gnupg_manual.html - webdump_tests - Testfiles for webdump
(HTM) git clone git://git.codemadness.org/webdump_tests
(DIR) Log
(DIR) Files
(DIR) Refs
(DIR) README
---
gnupg_manual.html (113892B)
---
1 <HTML
2 ><HEAD
3 ><TITLE
4 >The GNU Privacy Handbook</TITLE
5 ><META
6 NAME="GENERATOR"
7 CONTENT="Modular DocBook HTML Stylesheet Version 1.54"></HEAD
8 ><BODY
9 CLASS="BOOK"
10 BGCOLOR="#FFFFFF"
11 TEXT="#000000"
12 LINK="#0000FF"
13 VLINK="#840084"
14 ALINK="#0000FF"
15 ><DIV
16 CLASS="BOOK"
17 ><A
18 NAME="AEN1"
19 ></A
20 ><DIV
21 CLASS="TITLEPAGE"
22 ><H1
23 CLASS="TITLE"
24 ><A
25 NAME="AEN2"
26 >The GNU Privacy Handbook</A
27 ></H1
28 ><P
29 CLASS="COPYRIGHT"
30 >Copyright © 1999 by <SPAN
31 CLASS="HOLDER"
32 >The Free Software Foundation</SPAN
33 ></P
34 ><DIV
35 ><DIV
36 CLASS="ABSTRACT"
37 ><P
38 ></P
39 ><P
40 >Permission is granted to copy, distribute and/or modify this document
41 under the terms of the GNU Free Documentation License, Version 1.1
42 or any later version published by the Free Software Foundation;
43 with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
44 A copy of the license is included in the section entitled "GNU
45 Free Documentation License".</P
46 ><P
47 >Please direct questions, bug reports, or suggestions concerning
48 this manual to the maintainer, Mike Ashley (<TT
49 CLASS="EMAIL"
50 ><<A
51 HREF="mailto:jashley@acm.org"
52 >jashley@acm.org</A
53 >></TT
54 >).
55 When referring to the manual please specify which version of the manual
56 you have by using this version string: <TT
57 CLASS="LITERAL"
58 >$Name: v1_1 $</TT
59 >.</P
60 ><P
61 >Contributors to this manual include Matthew Copeland, Joergen Grahn,
62 and David A. Wheeler.
63 J Horacio MG has translated the manual to Spanish.</P
64 ><P
65 ></P
66 ></DIV
67 ></DIV
68 ><HR></DIV
69 ><DIV
70 CLASS="TOC"
71 ><DL
72 ><DT
73 ><B
74 >Table of Contents</B
75 ></DT
76 ><DT
77 >1. <A
78 HREF="#INTRO"
79 >Getting Started</A
80 ></DT
81 ><DD
82 ><DL
83 ><DT
84 ><A
85 HREF="#AEN26"
86 >Generating a new keypair</A
87 ></DT
88 ><DD
89 ><DL
90 ><DT
91 ><A
92 HREF="#REVOCATION"
93 >Generating a revocation certificate</A
94 ></DT
95 ></DL
96 ></DD
97 ><DT
98 ><A
99 HREF="#AEN57"
100 >Exchanging keys</A
101 ></DT
102 ><DD
103 ><DL
104 ><DT
105 ><A
106 HREF="#AEN65"
107 >Exporting a public key</A
108 ></DT
109 ><DT
110 ><A
111 HREF="#AEN84"
112 >Importing a public key</A
113 ></DT
114 ></DL
115 ></DD
116 ><DT
117 ><A
118 HREF="#AEN111"
119 >Encrypting and decrypting documents</A
120 ></DT
121 ><DT
122 ><A
123 HREF="#AEN136"
124 >Making and verifying signatures</A
125 ></DT
126 ><DD
127 ><DL
128 ><DT
129 ><A
130 HREF="#AEN153"
131 >Clearsigned documents</A
132 ></DT
133 ><DT
134 ><A
135 HREF="#AEN161"
136 >Detached signatures</A
137 ></DT
138 ></DL
139 ></DD
