might have fallen into the wrong hands. Email encrypted with
+invalid keys might be readable by surveillance programs.</p>
+
+<p>In your email program, go back to the first encrypted email that Edward
+sent you. Because Edward encrypted it with your public key, it will have a
+message from Enigmail at the top, which most likely says "Enigmail: Part of
+this message encrypted."</p>
+
+<p><b>When using GnuPG, make a habit of glancing at that bar. The program
+will warn you there if you get an email signed with a key that can't
+be trusted.</b></p>
+
+</div><!-- End .main -->
+</div><!-- End #step-5b .step -->
+
+<!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
+<div id="step-5c" class="step">
+<div class="main">
+
+<h3>Copy your revocation certificate to somewhere safe</h3>
+
+<p>Remember when you created your keys and saved the revocation certificate
+that GnuPG made? It's time to copy that certificate onto the safest digital
+storage that you have -- the ideal thing is a flash drive, disk, or hard
+drive stored in a safe place in your home, not on a device you carry with
+you regularly.</p>
+
+<p>If your private key ever gets lost or stolen, you'll need this certificate
+file to let people know that you are no longer using that keypair.</p>
+
+</div><!-- End .main -->
+</div><!-- End #step-5c .step -->
+
+<!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
+<div id="step-lost_key" class="step">
+<div class="main">
+
+<h3><em>Important:</em> act swiftly if someone gets your private key</h3>
+
+<p>If you lose your private key or someone else gets ahold
+of it (say, by stealing or cracking your computer), it's
+important to revoke it immediately before someone else uses
+it to read your encrypted email or forge your signature. This
+guide doesn't cover how to revoke a key, but you can follow these <a
+href="https://www.hackdiary.com/2004/01/18/revoking-a-gpg-key/">instructions</a>.
+After you're done revoking, make a new key and send an email to everyone
+with whom you usually use your key to make sure they know, including a copy
+of your new key.</p>
+
+</div><!-- End .main -->
+</div><!-- End #step-lost_key .step-->
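Review bot: The `#step-lost_key` paragraph says "This guide doesn't cover how to revoke a key" and defers to an external page, yet step 5.c just before it has the reader store a revocation certificate for exactly this case. The two steps never connect: a reader in an incident is told to act "immediately" but gets no statement that the saved certificate is the thing to use. Add a sentence tying the certificate from 5.c to the revocation step, even if the detailed procedure stays behind the link. The sentence "revoke it immediately before someone else uses it" also needs a comma after "immediately" to avoid reading as a deadline.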
+
+<!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
+<!---<div id="transfer-key" class="step">
+<div class="main">
+
+<h3>Transferring you key</h3>
+
+<p>You can use Enigmail's <a
+href="https://www.enigmail.net/documentation/keyman.php">key management
+window</a> to import and export keys. If you want to be able to read
+your encrypted email on a different computer, you will need to export
+your secret key from here. Be warned, if you transfer the key without <a
+href="https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage">encrypting</a>
+the drive it's on the transfer will be dramatically less secure.</p>
+
+</div>--><!-- End .main
+</div> End #transfer-key .step-->
+
+<!-- ~~~~~~~~~ a div for each step ~~~~~~~~~ -->
+<div id="webmail-and-GnuPG" class="step">
+<div class="main">
+
+<h3>Webmail and GnuPG</h3>
+
+<p>When you use a web browser to access your email, you're using webmail,
+an email program stored on a distant website. Unlike webmail, your desktop
+email program runs on your own computer. Although webmail can't decrypt
+encrypted email, it will still display it in its encrypted form. If you
+primarily use webmail, you'll know to open your email client when you receive
+a scrambled email.</p>
+
+</div><!-- End .main -->
+</div><!-- End #webmail-and-GnuPG .step-->
+
+<!-- ~~~~~~~~~ a div for each step ~~~~~~~~~
+<div id="step-5d" class="step">
+<div class="main">
+
+<h3>Make your public key part of your online identity</h3>
+
+<p> First add your public key fingerprint to your email signature, then
+compose an email to at least five of your friends, telling them you just
+set up GnuPG and mentioning your public key fingerprint. Link to this guide
+and ask them to join you. Don't forget that there's also an awesome <a
+href="infographic.html">infographic to share.</a></p>
+
+<p class="notes">Start writing your public key fingerprint anywhere someone
+would see your email address: your social media profiles, blog, Website,
+or business card. (At the Free Software Foundation, we put ours on our
+<a href="https://fsf.org/about/staff">staff page</a>.) We need to get our
+culture to the point that we feel like something is missing when we see an
+email address without a public key fingerprint.</p>
+
+</div>--><!-- End .main
+</div> End #step-5d .step-->
+</div></section><!-- End #section5 -->
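Review bot: The two disabled steps near the end of section 5 rely on comment delimiters that are split across unrelated lines. `#transfer-key` opens with `<!---<div id="transfer-key" class="step">` (three hyphens) and closes via `</div>--><!-- End .main`. `#step-5d` is only commented out because the "a div for each step" banner comment above it is left without its closing `-->`. Any later edit that tidies one of those banner or "End" comments will silently re-enable the block or break the surrounding `div` nesting. Either delete the disabled steps from the patch or wrap each one in a single, clearly delimited comment. If `#transfer-key` is kept, its heading "Transferring you key" should read "Transferring your key".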
+
+<!-- ~~~~~~~~~ Section 6: Next steps ~~~~~~~~~ -->
+<section class="row" id="section6">
+<div id="step-click_here" class="step">
+<div class="main">
+
+<h2><a href="next_steps.html">Great job! Check out the next steps.</a></h2>
+
+</div><!-- End .main -->
+</div><!-- End #step-click_here .step-->
+</section><!-- End #section6 -->
+
+<!-- ~~~~~~~~~ FAQ ~~~~~~~~~ -->