HSC

Pretty Good Privacy - PGP

PGP is a technology allowing you to digitally sign and encrypt messages or documents. Using PKI (Public Key Infrastructure) technologies, each user has two keys: A public and a private one. When encrypting a message, you use the recipients public key and the system makes sure that only the matching private key can be used to decrypt the message. Signing is done with the private key and can be verified with the corresponding public one.

(Note that examples given are for the gpg command line version on UNIX only)

Key signing - Web of Trust

As everybody can generate his own keypair (as opposed to eg. certificates with S/MIME), their is a problem of trust inherent within a certificate (the container binding the public key to a identity). Everybody and his mother can generate a certificate with a identity of Hans A. Traber - but which one is the real Traber?

The PGP solution to this dilemma is the key signing. By signing the public key of Anna, you state that you have checked her identity and verified the attributes she provides and thus give a token of trust to the community that a unique public key really belongs to the person in question. This generates the web of trust as it binds keypairs implicitely together.

How to sign a Key

You need first to select the key (our example is using a DN of hans.traber@nowhere.land).

aragon$ gpg --edit-key hans.traber@nowhere.land

pub 1024D/F347ABCC created: xxxxxxxxxxxx
sub 4096g/AA23467A created: xxxxxxxxxxxx
(1) Hans Traber 

Command>

This informs you about the key content and gives you a prompt. You may check existing signatures on this key :

Command> check

uid Hans Traber 
sig xxxxxxxxxxxxxxxx
sig xxxxxxxxxxxxxxxx

Command>

Now you will sign the key and be asked possibly two questions:

Signature expiration
If the key has an expiration date, your signature should expire at the same date. Choose yes here.
Verification of ID
You will have to state how careful you checked the identity presented together with this key. Choose one.

Once you are through the dialog, you will need to enter the passphrase for your private key as signing is done with your private key so that other parties can verify your signature of this key with your public key.

Command> sign

xxxx

Once signed, you can immediately verify your action.

Command> check

uid Hans Traber 
sig xxxxxxxxxxxxxxxxxxxx
sig xxxxxxxxxxxxxxxxxxxx
sig [your key id] [date] [your name]

Command>

Leave the program by typing quit and confirm.

Command> quit
Save changes? y

You are done. The key is signed and altered in your public keyring. However, this will not be useful for anybody out there unless you publish the signature.

Publish / Send a Key

For a key to be available to others you have to publish it to a keyserver (or distribute it yourself). Once you signed a key or created a new one, send it to the nearest keyserver.

aragon$ gpg --send-keys hans.traber@nowhere.land --keyserver wwwkeys.eu.gpg.net

If the server has this key already registered, it will simply add the new signature to it. Keyservers will in general synchronize to each other so the new key (or signature) will be distributed to other servers after some short time.

You can ommit the keyserver if you have one configured in ~/.gnupg/gpg.conf. Note the following excerpt from the gpg sample configuration file (the last line represents my current setting) :

# GnuPG can import a key from a HKP keyerver if one is missing
# for sercain operations. Is you set this option to a keyserver
# you will be asked in such a case whether GnuPG should try to
# import the key from that server (server do syncronize with each
# others and DNS Round-Robin may give you a random server each time).
# Use "host -l pgp.net | grep www" to figure out a keyserver.
keyserver wwwkeys.eu.pgp.net

PGP Links

www.pgpi.org	International PGP Homepage
www.openpgp.org	OpenPGP Alliance
www.gnupg.org	The GNU Privacy Guard - GNU PGP Implemantation

Hans A. Traber

This man is somehow deeply connected with my in-head-storage-system dealing with biology. As far as I remember, he used to present television broadcasts about animals in the swiss national channel targeting at children. If you do not know him (which is more than likely), juxt take it as a good alternative to Bob or Alice.