[ale] Commentary about PGP / GPG key generation...
Michael H. Warfield
mhw at WittsEnd.com
Wed Nov 30 10:06:09 EST 2011
On Tue, 2011-11-29 at 21:37 -0500, Jeremy T. Bouse wrote:
> Very good commentary... A few things I might add from my own experience...
> * Make sure if you have multiple UIDs for pseudonyms that at least one
> of them have the real name on the ID you intend to provide. I personally
> won't sign a key if there isn't a UID that matches the ID presented.
Funny you should mention that (and a very good point). We have one such
key on the submitted keyring already. I sent a message off to the
E-Mail address in the uids yesterday and I'm about to post a message to
the list querying as to who the real owner is. I suspect it's a "role"
key that is used for signing but is not expected to receive signatures
(but then it wouldn't actually need to be on the submitted keyring) but
we should confirm this before the keysigning.
Regards,
Mike
> * Make sure the email address you use for your UID is correct and
> doesn't block or do challenge/response. I mention this as I use an
> additional measure of sending the signed key back encrypted to the
> sender rather than uploading my signature back to the keyserver. This is
> to ensure possession of both the private key and the email address.
>
> * Be sure you've published your key to a keyserver. When I go to sign a
> key I pull it from the keyserver into a temporary keyring before
> signing. This ensures the key doesn't get into my actual public keyring
> until after it's signed and been sent to the keyserver by the keyholder.
> If a key doesn't exist on a keyserver than I don't end up pulling it
> down and my routines won't sign the key.
>
> On 11/29/2011 02:25 PM, Michael H. Warfield wrote:
> > Hello all!
> >
> > I see a number of people have generated brand new GPG keys for the up
> > and coming ALE Keysigning party. Great!
> >
> > Couple of comments (pun intended).
> >
> > * When creating your keys, you do not need to add a comment.
> >
> > * If you do add a comment, it becomes a permanent and visible part of
> > that uid, so you might want to make it meaningful in a permanent sort of
> > way.
> >
> > * If you delete a uid, you lose all the signatures on that uid.
> >
> > * Once a uid has appeared on the public keyservers, it's virtually
> > impossible to get rid of it due to the nature of the keyserver "flooding
> > algorithm" and uids as well as signatures are cumulative. Literally, if
> > you have ever sent your key to a keyserver with a uid that you later
> > delete, that deletion has no effect on the keyserver and the uid will be
> > later re-added to your local keyring if you ever receive signature
> > updates back from the keyservers (gpg --refresh or gpg --recv-keys) or
> > reimport the public key from someone who signed your key containing that
> > uid. Even if you managed to get a uid deleted from a keyserver, the
> > other keyservers would rapidly flood that uid back. Your only real
> > option is to revoke that uid and leave it in place (my old Compuserv uid
> > on my df1dd471 key is such an example).
> >
> > * If you're happy with the comment you have in your uid for your key,
> > that's cool. If you think you MIGHT want to change it, I would suggest
> > doing it well before the keysigning party. Once it's on the keyservers
> > (outside of our ring on BigLumber) it's there.
> >
> > If you decided you wish to change it, you have to edit the key like
> > this:
> >
> > gpg --edit-key {your keyid}
> >
> > It will display a list of keys and uids.
> >
> > Add a uid with "adduid" and fill in your name, E-Mail, and comment (if
> > any) just like you did when you generated the key to begin with. When
> > you accept that change, it will ask you for the password to your private
> > key.
> >
> > Now the list will show the new uid.
> >
> > To get rid of the old one, you have to select it by number like this:
> >
> > uid 1
> >
> > The list will show uid "1" with a splat (*) beside it. The deluid
> > command then deletes all the marked uids (you have to have at least one
> > left standing).
> >
> > Finally, BEFORE trying to upload the modified key to BigLumber, contact
> > me FIRST and I will delete the key and you can then re-upload it.
> >
> > Regards,
> > Mike
> >
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20111130/6dc0656e/attachment.bin
More information about the Ale
mailing list