Pretty Good Privacy - PGP
PGP is a technology allowing you to digitally sign and encrypt messages or documents.
Using PKI (Public Key Infrastructure) technologies, each user has two keys: A public and a private one.
When encrypting a message, you use the recipients public key and the system makes sure that only the
matching private key can be used to decrypt the message. Signing is done with the private key and can be verified with
the corresponding public one.
(Note that examples given are for the gpg command line version on UNIX only)
Key signing - Web of Trust
As everybody can generate his own keypair (as opposed to eg. certificates with S/MIME), their is a problem of trust
inherent within a certificate (the container binding the public key to a identity). Everybody and his mother can generate
a certificate with a identity of Hans A. Traber - but which one is the real Traber?
The PGP solution to this dilemma is the key signing. By signing the public key of Anna, you state that you have checked
her identity and verified the attributes she provides and thus give a token of trust to the community that a unique
public key really belongs to the person in question. This generates the web of trust as it binds keypairs implicitely
together.
How to sign a Key
You need first to select the key (our example is using a DN of hans.traber@nowhere.land).
aragon$ gpg --edit-key hans.traber@nowhere.land
pub 1024D/F347ABCC created: xxxxxxxxxxxx
sub 4096g/AA23467A created: xxxxxxxxxxxx
(1) Hans Traber
Command>
This informs you about the key content and gives you a prompt. You may check existing signatures on this key :
Command> check
uid Hans Traber
sig xxxxxxxxxxxxxxxx
sig xxxxxxxxxxxxxxxx
Command>
Now you will sign the key and be asked possibly two questions:
- Signature expiration
If the key has an expiration date, your signature should expire at the same date. Choose yes here.
- Verification of ID
You will have to state how careful you checked the identity presented together with this key. Choose one.
Once you are through the dialog, you will need to enter the passphrase for your private key as signing is done with
your private key so that other parties can verify your signature of this key with your public key.
Command> sign
xxxx
Once signed, you can immediately verify your action.
Command> check
uid Hans Traber
sig xxxxxxxxxxxxxxxxxxxx
sig xxxxxxxxxxxxxxxxxxxx
sig [your key id] [date] [your name]
Command>
Leave the program by typing quit and confirm.
Command> quit
Save changes? y
You are done. The key is signed and altered in your public keyring. However, this will not be useful for anybody out there
unless you publish the signature.
Publish / Send a Key
For a key to be available to others you have to publish it to a keyserver (or distribute it yourself). Once you signed a key
or created a new one, send it to the nearest keyserver.
aragon$ gpg --send-keys hans.traber@nowhere.land --keyserver wwwkeys.eu.gpg.net
If the server has this key already registered, it will simply add the new signature to it. Keyservers will in general
synchronize to each other so the new key (or signature) will be distributed to other servers after some short time.
You can ommit the keyserver if you have one configured in ~/.gnupg/gpg.conf. Note the following excerpt from the
gpg sample configuration file (the last line represents my current setting) :
# GnuPG can import a key from a HKP keyerver if one is missing
# for sercain operations. Is you set this option to a keyserver
# you will be asked in such a case whether GnuPG should try to
# import the key from that server (server do syncronize with each
# others and DNS Round-Robin may give you a random server each time).
# Use "host -l pgp.net | grep www" to figure out a keyserver.
keyserver wwwkeys.eu.pgp.net
PGP Links
Hans A. Traber
This man is somehow deeply connected with my in-head-storage-system dealing with biology. As far as I remember, he
used to present television broadcasts about animals in the swiss national channel targeting at children. If you do
not know him (which is more than likely), juxt take it as a good alternative to Bob or Alice.