140 ></DL
141 ></DD
142 ><DT
143 >2. <A
144 HREF="#CONCEPTS"
145 >Concepts</A
146 ></DT
147 ><DD
148 ><DL
149 ><DT
150 ><A
151 HREF="#AEN185"
152 >Symmetric ciphers</A
153 ></DT
154 ><DT
155 ><A
156 HREF="#AEN196"
157 >Public-key ciphers</A
158 ></DT
159 ><DT
160 ><A
161 HREF="#AEN210"
162 >Hybrid ciphers</A
163 ></DT
164 ><DT
165 ><A
166 HREF="#AEN216"
167 >Digital signatures</A
168 ></DT
169 ></DL
170 ></DD
171 ><DT
172 >3. <A
173 HREF="#MANAGEMENT"
174 >Key Management</A
175 ></DT
176 ><DD
177 ><DL
178 ><DT
179 ><A
180 HREF="#AEN244"
181 >Managing your own keypair</A
182 ></DT
183 ><DD
184 ><DL
185 ><DT
186 ><A
187 HREF="#AEN267"
188 >Key integrity</A
189 ></DT
190 ><DT
191 ><A
192 HREF="#AEN282"
193 >Adding and deleting key components</A
194 ></DT
195 ><DT
196 ><A
197 HREF="#AEN305"
198 >Revoking key components</A
199 ></DT
200 ><DT
201 ><A
202 HREF="#AEN329"
203 >Updating a key's expiration time</A
204 ></DT
205 ></DL
206 ></DD
207 ><DT
208 ><A
209 HREF="#AEN335"
210 >Validating other keys on your public keyring</A
211 ></DT
212 ><DD
213 ><DL
214 ><DT
215 ><A
216 HREF="#AEN346"
217 >Trust in a key's owner</A
218 ></DT
219 ><DT
220 ><A
221 HREF="#AEN385"
222 >Using trust to validate keys</A
223 ></DT
224 ></DL
225 ></DD
226 ><DT
227 ><A
228 HREF="#AEN464"
229 >Distributing keys</A
230 ></DT
231 ></DL
232 ></DD
233 ><DT
234 >4. <A
235 HREF="#WISE"
236 >Daily use of GnuPG</A
237 ></DT
238 ><DD
239 ><DL
240 ><DT
241 ><A
242 HREF="#AEN494"
243 >Defining your security needs</A
244 ></DT
245 ><DD
246 ><DL
247 ><DT
248 ><A
249 HREF="#AEN508"
250 >Choosing a key size</A
251 ></DT
252 ><DT
253 ><A
254 HREF="#AEN513"
255 >Protecting your private key</A
256 ></DT
257 ><DT
258 ><A
259 HREF="#AEN526"
260 >Selecting expiration dates and using subkeys</A
261 ></DT
262 ><DT
263 ><A
264 HREF="#AEN533"
265 >Managing your web of trust</A
266 ></DT
267 ></DL
268 ></DD
269 ><DT
270 ><A
271 HREF="#AEN554"
272 >Building your web of trust</A
273 ></DT
274 ><DT
275 ><A
276 HREF="#AEN564"
277 >Using GnuPG legally</A
278 ></DT
279 ></DL
280 ></DD
281 ><DT
282 >5. <A
283 HREF="#MODULES"
284 >Topics</A
285 ></DT
286 ><DD
287 ><DL
288 ><DT
289 ><A
290 HREF="#AEN574"
291 >Writing user interfaces</A
292 ></DT
293 ></DL
294 ></DD
295 ><DT
296 >A. <A
297 HREF="#GFDL"
298 >GNU Free Documentation License</A
299 ></DT
300 ><DD
301 ><DL
302 ><DT
303 >0. <A
304 HREF="#AEN604"
305 >PREAMBLE</A
306 ></DT
307 ><DT
308 >1. <A
309 HREF="#AEN609"
310 >APPLICABILITY AND DEFINITIONS</A
311 ></DT
312 ><DT
313 >2. <A
314 HREF="#AEN619"
315 >VERBATIM COPYING</A
316 ></DT
317 ><DT
318 >3. <A
319 HREF="#AEN623"
320 >COPYING IN QUANTITY</A
321 ></DT
322 ><DT
323 >4. <A
324 HREF="#AEN629"
325 >MODIFICATIONS</A
326 ></DT
327 ><DT
328 >5. <A
329 HREF="#AEN665"
330 >COMBINING DOCUMENTS</A
