Fwd: PGP Signing

Jann Eike Kruse jannkruse at fsfe.org
Fri Jul 18 07:45:17 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 18/07/14 10:07, Nikos Roussos wrote:
> On Fri, 2014-07-18 at 01:00 +0100, Allan Irving wrote:
>> 
>> Okay, so I've managed to set up PGP as per the documentation.
>> 
>> My question is how does signing work and when someone signs my
>> key, does it go like this:
>> 
>> 1. I send them my public key,
>> 2. They sign it.
> 
> Yes, but make sure that you send them your public key through a
> secure channel (ideally in person).

It is usually not necessary to send the public key over a secure
channel. You can use the fingerprint to check the authenticity of the
public key. The fingerprint, on the other hand, has to be verified over
a "secure" channel, i.e. make sure you are really communicating with
the owner of the key and not with a man-in-the-middle. Doing this on
the phone or over video chat, for example, is reasonably safe.

There are a few cases where you want to keep your public key restricted
to a small number of people, in which case you also don't want it to
appear on a key-server. The reason for NOT submitting your public key
to a key-server is that a person can compile statistics based on the
signatures on your key and on the signatures your key has made on other
keys. This can reveal some information about your personality. (See
also Roussos' comment below.)

> I tend to sign only people I know. If I have to see an ID I don't
> sign the key :) But that's my personal rule. Everyone has his/her
> own rules for signing.

Right, in the end it's a matter of choice. That's why you can set the
"owner trust" for each key in your key-chain individually, depending
on how much you trust them to be careful and accurate in signing
other keys.
Anyhow, there are some generally agreed guidelines, for example NOT to
sign a key just because it's in your address book.
A partial remedy for the above mentioned problem of statistical
analysis is to sign keys of random people (after validating their
identity) at e.g. key-signing parties, at conferences, etc.

>> 3. They send me back the exported signed key, which now has
>> their signature.
> 
> Ideally they sign separately each uid of your key and send them to
> each email address, so they can also verify that you own these
> emails addresses.
> 
> There is a tool that automates this procedure 
> https://wiki.debian.org/caff
> 

Interesting tool, got to try it!

>> 4. I then import this into my keychain, and reupload it to a key 
>> server and as an armoured file onto my website or wherever I post
>> it for download.
> 
> Yes, but it's up to you if you want to publish a certain
> signature. Remember that the web of trust is public, so depending
> on your paranoia level you may or may not want to reveal that
> certain people trust your key :)
> 
> There is also a tool (that I can't recall now) that syncs your
> keyring asynchronously with multiple keyservers to prevent anyone
> from knowing which keys you have on your local keyring.
> 
> Again make sure that the file you upload on your website is
> distributed securely, at least through https. For instance I serve
> it through https although the rest of my site is http only:
> http://www.roussos.cc/contact.html
> 
> ~nikos

Good point!
Another good thing is to have your key signed by CAcert, so people can
verify the key's authenticity based on the trust they give to CAcert.
...rally...rally... ;)

Best,
Jann

- -- 
Sent with open-source Free Software. Respect your freedoms!
Send me encrypted messages for privacy. OpenPGP key: 8a30148a
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQEcBAEBAgAGBQJTyNCNAAoJEC9YRhK61gPMKNsIAIquX5NLheFGTw1HnRFxYM95
PjTZVmn3i7KgX8qmAxlFu1AQraQ7VYqMs6tw3ZFdI8lly6dT8J0wxGu4JCFZIV6C
xmqdTxhj6Uo82yAQjOVaZzr/RA3CBEGhOteCoIbpCZm4i5AA9/Azs2AGhlO83fsR
L6NVBW36I/2n4tkJgPSPLXKpyDUXw7H3Q6+6D5kIwR4vxs/uwM9Qblam9M5Dq7Ft
QV/7I8r996z/Pu77H4h+CtFILuYYfiEsd6cGEJ56foaHA7X5+6f4wUMwcC71iyfk
5sTbC31PxVslLv7lzVyyQcXY0b3OZQQl/IlOfHPZgNFYoWb2wqdvEp/x5iJGYNE=
=GEAW
-----END PGP SIGNATURE-----
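Added example, not part of the thread above (neither Jann's, Nikos' nor Allan's words or code): the fingerprint check that the message recommends, done by hand so you can see what a fingerprint actually covers. It builds a version-4 OpenPGP public-key packet body, computes the RFC 4880 fingerprint (SHA-1 over 0x99, a two-byte length, and the packet body), derives the long and short key IDs from it, and compares the result in constant time against a fingerprint that the owner read out over the phone or video chat. It goes slightly beyond the text by also showing why the 8-hex-digit short key ID printed in the signature block is not a substitute for the full fingerprint. The RSA modulus, exponent, creation time and the "man-in-the-middle" key are all constructed for illustration and are not usable keys.

```python
# Added example (not from the mailing-list thread): compute an OpenPGP v4
# fingerprint from a public-key packet body and check it against a
# fingerprint verified out of band, as the thread recommends.
import hashlib
import hmac
import struct


def encode_mpi(value: int) -> bytes:
    """RFC 4880 s3.2 multiprecision integer: 2-byte bit count, then the
    big-endian magnitude with no leading zero bytes."""
    if value < 0:
        raise ValueError("MPIs are unsigned")
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 public-key packet (RFC 4880 s5.5.2) for an RSA key:
    version byte 4, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + encode_mpi(n) + encode_mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 s12.2: SHA-1 over 0x99, the two-byte body length, and the body.
    Every byte of the packet is covered, so a substituted key (different n,
    e, or even a different creation time) yields a different fingerprint."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fpr: bytes) -> bytes:
    """64-bit key ID: the low-order 8 bytes of the v4 fingerprint."""
    return fpr[-8:]


def short_key_id(fpr: bytes) -> bytes:
    """32-bit 'short' key ID (the 8a30148a style used in the signature above):
    the low-order 4 bytes. Only 2^32 possibilities, so generating a key with
    a chosen short ID is cheap; never verify a key against one."""
    return fpr[-4:]


def format_fingerprint(fpr: bytes) -> str:
    """Render as ten upper-case groups of four hex digits, the way people
    read a fingerprint out over the phone."""
    h = fpr.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def fingerprint_matches(received_body: bytes, verified_text: str) -> bool:
    """Compare the fingerprint of a key received over an insecure channel
    (mail, key-server, website) with the one the owner confirmed over a
    secure channel. Accepts spaces and either case, and refuses anything
    shorter than the full 160-bit fingerprint so a key ID is never accepted
    by mistake. The comparison is constant-time out of habit."""
    digits = "".join(verified_text.split())
    if len(digits) != 40:
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    expected = bytes.fromhex(digits)
    return hmac.compare_digest(v4_fingerprint(received_body), expected)


# Constructed sample: NOT a real key. A 64-bit "modulus" keeps the packet short.
SAMPLE_N = 0xC0FFEE0123456789
SAMPLE_E = 65537
SAMPLE_CREATED = 1405669517  # an arbitrary timestamp on 2014-07-18, for illustration
SAMPLE_BODY = v4_rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)

# What a man-in-the-middle might hand you instead (also constructed):
# same exponent, same creation time, their own modulus.
MITM_BODY = v4_rsa_public_key_body(0xBADC0DE987654321, SAMPLE_E, SAMPLE_CREATED)


if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_BODY)
    spoken = format_fingerprint(fpr)  # what the owner reads out on the phone
    print("fingerprint  :", spoken)
    print("long key id  :", long_key_id(fpr).hex().upper())
    print("short key id :", short_key_id(fpr).hex())
    print("genuine key matches:", fingerprint_matches(SAMPLE_BODY, spoken))
    print("MITM key matches   :", fingerprint_matches(MITM_BODY, spoken))
```

Note that the same check is what `gpg --fingerprint` followed by a careful read-out gives you; the point of doing it by hand here is to see that the fingerprint binds the whole key packet, and that the short key ID (the last four bytes) carries far too little of it to identify a key.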