GPG/PGP public keys

Kevin Cole
Gallaudet Research Institute
kevin.cole@gallaudet.edu
Copyright © 2002

Thanks to Federico Grau (a.k.a. donfede) <donfede@casagrau.org>

PGP/GPG Public keys, fingerprints, etc

If you receive a lot of mail from someone who uses Pretty Good Privacy (PGP) or the GNU Privacy Guard (GPG), you may get tired of seeing the junk at the bottom of their messages. If your mail software is capable of working with PGP or GPG, you can make these messages a lot cleaner, and in the process, verify the legitimacy of the messages.

Start by examining the sender's plain-text (i.e. human-readable) signature and look for a Key ID, a Fingerprint, or a URL saying where to find the user's Public key. Once you have the key (typically an ASCII-armored .asc file), import it into your keyring:

gpg --import «newkey».asc

After meeting in person, and satisfying yourself that the person is who they claim to be, you can lend legitimacy to their public key by signing it with your own key. This is a way of giving the key your stamp of authenticity. Identity should be verified using a government-issued picture ID.

gpg --list-keys | grep -i «person»            # find the person's key ID
gpg --sign-key «key ID»                       # sign the key directly, or use the interactive editor:
gpg --edit-key «key ID»
sign
trust
quit
gpg --armor -o signed.asc --export «key ID»   # export the now-signed key (the option is --export, not --export-key)
gpg --send-keys «key ID»                      # publish the signed key to your keyserver

Run the following command to confirm your key ID and key fingerprint.

$ gpg --fingerprint cole
pub 1024D/E6F332C7 2002-04-16 Kevin Cole (Gallaudet University) <kevin.cole@gallaudet.edu>
Key fingerprint = 75E2 0A77 FC0C 2128 F3B3 AA07 87CE F4D8 E6F3 32C7
sub 2048g/8B2232AD 2002-04-16

Print (or write, if you like) that information and bring it to the meeting. I will do the same (I keep a couple of slips in my wallet to hand out; more sophisticated people include that information on their business cards).

At the meeting we will confirm each other's identity (check driver's license or other form of ID). We then exchange the printouts that we brought.

Once home, we will each sign the other's key using the "--sign-key" option, passing it the other person's hex key ID from the printout. You will be shown the same information that is on the printout (hex key ID, associated email, fingerprint). Carefully confirm that the information on the printout matches the key you got off the net.

$ gpg --sign-key E6F332C7

pub 1024D/E6F332C7 created: 2002-04-16 expires: never trust: -/q
sub 2048g/8B2232AD created: 2002-04-16 expires: never
(1). Kevin Cole (Gallaudet University) <kevin.cole@gallaudet.edu>


pub 1024D/E6F332C7 created: 2002-04-16 expires: never trust: -/q
Fingerprint: 75E2 0A77 FC0C 2128 F3B3 AA07 87CE F4D8 E6F3 32C7

Kevin Cole (Gallaudet University) <kevin.cole@gallaudet.edu>

Are you really sure that you want to sign this key
with your key: "Federico Grau (personal key) <donfede@casagrau.org>"

Really sign?
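The "carefully confirm" step above is the one that matters, so here is an added example (not part of the original page) of doing it mechanically before running gpg --sign-key: it normalizes a hand-typed fingerprint, checks that the key ID really is the tail of that fingerprint, and compares the printout against the fpr record of gpg --with-colons --fingerprint output. The colon-format sample below is constructed for the key shown on this page, not captured from a real run.

```shell
#!/bin/sh
# Added example, not from the original page: checks done before "gpg --sign-key".
# Assumes the printout fingerprint is typed in by hand and that keyring data
# comes from "gpg --with-colons --fingerprint".

# Strip spaces/newlines and upper-case, so "75e2 0a77 ..." and
# "75E20A77..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-z' 'A-Z'
}

# A short key ID such as E6F332C7 (8 hex digits) or a long one (16) is the
# tail of the 40-digit V4 fingerprint. Returns 0 only when the ID really
# belongs to that fingerprint; catches a typo between printout and keyring.
fpr_matches_keyid() {
    fpr=$(normalize_fpr "$1")
    id=$(normalize_fpr "$2")
    [ ${#fpr} -eq 40 ] || return 1
    case "$fpr" in
        *"$id") [ ${#id} -eq 8 ] || [ ${#id} -eq 16 ] ;;
        *) return 1 ;;
    esac
}

# Pull the fingerprint (field 10 of the "fpr" record) out of
# "gpg --with-colons --fingerprint" output read from stdin.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Exact comparison of the printout against the key actually in the keyring
# ($2 is the colon-format gpg output). Returns 0 only on a full match.
printout_matches_key() {
    printed=$(normalize_fpr "$1")
    keyring_fpr=$(printf '%s\n' "$2" | fpr_from_colons)
    [ -n "$printed" ] && [ "$printed" = "$keyring_fpr" ]
}

# Constructed sample of colon output for the key shown on this page
# (not captured from a real run; only the fpr record is needed).
SAMPLE_COLONS='pub:-:1024:17:87CEF4D8E6F332C7:2002-04-16:::-:Kevin Cole (Gallaudet University) <kevin.cole@gallaudet.edu>::scESC:
fpr:::::::::75E20A77FC0C2128F3B3AA0787CEF4D8E6F332C7:'
# The fingerprint as copied from the slip of paper, lowercase on purpose.
PRINTOUT='75e2 0a77 fc0c 2128 f3b3 aa07 87ce f4d8 e6f3 32c7'
if fpr_matches_keyid "$PRINTOUT" E6F332C7 \
   && printout_matches_key "$PRINTOUT" "$SAMPLE_COLONS"; then
    echo "printout matches key E6F332C7: safe to run gpg --sign-key E6F332C7"
else
    echo "MISMATCH: do not sign this key" >&2
fi
```

To use it against your own keyring, replace SAMPLE_COLONS with the output of gpg --with-colons --fingerprint «key ID».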

Once we sign the key, email it back to the other person and also post it to your public keyserver.

That's about it.

What's involved in a signing?

I mean, I know what the purpose is, but I don't know the procedure. Do we just show up with a piece of paper with the ASCII armored key and say "Yup, that's me." or what?

Keep a copy of your public key on a separate web page so people can easily cut and paste it. Send your keys to wwwkeys.us.pgp.net and www.keyserver.net. Include your Key ID or fingerprint in your plain-text signature.