Anthony Ventimiglia anthony@ventimiglia.org writes:
> Sounds great, how will we handle signing of those of us that are already members ?
So far I have just asked that you upload your keys to your home directories. Once most/all have done that (only 25% or so have done this so far) I will send an encrypted/signed mail to your email account and expect you to decrypt and send it back to me. Not perfect but I can't think of a better way now that we are in this situation.
Erik.
Erik Enge eenge@prium.net writes:
> Anthony Ventimiglia anthony@ventimiglia.org writes:
>> Sounds great, how will we handle signing of those of us that are already members ?
> So far I have just asked that you upload your keys to your home directories. Once most/all have done that (only 25% or so have done this so far) I will send an encrypted/signed mail to your email account and expect you to decrypt and send it back to me. Not perfect but I can't think of a better way now that we are in this situation.
I think we should point people to a place where they get information on exactly what they should do. As an example of someone quite ignorant of this, I propose myself :) I don't even know what I could ask google. What kind of keys are these, how do I get them, etc?
I volunteer for writing such a page using the pointers you give me and the discussion that will probably follow.
Regards,
Mario.
Mario Mommer mommer@igpm.rwth-aachen.de writes:
> I think we should point people to a place where they get information on exactly what they should do. As an example of someone quite ignorant of this, I propose myself :) I don't even know what I could ask google. What kind of keys are these, how do I get them, etc?
grab Gnu Privacy Guard from www.gnupg.org, download and build it.
Then you need to create a key. Since this isn't an intro to gpg I'll just tell you what to do and not what you could do or what all the options mean.
This command:
$ gpg --gen-key
will create a public/private key pair and add it to your keyring.
1) You'll want to create a DSA/Elgamal key which pair can be used for both signing and encrypting.
2) The key size should be at least 1024, I tend to use 2048 but that's just because I have an inferiority complex :).
3) Then you'll need to say when the key expires. I'd suggest to have it expire in the not too distant future, a year or two. Expired keys are still good for verifying signatures, and you'll use an expired key to sign your new key so changing keys isn't a big deal.
4) You'll need to specify the user id. The user id can not change (it is in fact encoded in the key) and should represent who (and in what role) uses this key. As an example I have two keys, one is for me personally and has my name and my regular email address, another was created for the purpose of being a common-lisp.net developer, and has my name but uses the mbaringer@common-lisp.net email address.
5) Now pick a pass phrase. This is the only real protection saving your private key once someone gets their hands on it. If someone gets your secret key and knows your pass phrase they can sign and encrypt as if they were you. Choose something long (hard to brute force) with lower case letters, upper case letters, some numbers and punctuation chars.
6) Now gpg will go around and collect entropy, when it's done you'll have in your key ring (located in ~/.gnupg) a freshly created, completely trusted, key.
7) Export an ascii-armored copy of your public key with the command "gpg --armor --export <KEYID>" (you can get the KEYID from the listing of the keys in your key ring (either use the hexadecimal id or an email address if it's unique in your keyring)). Redirect the output of that command to a file and copy that file to your home directory on common-lisp.net.
8) Now go have a look at the docs at gnupg.org for some good manuals, howtos, tutorials, etc.
hope this helps.
> 4) You'll need to specify the user id. The user id can not change (it is in fact encoded in the key) and should represent who (and in what role) uses this key. As an example I have two keys, one is for me personally and has my name and my regular email address, another was created for the purpose of being a common-lisp.net developer, and has my name but uses the mbaringer@common-lisp.net email address.
That's not right, You can associate multiple ID's with a single key, there is no need to generate separate keys for different email addresses.
ant@afghan cl-bayes $ gpg --list-keys
/home/ant/.gnupg/pubring.gpg
----------------------------
pub  1024R/F302CA08 2003-05-28 Anthony Ventimglia <aventimiglia@common-lisp.net>
uid                            Anthony Ventimiglia (Secondary Address) <aventi@optonline.net>
uid                            Anthony Ventimiglia (New GPG Key) <anthony@ventimilgia.org>
Once you create a key, you can edit that key and add as many UID's as you like.
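The following script is an added example and is not code from this thread or from common-lisp.net. It runs Marco's gpg --gen-key walk-through unattended (including the pass phrase of step 5 and the armored export of step 7), then adds a second user id to the same key as Anthony describes, and finally performs the check Erik proposes: the admin imports the uploaded public key, encrypts a random token to it, and the member proves possession of the private key by decrypting it. It assumes GnuPG 2.2 or newer on PATH; every name, address, passphrase and directory in it is a constructed placeholder.

```shell
# Added example, not code from this thread or from common-lisp.net.
# Assumes GnuPG 2.2+ on PATH; all names, addresses, passphrases and
# directories below are constructed placeholders.
set -eu

# Create a key pair in its own keyring directory and print its fingerprint.
# ed25519/cv25519 replaces the thread's DSA/Elgamal only because it generates
# in well under a second; use Key-Type: DSA / Subkey-Type: ELG-E to follow
# the original advice.  The Passphrase line is step 5 of the walk-through.
make_key() {            # make_key HOMEDIR NAME EMAIL COMMENT PASSPHRASE
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Name-Comment: $4
Expire-Date: 1y
Passphrase: $5
%commit
EOF
    # --with-colons is the stable machine-readable listing: the first "fpr"
    # record belongs to the primary key and field 10 is its fingerprint.
    gpg --homedir "$1" --with-colons --list-keys "$3" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Attach another user id to an existing key.  The new uid gets a
# self-signature from the private key, which is why the passphrase is needed.
add_uid() {             # add_uid HOMEDIR FPR "Name (Comment) <email>" PASSPHRASE
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase "$4" \
        --quick-add-uid "$2" "$3"
}

count_uids() {          # count_uids HOMEDIR FPR  -> number of uid records
    gpg --homedir "$1" --with-colons --list-keys "$2" | grep -c '^uid:'
}

export_public() {       # export_public HOMEDIR FPR -> ASCII-armored public key
    gpg --homedir "$1" --armor --export "$2"
}

# Erik's ownership check.  The imported key is deliberately still untrusted
# (that is what the challenge establishes), so --trust-model always is needed
# to encrypt to it in batch mode.  Prints the token the member decrypted and
# fails if it does not match what was sent.
challenge_roundtrip() { # challenge_roundtrip ADMIN_HOME MEMBER_HOME PUBKEY_FILE MEMBER_FPR MEMBER_PASSPHRASE
    admin="$1"; member="$2"; pubfile="$3"; fpr="$4"; pass="$5"
    mkdir -p "$admin" && chmod 700 "$admin"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    gpg --homedir "$admin" --batch --quiet --import "$pubfile"
    printf '%s' "$token" | gpg --homedir "$admin" --batch --quiet --trust-model always \
        --armor --encrypt --recipient "$fpr" > "$admin/challenge.asc"
    # Member side: decrypt with the private key and send the token back.
    reply=$(gpg --homedir "$member" --batch --quiet --pinentry-mode loopback \
        --passphrase "$pass" --decrypt "$admin/challenge.asc")
    [ "$reply" = "$token" ] && echo "$reply"
}

demo() {
    work=$(mktemp -d); m="$work/member"; a="$work/admin"; pass="constructed-demo-passphrase"
    fpr=$(make_key "$m" "Example Developer" "dev@example.invalid" "common-lisp.net developer" "$pass")
    add_uid "$m" "$fpr" "Example Developer (Secondary Address) <dev@home.invalid>" "$pass"
    echo "key $fpr now carries $(count_uids "$m" "$fpr") user ids"
    # dev.asc is the file the walk-through says to copy to ~ on common-lisp.net.
    export_public "$m" "$fpr" > "$work/dev.asc"
    challenge_roundtrip "$a" "$m" "$work/dev.asc" "$fpr" "$pass" > /dev/null &&
        echo "challenge answered: member holds the private key for $fpr"
    rm -rf "$work"
}

if command -v gpg > /dev/null 2>&1; then demo; else echo "gpg not found on PATH" >&2; fi
```

Passing --passphrase on the command line is acceptable only for the scratch keyrings this script creates; for a real key, let gpg prompt as the walk-through does. To also sign the challenge as Erik's mail describes, add --sign --local-user with the admin's fingerprint to the encrypt step and import the admin's public key into the member's ring so the decrypt step can verify it.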
Anthony Ventimiglia anthony@ventimiglia.org writes:
>> 4) You'll need to specify the user id. The user id can not change (it is in fact encoded in the key) and should represent who (and in what role) uses this key. As an example I have two keys, one is for me personally and has my name and my regular email address, another was created for the purpose of being a common-lisp.net developer, and has my name but uses the mbaringer@common-lisp.net email address.
> That's not right, You can associate multiple ID's with a single key, there is no need to generate separate keys for different email addresses.
That's not quite what I meant. What I believe is that you should have one key for each "role" you act, work, personal/family, open source developer, porn star, etc.
If stuff is signed with my work key that means one thing (mainly that I take "business" responsibility for what I'm saying), while stuff I'll sign with the mbaringer@common-lisp.net key is going to be for a very different public. But hey, that's just the way I see it.
Marco Baringer writes:
> Anthony Ventimiglia anthony@ventimiglia.org writes:
>>> 4) You'll need to specify the user id. The user id can not change (it is in fact encoded in the key) and should represent who (and in what role) uses this key. As an example I have two keys, one is for me personally and has my name and my regular email address, another was created for the purpose of being a common-lisp.net developer, and has my name but uses the mbaringer@common-lisp.net email address.
>> That's not right, You can associate multiple ID's with a single key, there is no need to generate separate keys for different email addresses.
> That's not quite what I meant. What I believe is that you should have one key for each "role" you act, work, personal/family, open source developer, porn star, etc.
> If stuff is signed with my work key that means one thing (mainly that I take "business" responsibility for what I'm saying), while stuff I'll sign with the mbaringer@common-lisp.net key is going to be for a very different public. But hey, that's just the way I see it.
Well the way you worded it made it seem like the UID could not change. If we're planning on writing a text for folks who don't really know gpg/pgp, we have to keep that in mind.
I understand your point, but I don't agree with it. If I trust you personally, I should trust you in your role at work, porn or whatever. Having multiple keys to me seems like it would lead to a hassle in key management, and ultimately take away from the whole idea of the "Web of trust" we are aiming for. In practice, I don't think many people do it that way.
Take Debian's model for example, in order to get onto the Debian Keyring, you need to physically meet with another Debian developer, show some form of ID and exchange public keys (this may not be the only way, I've been out of the Debian loop for a while). Now let's say the two of us meet, prove our identities to each other and exchange public keys for our common-lisp.net addresses. Now if we both have one key, I can be confident of who you are no matter what role you sign something in, be it work, personal or porn star fluffer.
Anthony Ventimiglia anthony@ventimiglia.org writes:
> Well the way you worded it made it seem like the UID could not change. If we're planning on writing a text for folks who don't really know gpg/pgp, we have to keep that in mind.
It was worded poorly (it was actually wrong) and thank you for clarifying it.
4) You'll need to specify the user id. The user id should represent who uses this key. You'll need to provide a name, an email address and a comment. You can later add other user ids if need be.
However, I don't really want that text to be an introduction to gpg, all I was hoping to accomplish was to give enough info so that common-lisp.net developers could get a public key and know, a bit, about what they were doing instead of just providing a list of commands to run. I don't really think that is a worthy goal, gpg has excellent documentation in multiple languages and we should just point to that.
As far as generating keys, here's the relevant section of the GNU Privacy Handbook:
http://www.gnupg.org/gph/en/manual.html#AEN26