[kwlug-disc] Generating and using PGP keys

Chris Frey cdfrey at foursquare.net
Thu Feb 19 19:19:17 EST 2009

On Thu, Feb 19, 2009 at 04:35:50PM -0500, R. Brent Clements wrote:
> This conversation may have been had on this list once before, but I
> don't seem to have that part of my old email anymore.
> All this talk about security has made me start to rethink the way I
> use my computers and the internet.  So I thought I should pay some
> attention to the signatures that I do see on some of your emails from
> time to time.

GPG only gives you two things:

	- authentication
	- privacy between other GPG users

I've found that practically, I have little use for either of them.
If I'm sending email to a public mailing list, encryption makes no sense,
and I haven't had enough of a problem with Chris Frey impersonators to
make signing worth it. :-)

But of course, in those few places I need it, it is invaluable.

> To that end, I have looked into GPG, and I can understand how it works
> and why it works.  I was just wondering how everyone here uses it.

I use signing when sending business related documents by email, such as
invoices.  I use encryption for one-on-one email where an extra level of
privacy makes sense.  I also use encryption when creating system backups,
since the usual file permissions mean nothing if someone gains a copy
of the backup media. :-)

(This also means you need to make backups of your private keys as well,
or your backups are useless).

A lot of my email goes to tech mailing lists, and GPG doesn't come into
the picture at all for that.

> I have created a Master key using the tool in Ubuntu.  I understand
> the signing process.  But I would like to know what more I should do,
> and what I should bring with me when I get people to sign my key.

The keysigning party howto is probably the best on this topic.
As for what to bring, I'd recommend:

	- slips of paper with your GPG fingerprint on it, to make it easy
		to hand out
	- some kind of ID with your name on it... preferably a photo ID
		Some people want two forms of ID, but that depends on
		the person doing the signing.  For me, I already know
		you, so I'd just want to make sure you haven't been
		using an alias all this time. :-)

> There is a lot of talk about subkeys and using my key to sign my own
> additional keys.  So what do people suggest?  Should I have another
> key that I get people to sign?  or get them to sign my master key?
> should they be unrelated or connected in a sub-key relationship?

The default DSA + ElGamal set of keypairs generated by GPG is fine.
GPG uses the DSA for signing things, and the Elgamal for encryption.
The purpose of the keys can be viewed with:

	gpg --edit-key your@emailaddress.com
	> list
	> quit
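The `list` output above shows the purpose of each key in a human-readable form; the same information is available machine-readably from `gpg --list-keys --with-colons`, where field 12 of each `pub`/`sub` record holds capability letters (`s` sign, `e` encrypt, `c` certify, `a` authenticate; lowercase letters describe that key, uppercase ones summarise the whole key) and field 4 holds the OpenPGP algorithm number (17 = DSA, 16 = ElGamal encrypt-only, 1 = RSA). The following script is an added example, not part of Chris's message, that parses a constructed sample of that output and reports which key does the signing (the authentication side of GPG) and which does the encryption (the privacy side). The key ids in the sample are placeholders, not real keys.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons` output for the default
# DSA primary key plus ElGamal encryption subkey. Key ids and the uid hash are
# placeholders, not values from any real keyring.
SAMPLE_COLONS='pub:u:1024:17:0000000000000001:2009-02-19:::u:::scESC:
uid:u::::2009-02-19::0000000000000000000000000000000000000001::Example User <user@example.com>:
sub:u:2048:16:0000000000000002:2009-02-19::::::e:'

# Read --with-colons records on stdin and print, for each pub/sub record,
# the record type, key id, algorithm name and the purposes that key carries.
# Only lowercase capability letters are decoded: uppercase ones summarise the
# whole key rather than the individual (sub)key.
key_capabilities() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            if ($4 == 17) algo = "DSA"
            else if ($4 == 16) algo = "ELG-E"
            else if ($4 == 1) algo = "RSA"
            else algo = "algo" $4
            caps = ""
            for (i = 1; i <= length($12); i++) {
                c = substr($12, i, 1)
                if (c == "s") caps = caps " sign"
                else if (c == "e") caps = caps " encrypt"
                else if (c == "c") caps = caps " certify"
                else if (c == "a") caps = caps " authenticate"
            }
            printf "%s %s %s:%s\n", $1, $5, algo, caps
        }'
}

# Print the key id of the (sub)key that carries a given purpose, e.g. "sign"
# or "encrypt", so a script can tell which key signs mail and which encrypts
# backups without scraping the interactive --edit-key output.
key_for_purpose() {
    purpose="$1"
    key_capabilities | awk -v want=" $purpose" '
        index($0, want) { print $2; exit }'
}

# Stand-alone usage against the constructed sample; with a real keyring you
# would pipe `gpg --list-keys --with-colons` in instead.
printf '%s\n' "$SAMPLE_COLONS" | key_capabilities
printf 'signing key:    %s\n' "$(printf '%s\n' "$SAMPLE_COLONS" | key_for_purpose sign)"
printf 'encryption key: %s\n' "$(printf '%s\n' "$SAMPLE_COLONS" | key_for_purpose encrypt)"
```

On the sample this reports the DSA primary key as `sign certify` and the ElGamal subkey as `encrypt`, which is exactly the split Chris describes: the DSA key signs, the ElGamal key encrypts. A backup script can use `key_for_purpose encrypt` to confirm the right subkey is present before trusting that the backups (and the private key needed to read them) are recoverable.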

If this is your first time getting into GPG, I wouldn't complicate things
until you get used to the daily usage.  You can always create an entirely
new key and sign it with your current key... they don't have to be

In fact, you can make as many keys as you need for various purposes.
I'd keep one personal one for email (your "Real Identity"), which
everyone signs.  Then you may want to create a pair for backups, or for
software releases or music mixes on the internet.  A key pair is not
something you must get correct the first time for the rest of your life.

> Then of course once I am ready I will be asking to all to sign it.
> Should we maybe make an announcement to that effect for the next
> meeting so others can get it done too if need be?

I think it would be a great idea to have informal keysignings at every
meeting.  Anyone who is interested asks on the list, and then it gets
included in the official meeting announcement.

- Chris
