signing documents and others

John Clizbe John at Mozilla-Enigmail.org
Sat Sep 27 06:03:22 CEST 2008


Lawrence Chin wrote:
> After being too busy, I'm back with questions and questions....
> 
> I'm using openoffice.org writer. I don't know how many of you are
> familiar with it. My first question is:
> 
> (1) I notice that openoffice writer allows you to digitally sign the
> document created. But I already noticed that I can sign and encrypt any
> document I have created with GPGEE's context menu. Are the two really
> the same thing?

Sort of. OpenOffice (Acrobat, and other applications) use X.509 certificates to
sign. GPGEE's context menu uses OpenPGP keys as I recall. The two are similar
in mechanics but are not interoperable.

> (2) In the "help" file of openoffice.org, it says:
> 
> "When you receive a signed document, and the software reports that the
> signature is valid, this does not mean that you can be absolutely sure
> that the document is the same [as] that [which] the sender has sent.
*snip*

A signature verifies that the file received is the same as the file that was
signed. Whether or not the sender actually did the signing or sent that exact
file is another discussion.

> I have very little idea even til now as to what exactly certificate
> does. I suppose I get a certificate with CaCert to validate my identity
> and then get them to sign my keys? 

Free certificates are available from Thawte (even though they were bought by
VeriSlime); as well as CACert and TC TrustCenter GmbH.

http://www.thawte.com/secure-email/personal-email-certificates/index.html
http://www.cacert.org/
http://www.trustcenter.de/en/products/tc_internet_id.htm

Thawte and CACert have programs in place to create a network of assurers who can
verify identity beyond the basic Class 1 level.

> But what's the "Windows system of validating a signature"? (I use Vista and
> IE) On the "Certificates" windows in the "internet options" in my IE 7
> browser, I saw that there are a lot of certificates of big companies listed
> in "trusted root certificate authorities" and "intermediate certification
> authorities", but none in "other people" and "personal". I suppose if I can
> get a x.509 through CaCert, then I would put that x.509 in "personal"? Is
> that right?

The Windows "system" of validating a signature is the same as the browser's -
it's defined by the standard. Yes, the new certs will go into "Personal" as you
will have the secret key to enable you to sign things.

> I got more questions.
> 
> (3) To tell you guys the truth, I don't even know where my private keys
> and my key ring are stored in my computer. Do you guys know the possible
> file names and path?

See section #1 of the next question.

> (4) And -- I know this question must have been asked 100 times already
> here, but I want to ask instead of spending the next 3 hours doing
> research -- how exactly to save my private keys onto like a USB drive or
> a CD?

Everyone does this differently. Here's what I do.

1) Backup the keyring files.

You're on Windows, so your keyring files are located, by default, in
%APPDATA%\GnuPG. On English systems, APPDATA expands to
"C:\Documents and Settings\<username>\Application Data\". Copy all three *.gpg
files to your backup media (PCMCIA flash, USB, CF, SD, ZIP, etc...).
I use subdirectories for X.509 certs, GnuPG keys, and PGP key rings.

2) Export your keypair.

On Windows, I use GPGshell. Launch GPGkeys, select the key and choose Export
from the pull-down or context menu. You'll be prompted for a location to store
the public key, choose your backup location. Then you'll be asked if you wish to
export your secret key, click OK and again choose your backup location.
GPGshell will create armored keys with the name
"<your name> (<keyID>) pub.asc" and "<your name> (<keyID>) sec.asc"

3) Make a backup of the backup on a *different* media type.

This is when I burn things to a credit card CD.

4) Securely store each backup in a *different* location.

> (5) How to add an additional UID to my kurt c key on the keyserver? I
> want to add my real name to it.

At a command prompt:

    gpg --edit-key 0xdecafbad adduid

Supply your Real Name, Email Address, and any Comment. If it looks fine, enter O
for Okay. You'll then be asked for your passphrase to generate a self-signature
for that ID.

gpg will then display a list of IDs on the key. If you wish the new UID to be
primary, enter its number to select it, then the command 'primary' followed by
the command 'save'. Now update the keyserver copy:

    gpg --keyserver pool.sks-keyservers.net --send-key 0xdecafbad


> Thanks for helping out an idiot here.

Not an idiot at all. Quite decent questions.

-- 
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
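The backup routine from steps 1 to 3 above, written out as an added POSIX shell example that is not from the original thread. It copies the keyring files, exports an armored copy of the key pair when gpg is on the PATH, and records a checksum manifest so the second copy on different media can be checked; the directory names are assumptions, and the key ID is whatever the caller passes (the thread's 0xdecafbad is only a placeholder).

```shell
#!/bin/sh
# Added example, not code from the thread. Backs up a GnuPG home directory
# following the steps described in the reply: keyring files, armored key
# exports, and a checksum manifest for verifying the copy on other media.
# Assumes POSIX sh and GNU coreutils (sha256sum); gpg is optional.

backup_gnupg_home() {
    src="$1"    # GnuPG home: %APPDATA%\GnuPG on Windows, ~/.gnupg elsewhere
    dest="$2"   # backup directory on the removable media
    keyid="$3"  # key to export in armored form; empty string skips the export
    mkdir -p "$dest/gnupg-keyrings" || return 1

    # Step 1: the keyring files. GnuPG 1.x keeps pubring.gpg, secring.gpg and
    # trustdb.gpg (the "three *.gpg files" in the thread); GnuPG 2.1+ also
    # uses pubring.kbx and a private-keys-v1.d/ directory for secret keys.
    for f in "$src"/*.gpg "$src"/*.kbx; do
        if [ -f "$f" ]; then
            cp -p "$f" "$dest/gnupg-keyrings/" || return 1
        fi
    done
    if [ -d "$src/private-keys-v1.d" ]; then
        cp -pR "$src/private-keys-v1.d" "$dest/gnupg-keyrings/" || return 1
    fi

    # Step 2: armored public and secret key exports, equivalent to the
    # GPGshell "Export" described in the thread (gpg will ask for the
    # passphrase when exporting the secret key).
    if [ -n "$keyid" ] && command -v gpg >/dev/null 2>&1; then
        gpg --homedir "$src" --armor --export "$keyid" \
            > "$dest/$keyid-pub.asc" || return 1
        gpg --homedir "$src" --armor --export-secret-keys "$keyid" \
            > "$dest/$keyid-sec.asc" || return 1
    fi

    # Step 3 support: a manifest of SHA-256 sums lets you confirm that the
    # copy burned to CD is byte-for-byte the same as the one on the USB stick.
    (cd "$dest" && find . -type f ! -name MANIFEST.sha256 | sort \
        | xargs sha256sum > MANIFEST.sha256)
}

# Returns 0 when every file in the backup still matches the manifest.
verify_backup() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256 >/dev/null 2>&1)
}
```

Run `backup_gnupg_home "$GNUPGHOME" /media/usb/gnupg 0xdecafbad` against the first medium, copy the directory to the second, and run `verify_backup` on each copy before putting them in their separate locations.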
