-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 18/07/14 10:07, Nikos Roussos wrote:
On Fri, 2014-07-18 at 01:00 +0100, Allan Irving wrote:
Okay, so I've managed to set up PGP as per the documentation.
My question is how does signing work and when someone signs my key, does it go like this:
- I send them my public key, 2. They sign it.
Yes, but make sure that you send them your public key through a secure channel (ideally in person).
It is usually not necessary to send the public key in a secure channel. You can use the fingerprint to check the authenticity of the public key. The fingerprint on the other hand has to be verified in a "secure" channel, i.e. make sure you are really communicating with the owner of the key and not with a man-in-the-middle. Doing this in the phone or video chat for example is reasonably safe.
There are few cases when you want to keep your public key restricted to a small number of people, i.e. then you also don't want it to appear on a key-server. The reason for NOT submitting your public key to a key-server is that a person can make some statistics based on the signatures on your key and based on signatures of your key on other keys. This can reveal some information about your personality. (see also Roussos' comment below.)
I tend to sign only people I know. If I have to see an ID I don't sign the key :) But that's my personal rule. Everyone has his/her own rules for signing.
Right, in the end it's a matter of choice. That's why you can set the "owner trust" for each key in your key-chain individually, depending on how much your trust them in being careful and accurate in signing other keys. Anyhow, there are some generally agreed guidelines, for example NOT to sign a key just because it's in your address book. A partial remedy for the above mentioned problem of statistical analysis is to sign keys of random people (after validating their identity) at e.g. key-signing parties, at conferences, etc.
- They send me back the exported signed key, which now has
their signature.
Ideally they sign separately each uid of your key and send them to each email address, so they can also verify that you own these emails addresses.
There is a tool that automates this procedure https://wiki.debian.org/caff
Interesting tool, got to try it!
- I then import this into my keychain, and reupload it to a key
server and as an armoured file onto my website or wherever I post it for download.
Yes, but it's up to you if you want to publish a certain signature. Remember that the web of trust is public, so depending on your paranoia level you may or may not want to reveal that certain people trust you key :)
There is also a tool (that I can't recall now) that syncs your keyring asynchronously with multiple keyservers to prevent anyone from knowing which keys you have on your local keyring.
Again make sure that the file you upload on your website is distributed securely at least through https. For instance I serve it though https although the rest of my site is http only: http://www.roussos.cc/contact.html
~nikos
Good point! Another good thing is to have your key signed by CAcert, so people con verify the key's authenticity based on the trust they give to CAcert. ...rally...rally... ;)
Best, Jann
- -- Sent with open-source Free Software. Respect your freedoms! Send me encrypted messages for privacy. OpenPGP key: 8a30148a