331 ></DT
332 ><DT
333 >6. <A
334 HREF="#AEN670"
335 >COLLECTIONS OF DOCUMENTS</A
336 ></DT
337 ><DT
338 >7. <A
339 HREF="#AEN674"
340 >AGGREGATION WITH INDEPENDENT WORKS</A
341 ></DT
342 ><DT
343 >8. <A
344 HREF="#AEN678"
345 >TRANSLATION</A
346 ></DT
347 ><DT
348 >9. <A
349 HREF="#AEN681"
350 >TERMINATION</A
351 ></DT
352 ><DT
353 >10. <A
354 HREF="#AEN684"
355 >FUTURE REVISIONS OF THIS LICENSE</A
356 ></DT
357 ><DT
358 ><A
359 HREF="#AEN689"
360 >How to use this License for your documents</A
361 ></DT
362 ></DL
363 ></DD
364 ></DL
365 ></DIV
366 ><DIV
367 CLASS="LOT"
368 ><DL
369 CLASS="LOT"
370 ><DT
371 ><B
372 >List of Figures</B
373 ></DT
374 ><DT
375 >3-1. <A
376 HREF="#WOT-EXAMPLES"
377 >A hypothetical web of trust</A
378 ></DT
379 ></DL
380 ></DIV
381 ><DIV
382 CLASS="CHAPTER"
383 ><HR><H1
384 ><A
385 NAME="INTRO"
386 >Chapter 1. Getting Started</A
387 ></H1
388 ><P
389 >GnuPG is a tool for secure communication.
390 This chapter is a quick-start guide that covers the core functionality
391 of GnuPG.
392 This includes keypair creation, exchanging and verifying keys, encrypting
393 and decrypting documents, and authenticating documents with digital
394 signatures.
395 It does not explain in detail the concepts behind public-key cryptography,
396 encryption, and digital signatures.
397 This is covered in Chapter <A
398 HREF="#CONCEPTS"
399 >2</A
400 >.
401 It also does not explain how to use GnuPG wisely.
402 This is covered in Chapters <A
403 HREF="#MANAGEMENT"
404 >3</A
405 > and
406 <A
407 HREF="#WISE"
408 >4</A
409 >.</P
410 ><P
411 >GnuPG uses public-key cryptography so that users may communicate securely.
412 In a public-key system, each user has a pair of keys consisting of
413 a <I
414 CLASS="FIRSTTERM"
415 >private key</I
416 > and a <I
417 CLASS="FIRSTTERM"
418 >public key</I
419 >.
420 A user's private key is kept secret; it need never be revealed.
421 The public key may be given to anyone with whom the user wants to
422 communicate.
423 GnuPG uses a somewhat more sophisticated scheme in which a user has
424 a primary keypair and then zero or more additional subordinate keypairs.
425 The primary and subordinate keypairs are bundled to facilitate key
426 management and the bundle can often be considered simply as one keypair.</P
427 ><DIV
428 CLASS="SECT1"
429 ><HR><H1
430 CLASS="SECT1"
431 ><A
432 NAME="AEN26"
433 >Generating a new keypair</A
434 ></H1
435 ><P
436 >The command-line option <TT
437 CLASS="OPTION"
438 >--gen-key</TT
439 >
440 is used to create a new primary keypair.
441
442 <PRE
443 CLASS="SCREEN"
444 ><TT
445 CLASS="PROMPT"
446 >alice%</TT
447 > <TT
448 CLASS="USERINPUT"
449 ><B
450 >gpg --gen-key</B
451 ></TT
452 >
453 gpg (GnuPG) 0.9.4; Copyright (C) 1999 Free Software Foundation, Inc.
