[cs615asa] pgp extra credit

Jan Schaumann jschauma at cs.stevens.edu
Sun May 1 17:02:41 EDT 2011 

Hello,

I have just sent out the grades for the pgp extra credit assignment.  If
you had submitted something but did not receive a grade, please contact
me asap.

It seems to me that the majority of you have not fully understood the
concept of signing somebody else's key and the steps involved in
verifying that the key actually belongs to that person.  What you need
to do in order to verify that a key belongs to somebody else is:

- have proof that the person in question is who they say they are
- have proof that they are in control of the private key matching the
  public key
- have proof that they are in control of the email address associated
  with the key in question
- have proof that the public key you have is identical to the public key
  that matches their private key

The first step usually requires some sort of ID cards and thus in most
cases a face-to-face meeting.  Emailing somebody and asking them to
"verify" that whatever fingerprint you have is theirs is entirely
meaningless, as you have no assurance that whoever happens to respond to
your mail is the person you think you're communicating with (remember
our class on SMTP for details on why you have no such assurance
whatsoever).

The second step requires you to encrypt some content with the public key
and require the person to decrypt it.

The third step requires you to send mail to the address in question and
get an appropriate response.  Due to the "no assurance whatsoever" issue
noted above, this is normally combined with the second step (which then
yields assurance).

The fourth step requires the other party to provide to you the
fingerprint (after or together with proof of identity).

Finally, your signature on somebody else's key is only visible on the
now modified key in your keyring.  If you wish to have anybody else take
advantage of (or even merely see) your signature, you need to upload the
modified key to a keyserver (or, more commonly, return the signed key to
the other party who may then choose to publish it).

Anyway, I hope you learned at least some of the basics and will continue
to use PGP.

-Jan

More information about the cs615asa mailing list