This page moved to WordPress by ChrisDennis, 4 Feb 2013

(Page locked because of SPAM, contact Adam or Dan if you want to edit it.)

I'm not going to discuss here how to handle the simple mechanics of getting PGP (or GnuPG) to manage keys. Neither am I going to go through the basics of public key cryptography. I'll leave that for others to do, and assume here that you know about both of those. (If you want to know more about setting up GPG and how it works, try the mini-howto. Instead, I want to describe the steps that people normally go through to sign someone else's key, and why all of those steps should be done.

Key signing - a brief background

A cryptographic key pair is a statement of identity. Possession and use of the private key is related to who you are. Signing an email with your key is a statement that "the owner of this key has signed this email and (presumably) agrees with its content".

A signature on a key is a statement from the signer that the signer believes the statement of identity made by the key is true. So, everyone should have a self-signed key (since if you don't believe your key describes you, then you've got bigger problems that I can help you with...). If I sign your key, then I'm saying that I believe your key has accurate information describing your identity.

The problem

There are a number of things which a key ties together in its statement of identity:

Now, if I haven't ever met someone (or I've only met them on-line), I can't sign their key, because I can't be sure that someone claiming online to be, say, AndyRansom actually is Andy Ransom. It might be someone attempting an identity fraud; it might be someone performing a man-in-the-middle attack on our email communications. Even if I meet them, I want to make sure that I've tied together all four bits of information above and verified that they are all talking about the same thing. To do this, we need to follow a protocol to ensure that it all ties together.

The protocol

If I'm going to sign your key, then the protocol to follow is this:

pub  1024D/1C335860 2001-03-23 Hugo Ranger Mills (For work-related emails) <hugo@soton.ac.uk>

     Key fingerprint = B997 A9F1 782D D1FD 9F87  5542 B2C2 7BC2 1C33 5860
uid                            Hugo Ranger Mills <hugo@carfax.nildram.co.uk>
uid                            Hugo Ranger Mills <hugo@lug.org.uk>
uid                            Hugo Ranger Mills <hugo@darksatanic.net>
uid                            Hugo Ranger Mills <hugo@carfax.org.uk>
sub  2048g/3C044DA8 2001-03-23

If you cannot remember how to get a key fingerprint the command is

gpg --fingerprint 'yourname' > filename

and then you can print as many copies of filename as you like.

Then, when I get back home, we do the following:

$ gpg --import filename

$ gpg --keyserver hkp://wwwkeys.eu.pgp.net --recv-keys UID

$ gpg --fingerprint UID

dd if=/dev/random count=64 bs=1 | hexdump

$ gpg --ask-cert-level --sign-key UID

You will be asked to state how carefully you have checked the identity: if you have followed the above steps, you can choose

(3) I have done very careful checking.

gpg --send-key UID

Job done.

I would urge you strongly to use this technique every time you sign someone's key. If you don't, then you're potentially making false statements about someone (although they may want you to make these false statements!).

Web of Trust

One problem with the above protocol is that it becomes very tedious to make any assertion, however weak, about the identity of a person with whom you intend to communicate. PGP/GnuPG allows you to maintain an owner trust database: a database of the extent to which you trust the owners of keys to follow the above procedure rigorously before they will certify someone's identity.

If you trust the owner of a key to do this, you are stating that you believe to some extent that you can trust any keys that they have certified.

Note that there are two different concepts of trust here. Key trust is the amount you trust that the owner of the key is who he/she claims to be. Owner trust is the amount you trust the owner of the key to make accurate assessments of identity. Key trust is computed from owner trust. You cannot modify key trust directly.

To modify owner trust levels from the CLI, use:

$ gpg --edit-key UID

Then enter

Command> trust

You will be asked to choose a level indicating how must you trust the owner of the key to correctly perform the above checks before signing a key:

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately

Do not choose ultimate owner trust. This is for your own keys only.

Enter

Command> quit

to exit. You do not need to save the key (the trust database is updated immediately when you change the trust levels).

LinuxHints/KeySigning (last edited 2013-02-04 01:13:58 by ChrisDennis)