454 This program comes with ABSOLUTELY NO WARRANTY.
455 This is free software, and you are welcome to redistribute it
456 under certain conditions. See the file COPYING for details.
457
458 Please select what kind of key you want:
459 (1) DSA and ElGamal (default)
460 (2) DSA (sign only)
461 (4) ElGamal (sign and encrypt)
462 Your selection?</PRE
463 >
464
465
466 GnuPG is able to create several different types of keypairs, but a primary
467 key must be capable of making signatures.
468 There are therefore only three options.
469 Option 1 actually creates two keypairs.
470 A DSA keypair is the primary keypair usable only for making signatures.
471 An ElGamal subordinate keypair is also created for encryption.
472 Option 2 is similar but creates only a DSA keypair.
473 Option 4<A
474 NAME="AEN34"
475 HREF="#FTN.AEN34"
476 >[1]</A
477 > creates a single ElGamal
478 keypair usable for both making signatures and performing encryption.
479 In all cases it is possible to later add additional subkeys for encryption
480 and signing.
481 For most users the default option is fine.</P
482 ><P
483 >You must also choose a key size.
484 The size of a DSA key must be between 512 and 1024 bits, and an ElGamal
485 key may be of any size.
486 GnuPG, however, requires that keys be no smaller than 768 bits.
487 Therefore, if Option 1 was chosen and you choose a keysize larger than
488 1024 bits, the ElGamal key will have the requested size, but the DSA
489 key will be 1024 bits.
490
491 <PRE
492 CLASS="SCREEN"
493 >About to generate a new ELG-E keypair.
494 minimum keysize is 768 bits
495 default keysize is 1024 bits
496 highest suggested keysize is 2048 bits
497 What keysize do you want? (1024)</PRE
498 >
499
500 The longer the key the more secure it is against brute-force attacks,
501 but for almost all purposes the default keysize is adequate since
502 it would be cheaper to circumvent the encryption than try to break it.
503 Also, encryption and decryption will be slower as the
504 key size is increased, and a larger keysize may affect signature length.
505 Once selected, the keysize can never be changed.</P
506 ><P
507 >Finally, you must choose an expiration date.
508 If Option 1 was chosen, the expiration date will be used for both the
509 ElGamal and DSA keypairs.
510
511 <PRE
512 CLASS="SCREEN"
513 >Please specify how long the key should be valid.
514 0 = key does not expire
515 <n> = key expires in n days
516 <n>w = key expires in n weeks
517 <n>m = key expires in n months
518 <n>y = key expires in n years
519 Key is valid for? (0) </PRE
520 >
521
522 For most users a key that does not expire is adequate.
523 The expiration time should be chosen with care, however,
524 since although it is possible to change the expiration date after the key
525 is created, it may be difficult to communicate a change
526 to users who have your public key.</P
527 ><P
528 >You must provide a user ID in addition to the key parameters.
529 The user ID is used to associate the key being created with a real
530 person.
531
532 <PRE
533 CLASS="SCREEN"
534 >You need a User-ID to identify your key; the software constructs the user id
535 from Real Name, Comment and Email Address in this form:
536 "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
537
538 Real name: </PRE
539 >
540
541 Only one user ID is created when a key is created, but it is possible
542 to create additional user IDs if you want to use the key in two or
543 more contexts, e.g., as an employee at work and a political activist
544 on the side.
545 A user ID should be created carefully since it cannot be edited after
546 it is created.</P
547 ><P
548 >GnuPG needs a passphrase to protect the primary and subordinate
549 private keys that you keep in your possession.
550
551 <PRE
552 CLASS="SCREEN"
553 >You need a Passphrase to protect your private key.
554
555 Enter passphrase: </PRE
556 >
557
558 There is no limit on the length of a passphrase, and it should be
559 carefully chosen.
560 From the perspective of security, the passphrase to unlock the private
561 key is one of the weakest points in GnuPG (and other public-key
562 encryption systems as well) since it is the only protection you
563 have if another individual gets your private key.
564 Ideally, the passphrase should not use words from a dictionary and
565 should mix the case of alphabetic characters as well as use
566 non-alphabetic characters.
