
Re: PGP keysigning in the Bay Area?



-----BEGIN PGP DECRYPTED BLOCK-----
-----BEGIN PGP SIGNED MESSAGE-----BY SAFEMAIL-----

Hello,

Sorry I didn't reply for so long -- been a bit busy. You might want to get
hold of the PGP faq. It might make PGP's use of signatures, keyservers,
keysigning, whatnot a bit more clear.


>I was just told to sign my key.

Yes, you should always do this, because otherwise people can hack new
user ID's into your key. Even after you sign it, people can still hack
in new user ID's, but won't be able to sign it, making it obvious to
anyone who looks that the new user ID is untrustworthy.

Incidentally, your <robert@dummy.us.eu.org> user ID is NOT signed by you.


>I don't know why it matters at all since
>the keyserver key can get overwritten at any time by anybody.  But I can
>read this message so something must be right!

Not quite accurate. Anyone can resubmit your key, but it is *NEVER*
overwritten, only added to. It's kind of annoying, because if your
email address ever changes, you can't get rid of the old ID from the
keyservers. But, it prevents anyone from ever deleting your key. However,
as I mentioned above, people can hack in new user ID's, which is why you
should sign each user ID yourself.

And also by the way, I did NOT encrypt the last email I sent to you. I
tend not to encrypt email, even to people who use PGP, unless they
specifically request encrypted email. (A lot of people find it a chore
to decrypt.) You might have noticed that you didn't have to enter a
password to read the last email, or this one?


>Regardless, I don't know who I'd ask to get my key signed since I'm the
>only one I know who uses PGP (other than you, I suppose).

Probably, no one who signs responsibly would sign your key at present,
because there are only anonymous user ID's on your key right now. But,
if you ever generate another key or user ID with your identity imprinted
on it, you'd be much more likely to find willing signers.

(I recently finally got my key signed by someone besides me. We had been
corresponding by email, and I asked him to sign my key, if I could prove
to him who I was. We ended up snail-mailing to one another copies of
our drivers licenses with photo and signature, along with a PGP key
fingerprint. I wouldn't sign his key without proof that it was really him,
and he wouldn't sign mine unless I could prove that I was really Joe Chou.
This is what I mean when I say that signing a PGP public key is showing
your belief that a given user ID on a key really *belongs* to an actual
person.)


>Say, how come your address, jchou@cgl.ucsf.EDU, doesn't have a key on
>pgp.ai.mit.edu?

The mailing system is jchou@cgl, but my email address is jchou@socrates.
If you searched with jchou@socrates.ucsf.edu, you'd find me. Alternatively,
you can search by the key ID I include in my sig: 3FA76F7D (you actually
search using 0x3FA76F7D; I have no idea why "0x" is required).


>Also, what is this SAFEMAIL thing?  My PGP decrypter doesn't seem to deal
>with it (it didn't verify your signature).

You can't verify the signature on a message unless you have my public
key, which you seemed to suggest that you couldn't find at the MIT
keyserver.

If you *did* get my public key somehow, and the signature didn't verify,
please let me know. SafeMail is a new implementation of PGP for the Mac,
and it's still in beta testing. If the signature didn't verify because
of a bug, I should let them know.

(And even if you *did* get the key from a keyserver, and the signature
*did* verify, you shouldn't believe it really came from a guy named
"Joe Chou" unless you personally verified, perhaps over the phone, that
the key you got belonged to him. Or, if the key you got from the keyserver
was signed by someone you personally trust to responsibly sign keys. Do
you see the point of keysigning now?)

A lot of this would probably be a bit clearer if you read through the
PGP faq. It does a lot better at explaining things than I do. Let me know
if you want it, or want a pointer to it. And if you want to test your
system for decrypting, I can send you an encrypted copy of this email.


Regards,

Joe





-----BEGIN PGP SIGNATURE-----BY SAFEMAIL-----
Version: 1.0b5a e29

iQCVAwUBMq7L4wtQSc4/p299AQF9sAP+MblySMko09K71l/pYWw3iAEREQVQnKpZ
UxHJZ/3VrEYpHt7QuCduWY43/gdEwK4733txE30qvfyQ/JVyz1E6qn3HENnfSTGn
+KxbipHZ9Jah+MOEnI2qqICMeJvuJ1Lp5eLEq3ELabzq+K3FV/Kvf06VuHI8w0QD
8WmfA1dF7e0=
=Vqf/
-----END PGP SIGNATURE-----
-----END PGP DECRYPTED BLOCK-----

| Joe Chou  <jchou@socrates.ucsf.edu>
| http://devbio-mac1.ucsf.edu/joe.html
| Bargmann Lab, UCSF Department of Biochemistry
| PGP KeyID 0x3FA76F7D: at web page or public key servers
| PGP Fingerprint [004C 5A68 CC2F DA20 3999 3355 0E8D 7B3F]
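
As an added illustration (not code from the message above, from SafeMail, or from any PGP implementation), the Python below strips the radix-64 armor from the signature block in this e-mail and decodes the version 3 signature packet inside it, following the packet layout and CRC-24 given in RFC 4880. It matches only the standard prefix of the BEGIN/END armor lines, so SafeMail's non-standard "-----BY SAFEMAIL-----" suffix does not break it; a strict armor parser may refuse such a line outright, which is one possible reason a PGP tool would not "deal with" the message regardless of whether the signer's public key was on hand. The sample block is copied from the signature above; the dataclass and function names are the example's own.

```python
"""Decode the version 3 PGP signature packet inside an ASCII-armored block."""
import base64
from dataclasses import dataclass

# Sample input, copied from the signature block in the e-mail above.  SafeMail
# appends "BY SAFEMAIL-----" to the standard armor header line.
SAMPLE_ARMOR = """\
-----BEGIN PGP SIGNATURE-----BY SAFEMAIL-----
Version: 1.0b5a e29

iQCVAwUBMq7L4wtQSc4/p299AQF9sAP+MblySMko09K71l/pYWw3iAEREQVQnKpZ
UxHJZ/3VrEYpHt7QuCduWY43/gdEwK4733txE30qvfyQ/JVyz1E6qn3HENnfSTGn
+KxbipHZ9Jah+MOEnI2qqICMeJvuJ1Lp5eLEq3ELabzq+K3FV/Kvf06VuHI8w0QD
8WmfA1dF7e0=
=Vqf/
-----END PGP SIGNATURE-----
"""

PUBKEY_ALGS = {1: "RSA", 16: "ElGamal", 17: "DSA"}
HASH_ALGS = {1: "MD5", 2: "SHA-1"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document",
             0x10: "generic user ID certification", 0x11: "persona certification",
             0x12: "casual certification", 0x13: "positive certification"}


def crc24(data: bytes) -> int:
    """CRC-24 used for OpenPGP armor checksums (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> tuple[bytes, bool]:
    """Return (packet bytes, crc_ok) from a PGP SIGNATURE armor block.

    Only the standard prefix of the BEGIN/END lines is matched, so a vendor
    suffix such as SafeMail's does not stop parsing.
    """
    lines = armored.splitlines()
    begin = next(i for i, ln in enumerate(lines)
                 if ln.startswith("-----BEGIN PGP SIGNATURE-----"))
    end = next(i for i, ln in enumerate(lines)
               if ln.startswith("-----END PGP SIGNATURE-----"))
    body = lines[begin + 1:end]
    while body and body[0].strip():      # armor headers end at the first blank line
        body.pop(0)
    chunks, checksum = [], None
    for ln in body:
        ln = ln.strip()
        if not ln:
            continue
        if ln.startswith("="):           # "=XXXX" trailer carries the CRC-24
            checksum = int.from_bytes(base64.b64decode(ln[1:]), "big")
        else:
            chunks.append(ln)
    data = base64.b64decode("".join(chunks))
    return data, checksum is not None and crc24(data) == checksum


@dataclass
class V3Signature:
    sig_type: str
    created: int        # Unix timestamp of signature creation
    key_id: str         # full 64-bit issuer key ID, hex
    short_key_id: str   # low 32 bits: the form quoted as "0x3FA76F7D"
    pubkey_alg: str
    hash_alg: str
    hash_prefix: bytes  # left 16 bits of the hash, for quick rejection only
    mpi_bits: int       # bit length of the signature value


def parse_v3_signature(packet: bytes) -> V3Signature:
    """Parse an old-format packet header and a v3 signature body (RFC 4880, 5.2.2)."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("not a PGP packet")
    if tag_byte & 0x40:
        raise ValueError("new-format header; this example handles old-format only")
    tag = (tag_byte >> 2) & 0x0F
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    length_bytes = {0: 1, 1: 2, 2: 4}.get(tag_byte & 0x03)
    if length_bytes is None:
        raise ValueError("indeterminate packet length not supported")
    length = int.from_bytes(packet[1:1 + length_bytes], "big")
    body = packet[1 + length_bytes:1 + length_bytes + length]
    if len(body) != length or len(body) < 21:
        raise ValueError("truncated packet")
    if body[0] != 3 or body[1] != 5:
        raise ValueError("not a version 3 signature (v3 hashes exactly 5 octets)")
    mpi_bits = int.from_bytes(body[19:21], "big")
    if len(body) != 21 + (mpi_bits + 7) // 8:
        raise ValueError("MPI length disagrees with packet length")
    return V3Signature(
        sig_type=SIG_TYPES.get(body[2], f"unknown(0x{body[2]:02x})"),
        created=int.from_bytes(body[3:7], "big"),
        key_id=body[7:15].hex().upper(),
        short_key_id=body[11:15].hex().upper(),
        pubkey_alg=PUBKEY_ALGS.get(body[15], f"unknown({body[15]})"),
        hash_alg=HASH_ALGS.get(body[16], f"unknown({body[16]})"),
        hash_prefix=body[17:19],
        mpi_bits=mpi_bits,
    )


def inspect_armored_signature(armored: str) -> tuple[V3Signature, bool]:
    packet, crc_ok = dearmor(armored)
    return parse_v3_signature(packet), crc_ok


if __name__ == "__main__":
    sig, ok = inspect_armored_signature(SAMPLE_ARMOR)
    print(f"issuer key ID {sig.key_id} (short 0x{sig.short_key_id}), "
          f"{sig.pubkey_alg}/{sig.hash_alg}, {sig.sig_type}, "
          f"created {sig.created}, armor CRC {'ok' if ok else 'MISMATCH'}")
```

The eight-byte issuer key ID in the packet ends in the four bytes the signature footer quotes as 0x3FA76F7D: the keyserver's "0x" prefix is the convention that tells it the search string is a hex key ID rather than a name or address. A short key ID is cheap to collide, so a keyserver hit only locates a candidate key; the fingerprint still has to be compared out of band before the key is believed. The CRC-24 trailer catches accidental corruption of the armor in transit and nothing more; it is not a security check, and the hash prefix is likewise only a fast-reject value, not a substitute for verifying the RSA signature against the signer's public key.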
