Digital Signing (Beat The Dead Horse) was Re: Free Software for m$

Randy Kaelber plug-discuss@lists.plug.phoenix.az.us
Wed, 25 Sep 2002 10:51:52 -0700


William Lindley wrote:
> 
> OK, I get a message.  It's signed.  How do I verify the authenticity of
> the signature?  Against what database?  If User X writes a message, sends
> it ostensibly from Derek, and signs it with a bogus key, how do I know
> that, unless I already have Derek's key... and in fact some huge database
> of keys somewhere... it sounds like a data management nightmare, how is
> everyone supposed to keep track of everyone else's keys???
> 
> Still not getting it,
> 

That's actually the largest challenge in crypto applications: key
management.  The theory for public key cryptography is thus:  You
generate a key pair, one is a public key, which you share far and wide
(put on keyservers, put up on your web page, whatever it takes), the
other one you keep to yourself.  But,  what keeps someone from
generating a key pair using my name?  Nothing at all.  That's where key
signing comes in, which begins the web of trust.  You generate a key
pair, send the the public key to a friend who knows you, and you get
together, call him up on the phone, or whatever you feel you need to do
to verify to him that the key is really yours.  He signs it with his
key, which is a way of saying "Yeah, I know that this 
key really belongs to this person."

Lather, rinse, repeat.  This is why key signing parties are good (bring
along a photo ID!).  Everyone there can sign everyone's keys, and when
you're done, you have more people vouching for your key.  

You can assign trust levels to signers: "I know Alice, and she's a GPG
Nazi and won't sign a key for someone until she gets photo ID and pulls
a TRW file on them to verify data. If she signs a key, I *know* it's
authentic.  That Bob guy?  He's kinda flaky.  I don't think he does a
good job of checking someone's bona fides.  Take his signature with a
grain of salt."

There are key servers on the net which you can use to get just about
anyone's public key (if they've published them).  Whenever you get a new
signature on yours, you should put the new key up there (if the person
who signed it hasn't beaten you to it).  The more signatures, the
better. 

-- 
Randy Kaelber                                       
Randy.Kaelber@asu.edu
Software Engineer  
Mars Space Flight Facility, Department of Geological Sciences
Arizona State University, Tempe, Arizona, USA