Hi everybody,

While I was cleaning out my inbox e-mail folder, I ran across several e-mails from WLUG members which were digitally signed. I've recently upgraded to SuSE 9.0 and the 'new' version of KDE's Kmail flags these e-mails in bright yellow. Kmail is telling me that I don't have the sender's public key available, and thus it isn't sure that the mail actually came from the claimed sender.

My question is this: how do I get someone's public key?

Further, that brings up another question in this space:

1) How do I know that the public key I'm given really belongs to the person giving it? Short of receiving it in person, and assuming that the person isn't an imposter, I suppose I eventually have to limit my level of paranoia to some level of trust. :-)

Thanks,
Andy
--
Andy Stewart, Founder
Worcester Linux Users' Group
Worcester, MA USA
http://www.wlug.org
On Sun, 2003-11-23 at 14:00, Andy Stewart wrote:
HI everybody,
While I was cleaning out my inbox e-mail folder, I ran across several e-mails from WLUG members which were digitally signed. I've recently upgraded to SuSE 9.0 and the 'new' version of KDE's Kmail flags these e-mails in bright yellow. Kmail is telling me that I don't have the sender's public key available, and thus it isn't sure that the mail actually came from the claimed sender.
My question is this: how do I get someone's public key ?
There are public key servers that you can grab the keys from, assuming that the people uploaded the keys. The default config file for gnupg specifies a few commented out, so just uncomment one of them for use.
From there, you use "gpg --recv-key keyid" from the commandline to grab it.
You can also have the key e-mailed to you, find it on a website, or any of the other ways that you get any type of file from someone.
Further, that brings up another question in this space:
1) How do I know that the public key I'm given really belongs to the person giving it ? Short of receiving it in person, and assuming that the person isn't an imposter, I suppose I eventually have to limit my level of paranoia to some level of trust. :-)
There are two main methods. One is to verify the fingerprint of the key itself with the owner of the key in a situation where you know for a fact that it is the person. The other is a web of trust. Basically, you verify someone's key and specify that you trust the key. Then, any key that they have verified and signed will be available to you as signed as well. Just be sure that the person you've chosen to trust is trustworthy security-wise. If they sign a key as legit that they did not verify, then you could have a bad key. The website for gpg has more information: http://www.gnupg.org/
--
Gregory Boyce <gboyce@badbelly.com>
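The web-of-trust rule Gregory describes, including the "bad key" case where a fully trusted signer certifies a key they never checked, worked through as an added example. This is not code from the thread or from GnuPG; it is a simplified model of the validity calculation. The levels (ultimate, full, marginal, unknown) and the defaults it uses (one fully trusted signature or three marginal ones, up to a certification depth of 5) follow GnuPG's documented defaults, but treating the model as exactly what GnuPG computes is an assumption, and the keyring in wlug_scenario() is constructed, with the list members' names used only as placeholders.

```python
# Added example (not from this thread, not GnuPG code): a simplified model of
# the web-of-trust validity calculation. Assumption: GnuPG's default thresholds
# (completes-needed=1, marginals-needed=3, max-cert-depth=5).

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


class Keyring:
    def __init__(self):
        self.ownertrust = {}   # key name -> how far you trust its owner to check others
        self.certs = set()     # (signer, signee): signer has signed signee's key

    def add_key(self, name, trust=UNKNOWN):
        self.ownertrust[name] = trust

    def sign(self, signer, signee):
        # A signature only means "signer asserts this key belongs to signee".
        self.certs.add((signer, signee))

    def valid_keys(self, completes_needed=1, marginals_needed=3, max_cert_depth=5):
        # Depth 0: your own (ultimately trusted) keys are valid by definition.
        valid = {k for k, t in self.ownertrust.items() if t == ULTIMATE}
        for _ in range(max_cert_depth):
            newly_valid = set()
            for key in self.ownertrust:
                if key in valid:
                    continue
                # Only signatures from keys that are already valid count, and what
                # each one is worth depends on the ownertrust you gave the signer.
                signers = [s for s, k in self.certs if k == key and s in valid]
                full = sum(1 for s in signers if self.ownertrust[s] in (FULL, ULTIMATE))
                marginal = sum(1 for s in signers if self.ownertrust[s] == MARGINAL)
                if full >= completes_needed or marginal >= marginals_needed:
                    newly_valid.add(key)
            if not newly_valid:
                break
            valid |= newly_valid
        return valid


def wlug_scenario():
    """Constructed keyring seen from Andy's side; names are placeholders."""
    kr = Keyring()
    kr.add_key("andy", ULTIMATE)       # Andy's own key
    kr.add_key("gregory", FULL)        # Andy fully trusts how Gregory checks keys
    for name in ("mike", "theo", "brad"):
        kr.add_key(name, MARGINAL)     # trusted somewhat, not enough alone
    for name in ("mlong", "twosigs", "imposter", "stranger"):
        kr.add_key(name)               # no ownertrust assigned
    # Keys Andy signed himself after checking fingerprints in person:
    for name in ("gregory", "mike", "theo", "brad"):
        kr.sign("andy", name)
    # Three marginally trusted signers together make mlong's key valid...
    for signer in ("mike", "theo", "brad"):
        kr.sign(signer, "mlong")
    # ...but two are not enough.
    kr.sign("mike", "twosigs")
    kr.sign("theo", "twosigs")
    # Gregory signed a key he did not verify. Because Andy trusts him fully,
    # the imposter's key now shows as valid: the "bad key" case from the post.
    kr.sign("gregory", "imposter")
    # mlong's key is valid, but carries no ownertrust, so its signatures count
    # for nothing: validity and trust are separate decisions.
    kr.sign("mlong", "stranger")
    return kr.valid_keys()


if __name__ == "__main__":
    print(sorted(wlug_scenario()))
```

The point of the two last cases: a key being valid (you believe it belongs to its owner) says nothing about whether that owner checks the keys they sign, which is why the ownertrust you assign, not the signature alone, decides what a signer's certifications are worth.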
I smell a topic for a WLUG meeting... :)
My question is this: how do I get someone's public key ?
There are public key servers that you can grab the keys from, assuming that the people uploaded the keys. The default config file for gnupg specifies a few commented out, so just uncomment one of them for use.
From there, you use "gpg --recv-key keyid" from the commandline to grab it.
You can also have the key e-mailed to you, find it on a website, or any of the other ways that you get any type of file from someone.
On Monday 24 November 2003 8:43 am, mlong@datalong.com wrote:
I smell a topic for a WLUG meeting... :)
This is clearly not a topic on which I can speak. I'm soliciting volunteers who might like to address WLUG on this topic. Any takers for the January meeting? Later, Andy -- Andy Stewart, Founder Worcester Linux Users' Group Worcester, MA USA http://www.wlug.org
On Mon, Nov 24, 2003 at 09:32:38AM -0500, Andy Stewart wrote:
This is clearly not a topic on which I can speak. I'm soliciting volunteers who might like to address WLUG on this topic. Any takers for the January meeting?
My knowledge isn't such that I can speak about it at length either, but I have held some key signing "parties" (namely the 2 at LISA 2003) and wouldn't mind organizing one for a WLUG meeting. :) -- Randomly Generated Tagline: "My stereo's half fixed," said Tom monotonously.
On Sunday 23 November 2003 14:00, Andy Stewart wrote:
While I was cleaning out my inbox e-mail folder, I ran across several e-mails from WLUG members which were digitally signed. I've recently upgraded to SuSE 9.0 and the 'new' version of KDE's Kmail flags these e-mails in bright yellow. Kmail is telling me that I don't have the sender's public key available, and thus it isn't sure that the mail actually came from the claimed sender.
You're probably using one of the latest versions of kmail, so pgp integration is a breeze (I think this started around 3.1 with the inclusion of the Ägypten Project):
http://kmail.kde.org/
http://www.gnupg.org/aegypten/
A pretty good HOWTO that is generic to any distro: http://kmail.kde.org/kmail-pgpmime-howto.html
For you Gentoo wh0res: http://www.gentoo.org/doc/en/gnupg-user.xml
My question is this: how do I get someone's public key ?
With kmail/gnupg it *can* be automagic ... otherwise you could just use the web interfaces keyservers (like the MIT one) provide, or the cmdline interface gnupg provides (it's harsh :D). Here's some nice options I use in my ~/.gnupg/gpg.conf file:
keyserver x-hkp://pgp.mit.edu
keyserver-options auto-key-retrieve
keyserver-options verbose
keyserver-options verbose
keyserver-options verbose
1) How do I know that the public key I'm given really belongs to the person giving it ? Short of receiving it in person, and assuming that the person isn't an imposter, I suppose I eventually have to limit my level of paranoia to some level of trust. :-)
You hit it exactly ... there is NO way of knowing for sure unless you meet the person in real life and swap each other's keys right then and there (it's actually what a lot of developers do when they meet at places like Linuxworld ... it sets up the basic web of trust pgp is built on) ... but then again we don't all need that level of paranoia when talking with other random wlug users, do we? ;)
-mike
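What "swapping keys" at a meeting actually comes down to is comparing the full fingerprint of the key you fetched with the one the owner hands you. Below, as an added example that is not part of this thread and not GnuPG's own code, is a small parser for the machine-readable listing that `gpg --with-colons --fingerprint` prints (the record layout, with the key ID in field 5 and the fingerprint or user ID in field 10, is GnuPG's documented colon format), plus the comparison against an out-of-band fingerprint. The listing itself is constructed for the example: both keys, their fingerprints and the second, imposter key carrying the same name and e-mail address are made up. The imposter also shares the real key's 8-digit short key ID, which is why the check is done on the 40-digit fingerprint and not on the key ID passed to `gpg --recv-key`. The same caveat applies to `keyserver-options auto-key-retrieve` from the gpg.conf above: a key fetched automatically for a signature check is just whatever the keyserver had for that key ID, and its fingerprint still has to be verified.

```python
# Added example (not from this thread, not GnuPG code): parse gpg's colon-format
# key listing and compare a key's full fingerprint with one obtained out of band.
# SAMPLE_LISTING is constructed for this example; keys and fingerprints are made up.

SAMPLE_LISTING = """\
pub:-:1024:17:89ABCDEF01234567:1069545600:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1069545600::0000000000000000000000000000000000000000::Gregory Boyce <gboyce@badbelly.com>:
sub:-:1024:16:0123456789ABCDEF:1069545600::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:-:1024:17:DEADBEEF01234567:1069632000:::-:::scESC:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEF01234567:
uid:-::::1069632000::1111111111111111111111111111111111111111::Gregory Boyce <gboyce@badbelly.com>:
"""

HEX = set("0123456789ABCDEF")


def parse_colon_listing(text):
    """Return [{'keyid', 'fingerprint', 'uids'}] for each primary key in the listing."""
    keys, current, last_record = [], None, None
    for line in text.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            current = {"keyid": fields[4], "fingerprint": None, "uids": []}
            keys.append(current)
        elif record == "fpr" and current is not None:
            # The fpr record following 'pub' is the primary key's fingerprint;
            # the ones following 'sub' belong to subkeys and are skipped here.
            if last_record == "pub":
                current["fingerprint"] = fields[9]
        elif record == "uid" and current is not None:
            current["uids"].append(fields[9])
        last_record = record
    return keys


def normalize_fingerprint(text):
    """Accept the way people write fingerprints (groups of 4, 0x prefix, lowercase)."""
    text = text.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    fp = "".join(text.split()).upper()
    # v4 OpenPGP keys have 160-bit (40 hex digit) fingerprints; older v3 keys
    # use 32-digit MD5 fingerprints and are deliberately rejected here.
    if len(fp) != 40 or not set(fp) <= HEX:
        raise ValueError("not a 40-digit hex fingerprint: %r" % text)
    return fp


def keys_with_short_id(listing, short_id):
    """All keys whose 32-bit key ID (last 8 hex digits) matches; shows why it is ambiguous."""
    short_id = short_id.upper()
    return [k for k in parse_colon_listing(listing) if k["keyid"][-8:] == short_id]


def find_key_by_fingerprint(listing, out_of_band_fingerprint):
    """The key whose full fingerprint equals the one the owner gave you, or None."""
    wanted = normalize_fingerprint(out_of_band_fingerprint)
    for key in parse_colon_listing(listing):
        if key["fingerprint"] == wanted:
            return key
    return None


if __name__ == "__main__":
    print([k["keyid"] for k in keys_with_short_id(SAMPLE_LISTING, "01234567")])
    print(find_key_by_fingerprint(SAMPLE_LISTING,
                                  "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"))
```

Two keys match the short ID, and only the fingerprint tells them apart, so the name on the key is what you confirm after matching the fingerprint, not before. Fetching by the full fingerprint (`gpg --recv-keys <fingerprint>`) instead of by short ID avoids pulling down the wrong key in the first place.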
On Monday 24 November 2003 10:12, Mike Frysinger wrote:
My question is this: how do I get someone's public key ?
With kmail/gnupg it *can* be automagic ... otherwise you could just use the web interfaces keyservers (like the MIT one) provide, or the cmdline interface gnupg provides (it's harsh :D). Here's some nice options I use in my ~/.gnupg/gpg.conf file:
keyserver x-hkp://pgp.mit.edu
keyserver-options auto-key-retrieve
keyserver-options verbose
keyserver-options verbose
keyserver-options verbose
There is a KDE front end, kgpg, which is a separate app, but will be part of the kdenetwork module in the KDE 3.2 release, sometime in February. It handles importing keys from a key server as well as other gpg functions through a GUI. http://devel-home.kde.org/~kgpg/
--brad
participants (6)
- Andy Stewart
- brad noyes
- Gregory Boyce
- Mike Frysinger
- mlong@datalong.com
- Theo Van Dinter