567 A good passphrase is crucial to the secure use of GnuPG.</P
568 ><DIV
569 CLASS="SECT2"
570 ><HR><H2
571 CLASS="SECT2"
572 ><A
573 NAME="REVOCATION"
574 >Generating a revocation certificate</A
575 ></H2
576 ><P
577 >After your keypair is created you should immediately generate a revocation
578 certificate for the primary public key using the option
579 <TT
580 CLASS="OPTION"
581 >--gen-revoke</TT
582 >.
583 If you forget your passphrase or if your private key is compromised
584 or lost, this revocation certificate may be published to notify others
585 that the public key should no longer be used.
586 A revoked public key can still be used to verify signatures made
587 by you in the past, but it cannot be used to encrypt future messages
588 to you.
589 It also does not affect your ability to decrypt messages sent to
590 you in the past if you still do have access to the private key.
591
592 <PRE
593 CLASS="SCREEN"
594 ><TT
595 CLASS="PROMPT"
596 >alice%</TT
597 > <TT
598 CLASS="USERINPUT"
599 ><B
600 >gpg --output revoke.asc --gen-revoke mykey</B
601 ></TT
602 >
603 [...]</PRE
604 >
605
606 The argument <TT
607 CLASS="USERINPUT"
608 ><B
609 >mykey</B
610 ></TT
611 > must be a <I
612 CLASS="EMPHASIS"
613 >key
614 specifier</I
615 >,
616 either the key ID of your primary keypair or any part of a user ID
617 that identifies your keypair.
618 The generated certificate will be left in the file
619 <TT
620 CLASS="PARAMETER"
621 ><I
622 >revoke.asc</I
623 ></TT
624 >.
625 If the <TT
626 CLASS="OPTION"
627 >--output</TT
628 > option is
629 omitted, the result will be placed on standard output.
630 Since the certificate is short, you may wish to print a hardcopy of
631 the certificate to store somewhere safe such as your safe deposit box.
632 The certificate should not be stored where others can access it since
633 anybody can publish the revocation certificate and render the
634 corresponding public key useless.</P
635 ></DIV
636 ></DIV
637 ><DIV
638 CLASS="SECT1"
639 ><HR><H1
640 CLASS="SECT1"
641 ><A
642 NAME="AEN57"
643 >Exchanging keys</A
644 ></H1
645 ><P
646 >To communicate with others you must exchange public keys.
647 To list the keys on your public keyring use the command-line
648 option <TT
649 CLASS="OPTION"
650 >--list-keys</TT
651 >.</P
652 ><PRE
653 CLASS="SCREEN"
654 ><TT
655 CLASS="PROMPT"
656 >alice%</TT
657 > <TT
658 CLASS="USERINPUT"
659 ><B
660 >gpg --list-keys</B
661 ></TT
662 >
663 /users/alice/.gnupg/pubring.gpg
664 ---------------------------------------
665 pub 1024D/BB7576AC 1999-06-04 Alice (Judge) <alice@cyb.org>
666 sub 1024g/78E9A8FA 1999-06-04</PRE
667 ><DIV
668 CLASS="SECT2"
669 ><HR><H2
670 CLASS="SECT2"
671 ><A
672 NAME="AEN65"
673 >Exporting a public key</A
674 ></H2
675 ><P
676 >To send your public key to a correspondent you must first export it.
677 The command-line option <TT
678 CLASS="OPTION"
679 >--export</TT
680 >
681 is used to do this.
682 It takes an additional argument identifying the public key to export.
683 As with the <TT
684 CLASS="OPTION"
685 >--gen-revoke</TT
686 > option, either the key ID or any part of
687 the user ID may be used to identify the key to export.</P
688 ><PRE
689 CLASS="SCREEN"
690 ><TT
691 CLASS="PROMPT"
692 >alice%</TT
693 > <TT
694 CLASS="USERINPUT"
695 ><B
696 >gpg --output alice.gpg --export alice@cyb.org</B
697 ></TT
698 ></PRE
699 ><P
700 >The key is exported in a binary format, but this can be inconvenient
701 when the key is to be sent though email or published on a web page.
