Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Computer Support (http://www.velocityreviews.com/forums/f33-computer-support.html)
-   -   Re: My Public Key! (http://www.velocityreviews.com/forums/t726654-re-my-public-key.html)

Mike Easter 06-26-2010 11:18 PM

Re: My Public Key!
 
Justin wrote:
> Here is my public key.


The proper way to publicize your public key is to upload it to a public
keyserver or servers.

The proper way to 'proselytize' your interest in pgp/gpg would be to
simply put your key id someplace like your sig and notice of where the
public key can be found.

The improper way to proselytize pgp/gpg is to post clear signed messages
or keys or encrypted messages into groups which are not committed to
pgp/gpg security discussions. Such interested groups are
alt.security.pgp and a few others.

Also realize that a severe limitation of trying to share public keys by
way of such as your uploading a public key to this newsgroup as you did
or to a public keyserver as I described is that there is no web of
trust, which is an essential ingredient for a meaningful use of public
private keys for encryption or clearsigning.


--
Mike Easter

Nomen Nescio 06-27-2010 04:25 PM

Re: My Public Key!
 
In article <zVvVn.973$Lj2.683@newsfe05.iad>
Mike Easter <MikeE@ster.invalid> wrote:
>
> Justin wrote:
> > Here is my public key.

>
> The proper way to publicize your public key is to upload it to a public
> keyserver or servers.


snipped

> Also realize that a severe limitation of trying to share public keys by
> way of such as your uploading a public key to this newsgroup as you did
> or to a public keyserver as I described is that there is no web of
> trust, which is an essential ingredient for a meaningful use of public
> private keys for encryption or clearsigning.
>
>
> --
> Mike Easter



What does that last paragraph mean? Why is it insecure to upload
your key to a group or to a key server?







Mike Easter 06-27-2010 04:57 PM

Re: My Public Key!
 
Nomen Nescio wrote:
> Mike Easter


>> Also realize that a severe limitation of trying to share public keys by
>> way of such as your uploading a public key to this newsgroup as you did
>> or to a public keyserver as I described is that there is no web of
>> trust, which is an essential ingredient for a meaningful use of public
>> private keys for encryption or clearsigning.


> What does that last paragraph mean? Why is it insecure to upload
> your key to a group or to a key server?


I used the word 'limitation' - you used the word 'insecure'.

The problem with an exchange of public keys by public keyserver or a
newsgroup which publication is distinctly lacking a web of trust is that
there is no 'web of trust' - some verification process - established
that the entity which is uploading the public key is actually the entity
that it is claiming to be.

The idea behind a web of trust or a certification agency is that there
is a process by which some entity's public key is established to belong
to that 'known' entity.

Anyone could say they were 'justin' and upload a key to a newsgroup or a
keyserver.


--
Mike Easter

Mike Easter 06-27-2010 05:25 PM

Re: My Public Key!
 
Mike Easter wrote:

> The idea behind a web of trust or a certification agency is that there
> is a process by which some entity's public key is established to belong
> to that 'known' entity.


Here's a good description of how the pgp web of trust works.

http://www.rubin.ch/pgp/weboftrust.en.html Explanation of the web of
trust of PGP


--
Mike Easter

thadl@no.place.near.here.com 06-27-2010 05:50 PM

Re: My Public Key!
 
On Sun, 27 Jun 2010 10:25:16 -0700, Mike Easter <MikeE@ster.invalid>
wrote:

>Mike Easter wrote:
>
>> The idea behind a web of trust or a certification agency is that there
>> is a process by which some entity's public key is established to belong
>> to that 'known' entity.

>
>Here's a good description of how the pgp web of trust works.
>
>http://www.rubin.ch/pgp/weboftrust.en.html Explanation of the web of
>trust of PGP



It seems that AT&T Path-Server and the experimental

http://the.earth.li/~noodles/pathfind.html.

are no longer available.

Nomen Nescio 06-27-2010 06:10 PM

Re: My Public Key!
 
In article <88pfrsF4pmU1@mid.individual.net>
Mike Easter <MikeE@ster.invalid> wrote:
>
> Mike Easter wrote:
>
> > The idea behind a web of trust or a certification agency is that there
> > is a process by which some entity's public key is established to belong
> > to that 'known' entity.

>
> Here's a good description of how the pgp web of trust works.
>
> http://www.rubin.ch/pgp/weboftrust.en.html Explanation of the web of
> trust of PGP
>
>
> --
> Mike Easter



Great page. Explains if clearly and fully.

Thanks.









Nomen Nescio 06-27-2010 06:20 PM

Re: My Public Key!
 
In article <88pe8jFrgfU1@mid.individual.net>
Mike Easter <MikeE@ster.invalid> wrote:
>
> Nomen Nescio wrote:
> > Mike Easter

>
> >> Also realize that a severe limitation of trying to share public keys by
> >> way of such as your uploading a public key to this newsgroup as you did
> >> or to a public keyserver as I described is that there is no web of
> >> trust, which is an essential ingredient for a meaningful use of public
> >> private keys for encryption or clearsigning.

>
> > What does that last paragraph mean? Why is it insecure to upload
> > your key to a group or to a key server?

>
> I used the word 'limitation' - you used the word 'insecure'.



I had thought of that *after* hitting the Send button. :0)


> The problem with an exchange of public keys by public keyserver or a
> newsgroup which publication is distinctly lacking a web of trust is that
> there is no 'web of trust' - some verification process - established
> that the entity which is uploading the public key is actually the entity
> that it is claiming to be.



Understood.


> The idea behind a web of trust or a certification agency is that there
> is a process by which some entity's public key is established to belong
> to that 'known' entity.
>
> Anyone could say they were 'justin' and upload a key to a newsgroup or a
> keyserver.
>
>
> --
> Mike Easter


Thank you. Makes sense.

Does 'signing' a key help? If so, how?














Mike Easter 06-27-2010 07:06 PM

Re: My Public Key!
 
Nomen Nescio wrote:

> Does 'signing' a key help? If so, how?


Absolutely, or rather yes, (but) not /necessarily/ absolutely -- if you
'know' the person/entity who signed the key -- or if a 'web' can be
constructed by which an unknown signer is known by someone who is
known/trusted by you.

Therein lies the web concept, this part of the web isn't attached
directly to that part, but this part is attached to another part which
is attached to that part.

--
Mike Easter

Mike Easter 06-27-2010 07:32 PM

Re: My Public Key!
 
thadl@no.place.near.here.com wrote:
> Mike Easter


>> Here's a good description of how the pgp web of trust works.


> It seems that AT&T Path-Server and the experimental
>
> http://the.earth.li/~noodles/pathfind.html.
>
> are no longer available.


Tom McCune's site is very useful for pgp stuff

http://www.mccune.cc/PGP.htm Tom McCune's page for Pretty Good Privacy

.... and David Ross http://www.rossde.com/PGP/

Here's a path finder http://pgp.cs.uu.nl/ PGP pathfinder & key statistics


--
Mike Easter


All times are GMT. The time now is 07:57 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.