Re: My Public Key!

Discussion in 'Computer Support' started by Mike Easter, Jun 27, 2010.

  1. Mike Easter

    Mike Easter Guest

    Justin wrote:
    > Here is my public key.


    The proper way to publicize your public key is to upload it to a public
    keyserver or servers.

    The proper way to 'proselytize' your interest in pgp/gpg would be to
    simply put your key id someplace like your sig and notice of where the
    public key can be found.

    The improper way to proselytize pgp/gpg is to post clear signed messages
    or keys or encrypted messages into groups which are not committed to
    pgp/gpg security discussions. Such interested groups are
    alt.security.pgp and a few others.

    Also realize that a severe limitation of trying to share public keys by
    way of such as your uploading a public key to this newsgroup as you did
    or to a public keyserver as I described is that there is no web of
    trust, which is an essential ingredient for a meaningful use of public
    private keys for encryption or clearsigning.


    --
    Mike Easter
     
    Mike Easter, Jun 27, 2010
    #1
    1. Advertising

  2. Mike Easter

    Nomen Nescio Guest

    In article <zVvVn.973$>
    Mike Easter <> wrote:
    >
    > Justin wrote:
    > > Here is my public key.

    >
    > The proper way to publicize your public key is to upload it to a public
    > keyserver or servers.


    snipped

    > Also realize that a severe limitation of trying to share public keys by
    > way of such as your uploading a public key to this newsgroup as you did
    > or to a public keyserver as I described is that there is no web of
    > trust, which is an essential ingredient for a meaningful use of public
    > private keys for encryption or clearsigning.
    >
    >
    > --
    > Mike Easter



    What does that last paragraph mean? Why is it insecure to upload
    your key to a group or to a key server?
     
    Nomen Nescio, Jun 27, 2010
    #2
    1. Advertising

  3. Mike Easter

    Mike Easter Guest

    Nomen Nescio wrote:
    > Mike Easter


    >> Also realize that a severe limitation of trying to share public keys by
    >> way of such as your uploading a public key to this newsgroup as you did
    >> or to a public keyserver as I described is that there is no web of
    >> trust, which is an essential ingredient for a meaningful use of public
    >> private keys for encryption or clearsigning.


    > What does that last paragraph mean? Why is it insecure to upload
    > your key to a group or to a key server?


    I used the word 'limitation' - you used the word 'insecure'.

    The problem with an exchange of public keys by public keyserver or a
    newsgroup which publication is distinctly lacking a web of trust is that
    there is no 'web of trust' - some verification process - established
    that the entity which is uploading the public key is actually the entity
    that it is claiming to be.

    The idea behind a web of trust or a certification agency is that there
    is a process by which some entity's public key is established to belong
    to that 'known' entity.

    Anyone could say they were 'justin' and upload a key to a newsgroup or a
    keyserver.


    --
    Mike Easter
     
    Mike Easter, Jun 27, 2010
    #3
  4. Mike Easter

    Mike Easter Guest

    Mike Easter wrote:

    > The idea behind a web of trust or a certification agency is that there
    > is a process by which some entity's public key is established to belong
    > to that 'known' entity.


    Here's a good description of how the pgp web of trust works.

    http://www.rubin.ch/pgp/weboftrust.en.html Explanation of the web of
    trust of PGP


    --
    Mike Easter
     
    Mike Easter, Jun 27, 2010
    #4
  5. Mike Easter

    Guest

    On Sun, 27 Jun 2010 10:25:16 -0700, Mike Easter <>
    wrote:

    >Mike Easter wrote:
    >
    >> The idea behind a web of trust or a certification agency is that there
    >> is a process by which some entity's public key is established to belong
    >> to that 'known' entity.

    >
    >Here's a good description of how the pgp web of trust works.
    >
    >http://www.rubin.ch/pgp/weboftrust.en.html Explanation of the web of
    >trust of PGP



    It seems that AT&T Path-Server and the experimental

    http://the.earth.li/~noodles/pathfind.html.

    are no longer available.
     
    , Jun 27, 2010
    #5
  6. Mike Easter

    Nomen Nescio Guest

    In article <>
    Mike Easter <> wrote:
    >
    > Mike Easter wrote:
    >
    > > The idea behind a web of trust or a certification agency is that there
    > > is a process by which some entity's public key is established to belong
    > > to that 'known' entity.

    >
    > Here's a good description of how the pgp web of trust works.
    >
    > http://www.rubin.ch/pgp/weboftrust.en.html Explanation of the web of
    > trust of PGP
    >
    >
    > --
    > Mike Easter



    Great page. Explains if clearly and fully.

    Thanks.
     
    Nomen Nescio, Jun 27, 2010
    #6
  7. Mike Easter

    Nomen Nescio Guest

    In article <>
    Mike Easter <> wrote:
    >
    > Nomen Nescio wrote:
    > > Mike Easter

    >
    > >> Also realize that a severe limitation of trying to share public keys by
    > >> way of such as your uploading a public key to this newsgroup as you did
    > >> or to a public keyserver as I described is that there is no web of
    > >> trust, which is an essential ingredient for a meaningful use of public
    > >> private keys for encryption or clearsigning.

    >
    > > What does that last paragraph mean? Why is it insecure to upload
    > > your key to a group or to a key server?

    >
    > I used the word 'limitation' - you used the word 'insecure'.



    I had thought of that *after* hitting the Send button. :0)


    > The problem with an exchange of public keys by public keyserver or a
    > newsgroup which publication is distinctly lacking a web of trust is that
    > there is no 'web of trust' - some verification process - established
    > that the entity which is uploading the public key is actually the entity
    > that it is claiming to be.



    Understood.


    > The idea behind a web of trust or a certification agency is that there
    > is a process by which some entity's public key is established to belong
    > to that 'known' entity.
    >
    > Anyone could say they were 'justin' and upload a key to a newsgroup or a
    > keyserver.
    >
    >
    > --
    > Mike Easter


    Thank you. Makes sense.

    Does 'signing' a key help? If so, how?
     
    Nomen Nescio, Jun 27, 2010
    #7
  8. Mike Easter

    Mike Easter Guest

    Nomen Nescio wrote:

    > Does 'signing' a key help? If so, how?


    Absolutely, or rather yes, (but) not /necessarily/ absolutely -- if you
    'know' the person/entity who signed the key -- or if a 'web' can be
    constructed by which an unknown signer is known by someone who is
    known/trusted by you.

    Therein lies the web concept, this part of the web isn't attached
    directly to that part, but this part is attached to another part which
    is attached to that part.

    --
    Mike Easter
     
    Mike Easter, Jun 27, 2010
    #8
  9. Mike Easter

    Mike Easter Guest

    Mike Easter, Jun 27, 2010
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.

Share This Page