702 GnuPG therefore supports a command-line option
703 <TT
704 CLASS="OPTION"
705 >--armor</TT
706 ><A
707 NAME="AEN77"
708 HREF="#FTN.AEN77"
709 >[2]</A
710 >
711 that
712 causes output to be generated in an ASCII-armored format similar to
713 uuencoded documents.
714 In general, any output from GnuPG, e.g., keys, encrypted documents, and
715 signatures, can be ASCII-armored by adding the <TT
716 CLASS="OPTION"
717 >--armor</TT
718 > option.</P
719 ><PRE
720 CLASS="SCREEN"
721 ><TT
722 CLASS="PROMPT"
723 >alice%</TT
724 > <TT
725 CLASS="USERINPUT"
726 ><B
727 >gpg --armor --export alice@cyb.org</B
728 ></TT
729 >
730 -----BEGIN PGP PUBLIC KEY BLOCK-----
731 Version: GnuPG v0.9.7 (GNU/Linux)
732 Comment: For info see http://www.gnupg.org
733
734 [...]
735 -----END PGP PUBLIC KEY BLOCK-----</PRE
736 ></DIV
737 ><DIV
738 CLASS="SECT2"
739 ><HR><H2
740 CLASS="SECT2"
741 ><A
742 NAME="AEN84"
743 >Importing a public key</A
744 ></H2
745 ><P
746 >A public key may be added to your public keyring with the
747 <TT
748 CLASS="OPTION"
749 >--import</TT
750 > option.</P
751 ><PRE
752 CLASS="SCREEN"
753 ><TT
754 CLASS="PROMPT"
755 >alice%</TT
756 > <TT
757 CLASS="USERINPUT"
758 ><B
759 >gpg --import blake.gpg</B
760 ></TT
761 >
762 gpg: key 9E98BC16: public key imported
763 gpg: Total number processed: 1
764 gpg: imported: 1
765 <TT
766 CLASS="PROMPT"
767 >alice%</TT
768 > <TT
769 CLASS="USERINPUT"
770 ><B
771 >gpg --list-keys</B
772 ></TT
773 >
774 /users/alice/.gnupg/pubring.gpg
775 ---------------------------------------
776 pub 1024D/BB7576AC 1999-06-04 Alice (Judge) <alice@cyb.org>
777 sub 1024g/78E9A8FA 1999-06-04
778
779 pub 1024D/9E98BC16 1999-06-04 Blake (Executioner) <blake@cyb.org>
780 sub 1024g/5C8CBD41 1999-06-04</PRE
781 ><P
782 >Once a key is imported it should be validated.
783 GnuPG uses a powerful and flexible trust model that does not require
784 you to personally validate each key you import.
785 Some keys may need to be personally validated, however.
786 A key is validated by verifying the key's fingerprint and then signing
787 the key to certify it as a valid key.
788 A key's fingerprint can be quickly viewed with the
789 <TT
790 CLASS="OPTION"
791 >--fingerprint</TT
792 >
793 command-line option, but in order to certify the key you must edit it.
794
795 <PRE
796 CLASS="SCREEN"
797 ><TT
798 CLASS="PROMPT"
799 >alice%</TT
800 > <TT
801 CLASS="USERINPUT"
802 ><B
803 >gpg --edit-key blake@cyb.org</B
804 ></TT
805 >
806
807 pub 1024D/9E98BC16 created: 1999-06-04 expires: never trust: -/q
808 sub 1024g/5C8CBD41 created: 1999-06-04 expires: never
809 (1) Blake (Executioner) <blake@cyb.org>
810
811 <TT
812 CLASS="PROMPT"
813 >Command></TT
814 > <TT
815 CLASS="USERINPUT"
816 ><B
817 >fpr</B
818 ></TT
819 >
820 pub 1024D/9E98BC16 1999-06-04 Blake (Executioner) <blake@cyb.org>
821 Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16</PRE
822 >
823
824 A key's fingerprint is verified with the key's owner.
825 This may be done in person or over the phone or through any other means
826 as long as you can guarantee that you are communicating with the key's
827 true owner.
