many questions

Neil Williams linux at codehelp.co.uk
Mon Aug 2 21:52:12 CEST 2004


On Monday 02 August 2004 7:33, F. Rodriguez wrote:
> Stuardo - StR - Rodriguez wrote:
> > 1) Can I create all the keys in a single machine to export them to the
> > other machines?
>
> Yes. I would create one keyring with all public keys and separate
> keyrings for the private keys on each machine.

Generating all the keys yourself is a bad idea - generating them all on one 
machine (each key generated by the final user) is a practical problem. You 
shouldn't expect people to trust a key generated by someone else! (Generating 
a key requires setting the passphrase and it isn't wise to use a key to which 
someone else has a passphrase. Even if the user changes the passphrase in 
their private key, what is to say that you haven't kept an old private key 
with your own passphrase? Multiple copies of private keys with different 
people should be avoided.)

> > 2) I do not understand the trusting thing....

That much is plain from your first question.
:-)

Try reading these:
http://www.dclug.org.uk/linux_doc/startgnupg.html
http://www.dclug.org.uk/linux_doc/gnupgsign.html

> > If I have a key - like a super key and it  y sign the other 100 keys (i

Yes. Each of those then needs to sign your key and be signed by your key, i.e. 
two-way signatures: A signs B and B signs A. There are keysigning protocols 
for this:
http://www.cryptnet.net/fdp/crypto/gpg-party.html

Signatures are not something to be minimised, a keyholder often invests 
considerable time and effort in collecting as many signatures as possible - 
every signature strengthens the key and the overall web of trust.

> > think it is signing.. i just tell to "trust" the other keys)   then... in

No, it's signing. Setting the trust comes afterwards - GnuPG will ignore any 
user trust setting until the key itself is trusted. (In the --edit-key 
output, trust is shown as two values).

> > the other pc... i have trusted the super key....  Do i need to sign the
> > other keys? 

Just sign the 'super' key. However, to make the web of trust stronger, as many 
users as possible should verify and sign each other's keys.

> > or when I sign the super key, I trust every single key the 
> > super key has signed?

Not necessarily, but you can set it that way. 
(There is no reason why any user MUST trust any key.)

> Basically, yes, if you define your model of trust to be that... But that
> is *your* decision. More on the Web of trust:
> http://en.wikipedia.org/wiki/Web_of_trust
>
> > 3) How do i set a key server where I can search for public keys?  like

Why create another one? Public keys are public and there's no harm in using a 
public keyserver - there is no security issue here, public keyservers are 
designed for public keys. Dump the windows mindset and embrace the community 
- share your public key as widely as possible, keep your private key 
absolutely private.

> > ... in mozilla-thunderbird... I can assign which is the key server to
> > search for the keys.... I want to add there MY server instead of the ones
> > of the list:

Why? You'd be surprised how limiting that could become. Someone in the keyring 
is almost certain to want to use the key to sign/encrypt outside the small 
group. Once users have their own keys (and passphrases), there's nothing to 
stop them signing and being signed by other keys. It should be encouraged - 
it strengthens the web of trust of the entire group.

> It seems most development happens (or used to happen) around PKS:
> http://sourceforge.net/projects/pks/

I thought it was SKS that was most up to date (subkeys etc.)?

-- 

Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
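The points raised in the reply above (owner trust is ignored until the key itself is valid; signing the "super" key does not automatically validate the keys it has signed unless you assign it owner trust; validity is shown alongside trust as a separate value) are easier to see with a small model of GnuPG's classic web-of-trust calculation. The following is an added example written for this page, not code from GnuPG or from anyone in the thread. It assumes GnuPG's default parameters (completes-needed 1, marginals-needed 3, max-cert-depth 5) and simplifies the real algorithm: no expiry or revocation, one user ID per key, and only a key that is already fully valid and carries owner trust can act as an introducer. The keyring, the key names and the signatures are constructed to mirror the scenario in the thread.

```python
"""Constructed model of the GnuPG classic web-of-trust validity calculation.

Example code for this page, not GnuPG's own implementation. Assumptions:
default parameters (completes-needed=1, marginals-needed=3, max-cert-depth=5),
no expiry or revocation, one user ID per key, and an introducer must itself
be fully valid and have owner trust assigned.
"""
from typing import Dict, Iterable, Set, Tuple

COMPLETES_NEEDED = 1   # fully trusted signatures needed for full validity
MARGINALS_NEEDED = 3   # marginally trusted signatures needed for full validity
MAX_CERT_DEPTH = 5     # longest introducer chain back to an ultimately trusted key

Signature = Tuple[str, str]  # (signer, key whose user ID was signed)


def compute_validity(keys: Iterable[str], ownertrust: Dict[str, str],
                     signatures: Set[Signature]) -> Dict[str, str]:
    """Return each key's validity: 'full', 'marginal' or 'unknown'.

    ownertrust maps a key to 'ultimate', 'full', 'marginal' or 'none';
    keys with no entry have no owner trust assigned.  Owner trust is the
    value you set; validity is what GnuPG computes from it plus signatures,
    which is why --edit-key shows the two side by side.
    """
    keys = list(keys)
    validity = {k: "unknown" for k in keys}
    # Depth 0: your own (ultimately trusted) keys are valid by definition.
    for k in keys:
        if ownertrust.get(k) == "ultimate":
            validity[k] = "full"
    # Owner trust only takes effect once the key itself is fully valid, so the
    # introducer set starts with the ultimate keys and grows one depth at a time.
    introducers = {k for k in keys if validity[k] == "full"}
    for _depth in range(1, MAX_CERT_DEPTH + 1):
        newly_full = set()
        for k in keys:
            if validity[k] == "full":
                continue
            signers = {s for s in introducers if (s, k) in signatures}
            full_sigs = sum(1 for s in signers
                            if ownertrust.get(s) in ("ultimate", "full"))
            marginal_sigs = sum(1 for s in signers
                                if ownertrust.get(s) == "marginal")
            if full_sigs >= COMPLETES_NEEDED or marginal_sigs >= MARGINALS_NEEDED:
                validity[k] = "full"
                newly_full.add(k)
            elif full_sigs or marginal_sigs:
                validity[k] = "marginal"
        if not newly_full:
            break   # nothing new became valid; deeper passes cannot change anything
        introducers |= {k for k in newly_full
                        if ownertrust.get(k) in ("full", "marginal")}
    return validity


def thread_scenario(super_trust: str) -> Dict[str, str]:
    """Constructed keyring mirroring the thread: 'me' has verified and signed
    one 'super' key, which has signed the group's keys; three group members
    have also signed 'dave'.  super_trust is the owner trust given to 'super'.
    """
    keys = ["me", "super", "alice", "bob", "carol", "dave", "loner", "eve"]
    signatures = {
        ("me", "super"),                                   # I signed the super key
        ("super", "alice"), ("super", "bob"), ("super", "carol"),
        ("alice", "dave"), ("bob", "dave"), ("carol", "dave"),
        ("loner", "me"),     # one-way: loner signed me, but nobody signed loner
        ("loner", "eve"),
    }
    ownertrust = {
        "me": "ultimate", "super": super_trust,
        "alice": "marginal", "bob": "marginal", "carol": "marginal",
        "loner": "full",     # owner trust on a key that is not valid is ignored
    }
    return compute_validity(keys, ownertrust, signatures)


if __name__ == "__main__":
    for trust in ("full", "marginal", "none"):
        print(f"owner trust on super key = {trust}:")
        for key, val in thread_scenario(trust).items():
            print(f"  {key:6} validity: {val}")
```

Running it shows the three outcomes discussed in the reply: with full owner trust on the super key, everything it signed is fully valid and dave (three marginal signers) is valid too; with marginal owner trust, the group's keys are only marginally valid and cannot introduce dave; with no owner trust, signing the super key validates that key alone. In every case loner stays unknown, because a signature loner made on your key does nothing for loner's own validity, and loner's full owner trust has no effect until someone you trust signs loner's key.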
More information about the Gnupg-users mailing list