Okay, so I've managed to set up PGP as per the documentation.
My question is how does signing work and when someone signs my key, does it go like this:
1. I send them my public key,
2. They sign it.
3. They send me back the exported signed key, which now has their signature.
4. I then import this into my keychain, and reupload it to a key server and as an armoured file onto my website or wherever I post it for download.
Hi Allan,
Allan Irving allanirving@allanirving.co.uk wrote:
Okay, so I've managed to set up PGP as per the documentation.
My question is how does signing work and when someone signs my key, does it go like this:
- I send them my public key,
- They sign it.
Nobody should sign without checking your identity. People who don't know you will normally want to meet you in person.
- They send me back the exported signed key, which now has their signature.
It's legitimate for the other party to upload the key with their signature to a key server.
Best wishes, Michael
-- This message was sent with Free Software: http://fsfe.org
I follow the stuff regarding who to sign etc.
So, what's the best way to keep it all in check after I receive a signature? Have them reupload it to a key server, preferably the main one - I should then download this and reupload it to my website accordingly as it will now contain a signature?
I presume a signature takes up little space else someone with many sigs could find they have a massive key?
On 18/07/14 15:19, Allan Irving wrote:
I follow the stuff regarding who to sign etc.
So, what's the best way to keep it all in check after I receive a signature? Have them reupload it to a key server, preferably the main one - I should then download this and reupload it to my website accordingly as it will now contain a signature?
I presume a signature takes up little space else someone with many sigs could find they have a massive key?
All correct! That's a reasonable way to handle it IMO.
Some keys are a bit massive, if they have hundreds of signatures. For example this one:
http://pgp.mit.edu/pks/lookup?op=get&search=0xD2BB0D0165D0FD58
Best, Jann
Think I understand it now! :)
With the smart card, I presume I don't need to worry about creating a separate signing key etc.? Saw it in the original Debian guide and it was confusing as hell.
On Fri, 2014-07-18 at 01:00 +0100, Allan Irving wrote:
Okay, so I've managed to set up PGP as per the documentation.
My question is how does signing work and when someone signs my key, does it go like this:
- I send them my public key,
- They sign it.
Yes, but make sure that you send them your public key through a secure channel (ideally in person).
I tend to sign only people I know. If I have to see an ID I don't sign the key :) But that's my personal rule. Everyone has his/her own rules for signing.
- They send me back the exported signed key, which now has their signature.
Ideally they sign separately each uid of your key and send them to each email address, so they can also verify that you own these email addresses.
There is a tool that automates this procedure https://wiki.debian.org/caff
- I then import this into my keychain, and reupload it to a key server and as an armoured file onto my website or wherever I post it for download.
Yes, but it's up to you if you want to publish a certain signature. Remember that the web of trust is public, so depending on your paranoia level you may or may not want to reveal that certain people trust your key :)
There is also a tool (that I can't recall now) that syncs your keyring asynchronously with multiple keyservers to prevent anyone from knowing which keys you have on your local keyring.
Again make sure that the file you upload on your website is distributed securely, at least through https. For instance I serve it through https although the rest of my site is http only: http://www.roussos.cc/contact.html
~nikos
On 18/07/14 10:07, Nikos Roussos wrote:
On Fri, 2014-07-18 at 01:00 +0100, Allan Irving wrote:
Okay, so I've managed to set up PGP as per the documentation.
My question is how does signing work and when someone signs my key, does it go like this:
- I send them my public key,
- They sign it.
Yes, but make sure that you send them your public key through a secure channel (ideally in person).
It is usually not necessary to send the public key in a secure channel. You can use the fingerprint to check the authenticity of the public key. The fingerprint on the other hand has to be verified in a "secure" channel, i.e. make sure you are really communicating with the owner of the key and not with a man-in-the-middle. Doing this on the phone or in a video chat for example is reasonably safe.
There are a few cases where you want to keep your public key restricted to a small number of people, i.e. then you also don't want it to appear on a key-server. The reason for NOT submitting your public key to a key-server is that a person can make some statistics based on the signatures on your key and based on signatures of your key on other keys. This can reveal some information about your personality. (see also Roussos' comment below.)
I tend to sign only people I know. If I have to see an ID I don't sign the key :) But that's my personal rule. Everyone has his/her own rules for signing.
Right, in the end it's a matter of choice. That's why you can set the "owner trust" for each key in your key-chain individually, depending on how much you trust them in being careful and accurate in signing other keys. Anyhow, there are some generally agreed guidelines, for example NOT to sign a key just because it's in your address book. A partial remedy for the above mentioned problem of statistical analysis is to sign keys of random people (after validating their identity) at e.g. key-signing parties, at conferences, etc.
- They send me back the exported signed key, which now has their signature.
Ideally they sign separately each uid of your key and send them to each email address, so they can also verify that you own these email addresses.
There is a tool that automates this procedure https://wiki.debian.org/caff
Interesting tool, got to try it!
- I then import this into my keychain, and reupload it to a key server and as an armoured file onto my website or wherever I post it for download.
Yes, but it's up to you if you want to publish a certain signature. Remember that the web of trust is public, so depending on your paranoia level you may or may not want to reveal that certain people trust your key :)
There is also a tool (that I can't recall now) that syncs your keyring asynchronously with multiple keyservers to prevent anyone from knowing which keys you have on your local keyring.
Again make sure that the file you upload on your website is distributed securely, at least through https. For instance I serve it through https although the rest of my site is http only: http://www.roussos.cc/contact.html
~nikos
Good point! Another good thing is to have your key signed by CAcert, so people can verify the key's authenticity based on the trust they give to CAcert. ...rally...rally... ;)
Best, Jann
-- Sent with open-source Free Software. Respect your freedoms! Send me encrypted messages for privacy. OpenPGP key: 8a30148a
Allan Irving allanirving@allanirving.co.uk writes:
My question is how does signing work and when someone signs my key, does it go like this:
A good way to understand what's involved in keysigning in practice is to read instructions for participating in keysigning events.
The Debian instructions are short and simple: https://wiki.debian.org/Keysigning
And the GPG Keysigning Party HOWTO goes into much more detail: http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
Thanks,