828 If the fingerprint you get is the same as the fingerprint the key's
829 owner gets, then you can be sure that you have a correct copy of the key.</P
830 ><P
831 >After checking the fingerprint, you may sign the key to validate it.
832 Since key verification is a weak point in public-key cryptography,
833 you should be extremely careful and <I
834 CLASS="EMPHASIS"
835 >always</I
836 > check
837 a key's fingerprint with the owner before signing the key.</P
838 ><PRE
839 CLASS="SCREEN"
840 ><TT
841 CLASS="PROMPT"
842 >Command></TT
843 > <TT
844 CLASS="USERINPUT"
845 ><B
846 >sign</B
847 ></TT
848 >
849
850 pub 1024D/9E98BC16 created: 1999-06-04 expires: never trust: -/q
851 Fingerprint: 268F 448F CCD7 AF34 183E 52D8 9BDE 1A08 9E98 BC16
852
853 Blake (Executioner) <blake@cyb.org>
854
855 Are you really sure that you want to sign this key
856 with your key: "Alice (Judge) <alice@cyb.org>"
857
858 Really sign?</PRE
859 ><P
860 >Once signed you can check the key to list the signatures on it and
861 see the signature that you have added.
862 Every user ID on the key will have one or more self-signatures as well
863 as a signature for each user that has validated the key.</P
864 ><PRE
865 CLASS="SCREEN"
866 ><TT
867 CLASS="PROMPT"
868 >Command></TT
869 > <TT
870 CLASS="USERINPUT"
871 ><B
872 >check</B
873 ></TT
874 >
875 uid Blake (Executioner) <blake@cyb.org>
876 sig! 9E98BC16 1999-06-04 [self-signature]
877 sig! BB7576AC 1999-06-04 Alice (Judge) <alice@cyb.org></PRE
878 ></DIV
879 ></DIV
880 ><DIV
881 CLASS="SECT1"
882 ><HR><H1
883 CLASS="SECT1"
884 ><A
885 NAME="AEN111"
886 >Encrypting and decrypting documents</A
887 ></H1
888 ><P
889 >A public and private key each have a specific role when
890 encrypting and decrypting documents.
891 A public key may be thought of as an open safe.
892 When a correspondent encrypts a document using a public
893 key, that document is put in the safe, the safe shut, and the
894 combination lock spun several times.
895 The corresponding private key is the combination that can
896 reopen the safe and retrieve the document.
897 In other words, only the person who holds the private key
898 can recover a document encrypted using the associated public key.</P
899 ><P
900 >The procedure for encrypting and decrypting documents is
901 straightforward with this mental model.
902 If you want to encrypt a message to Alice, you encrypt it
903 using Alice's public key, and she decrypts it with her private key.
904 If Alice wants to send you a message, she encrypts it using your
905 public key, and you decrypt it with your private key.</P
906 ><P
907 >To encrypt a document the option
908 <TT
909 CLASS="OPTION"
910 >--encrypt</TT
911 > is used.
912 You must have the public keys of the intended recipients.
913 The software expects the name of the document to encrypt as input; if
914 omitted, it reads standard input.
915 The encrypted result is placed on standard output or as specified using
916 the option <TT
917 CLASS="OPTION"
918 >--output</TT
919 >.
920 The document is compressed for additional security in addition to
921 encrypting it.
922
923 <PRE
924 CLASS="SCREEN"
925 ><TT
926 CLASS="PROMPT"
927 >alice%</TT
928 > <TT
929 CLASS="USERINPUT"
930 ><B
931 >gpg --output doc.gpg --encrypt --recipient blake@cyb.org doc</B
932 ></TT
933 ></PRE
934 >
935
936 The <TT
937 CLASS="OPTION"
938 >--recipient</TT
939 > option
940 is used once for each recipient and takes an extra argument specifying
941 the public key to which the document should be encrypted.
942 The encrypted document can only be decrypted by someone with a private
943 key that complements one of the recipients' public keys.
