On Wed, May 09, 2007 at 12:41:48PM -0700, Harold wrote:
> I have been following the discussion about PGP and encryption. For me
> the discussion raises almost as many questions as it supplies answers.
> Someone suggested that you might pull the information together for a FAQ
> posting. I would like to second the notion.
>
>
> I would like to suggest that you might start with why would the average
> user care about encrypting an e-mail message, and in particular a
> message that will be posted on a publicly available bulletin board. How
> big a problem are we dealing with here?

I trimmed out a large part because it's just too much to quote...

First, there are various ways to use cryptography, only one of which is
actual encryption. The main usage that came up here is signing, which is
verifying that a message came, unaltered, from a particular source. More
on signing later...

The big issue you raise is how to distribute keys, how to deal with
expired keys, etc. This whole realm is known as key management, and it's
arguably the hardest part to get right, and difficult to make it
convenient.

There are basically two ways in popular use for the internet at large
(as opposed to internal company stuff). First are the major key servers
like pgp.mit.edu. I make a key and associate it with an email address,
and upload it to the keyserver. Note that there's no assurance that I'm
who I say I am. Second, some people meet in person and exchange and sign
each other's keys.

The preferred method depends on your needs, and your paranoia. I have
put my key on a keyserver, and I mentioned to someone the other night
that the key there matching this email address was really me. That's
more than good enough for most people for most uses. Now if he downloads
my key, signs it, and uploads the result back to the keyserver I will
have someone vouching for me. If several notables in PLUG have signed my
key then you can probably trust that I am me (if you trust their keys).
This is called a web of trust, and is meant to be a decentralized and
open way, as opposed to getting a certificate authority to give you a
signed key.

As for why the common person needs to bother... most people don't, most
of the time. Recently I emailed a username/password to someone,
encrypted of course. Any other means would have been dreadfully
inconvenient. It's good to sign official announcements. There are lots
of uses. Some people sign all their email. It seems a bit excessive, but
there's no harm in it.

The part where you were talking about keys expiring every few minutes...
well, in PGP/GPG it's not an encrypted link and it doesn't quite work
like that. However, public-key methods are still much slower than
symmetric encryption. So usually a symmetric "session" key is generated
and encrypted with public-key, and then the session key is used to
encrypt the actual data. If you were using a link/tunnel to stream data,
you could do the same, and renegotiate symmetric session keys
periodically using public-key encryption.

Ok, I'm past the point where I should have just written this up... In my
copious free time I'll detail some steps for using gpg to generate,
upload, sign, etc. Others here use Enigmail, so I'll leave that to
them...

-- 
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
dwchandler@stilyagin.com   |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
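
The session-key arrangement described in the message above is visible in the layout of an encrypted OpenPGP message: a small packet carrying the session key wrapped for the recipient's public key, followed by the bulk data encrypted under that session key. The following is an added example, not part of the original post; the names `parse_packets`, `describe` and `SAMPLE` are made up for illustration, the header and packet layouts follow RFC 4880, and the sample bytes are constructed.

```python
TAGS = {9: "symmetrically encrypted data",          # packet tags, RFC 4880 (subset)
        18: "symmetrically encrypted, integrity-protected data"}
PK_ALGOS = {1: "RSA", 16: "Elgamal", 18: "ECDH"}    # public-key algorithm IDs

def parse_packets(data):
    """Split a binary OpenPGP message into (tag, body) pairs."""
    packets, i = [], 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("no packet header at offset %d" % i)
        i += 1
        if first & 0x40:                          # new-format header
            tag, o1 = first & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:                                     # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        if i + length > len(data):
            raise ValueError("truncated packet")
        packets.append((tag, data[i:i + length]))
        i += length
    return packets

def describe(data):
    """Report who the session key is wrapped for and how much bulk data follows."""
    out = []
    for tag, body in parse_packets(data):
        if tag == 1:    # body: version, 8-byte key ID, algorithm ID, wrapped session key
            algo = PK_ALGOS.get(body[9], "algorithm %d" % body[9])
            out.append("session key wrapped with %s for key %s" % (algo, body[1:9].hex().upper()))
        else:
            out.append("%s, %d bytes" % (TAGS.get(tag, "tag %d" % tag), len(body)))
    return out

# Constructed sample, not a real message: dummy bytes stand in for ciphertext.
pkesk = bytes([3]) + bytes.fromhex("0123456789ABCDEF") + bytes([1]) + b"\x00\x10\xAA\xBB"
seipd = bytes([1]) + b"\x5A" * 300
SAMPLE = bytes([0x84, len(pkesk)]) + pkesk + bytes([0xD2, 192, 109]) + seipd
```

For a real message, `gpg --list-packets` prints the same two-part structure.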