944 In particular, you cannot decrypt a document encrypted by you unless
945 you included your own public key in the recipient list.</P
946 ><P
947 >To decrypt a message the option
948 <TT
949 CLASS="OPTION"
950 >--decrypt</TT
951 > is used.
952 You need the private key to which the message was encrypted.
953 Similar to the encryption process, the document to decrypt is
954 input, and the decrypted result is output.</P
955 ><PRE
956 CLASS="SCREEN"
957 ><TT
958 CLASS="PROMPT"
959 >blake%</TT
960 > <TT
961 CLASS="USERINPUT"
962 ><B
963 >gpg --output doc --decrypt doc.gpg</B
964 ></TT
965 >
966
967 You need a passphrase to unlock the secret key for
968 user: "Blake (Executioner) <blake@cyb.org>"
969 1024-bit ELG-E key, ID 5C8CBD41, created 1999-06-04 (main key ID 9E98BC16)
970
971 Enter passphrase: </PRE
972 ><P
973 >Documents may also be encrypted without using public-key cryptography.
974 Instead, you use a symmetric cipher to encrypt the document.
975 The key used to drive the symmetric cipher is derived from a passphrase
976 supplied when the document is encrypted, and for good security, it
977 should not be the same passphrase that you use to protect your private key.
978 Symmetric encryption is useful for securing documents when the
979 passphrase does not need to be communicated to others.
980 A document can be encrypted with a symmetric cipher by using the
981 <TT
982 CLASS="OPTION"
983 >--symmetric</TT
984 > option.</P
985 ><PRE
986 CLASS="SCREEN"
987 ><TT
988 CLASS="PROMPT"
989 >alice%</TT
990 > <TT
991 CLASS="USERINPUT"
992 ><B
993 >gpg --output doc.gpg --symmetric doc</B
994 ></TT
995 >
996 Enter passphrase: </PRE
997 ></DIV
998 ><DIV
999 CLASS="SECT1"
1000 ><HR><H1
1001 CLASS="SECT1"
1002 ><A
1003 NAME="AEN136"
1004 >Making and verifying signatures</A
1005 ></H1
1006 ><P
1007 >A digital signature certifies and timestamps a document.
1008 If the document is subsequently modified in any way, a verification
1009 of the signature will fail.
1010 A digital signature can serve the same purpose as a hand-written signature
1011 with the additional benefit of being tamper-resistant.
1012 The GnuPG source distribution, for example, is signed so that users can
1013 verify that the source code has not been modified since it was packaged.</P
1014 ><P
1015 >Creating and verifying signatures uses the public/private keypair
1016 in an operation different from encryption and decryption.
1017 A signature is created using the private key of the signer.
1018 The signature is verified using the corresponding public key.
1019 For example, Alice would use her own private key to digitally sign
1020 her latest submission to the Journal of Inorganic Chemistry.
1021 The associate editor handling her submission would use Alice's
1022 public key to check the signature to verify that the submission
1023 indeed came from Alice and that it had not been modified since Alice
1024 sent it.
1025 A consequence of using digital signatures is that it is difficult to
1026 deny that you made a digital signature since that would imply
1027 your private key had been compromised.</P
1028 ><P
1029 >The command-line option
1030 <TT
1031 CLASS="OPTION"
1032 >--sign</TT
1033 > is
1034 used to make a digital signature.
1035 The document to sign is input, and the signed document is output.
1036
1037 <PRE
1038 CLASS="SCREEN"
1039 ><TT
1040 CLASS="PROMPT"
1041 >alice%</TT
1042 > <TT
1043 CLASS="USERINPUT"
1044 ><B
1045 >gpg --output doc.sig --sign doc</B
1046 ></TT
1047 >
1048
1049 You need a passphrase to unlock the private key for
1050 user: "Alice (Judge) <alice@cyb.org>"
1051 1024-bit DSA key, ID BB7576AC, created 1999-06-04
1052
1053 Enter passphrase: </PRE
1054 >
1055
1056 The document is compressed before being signed, and the output is in binary
1057 format.</P
1058 ><P
1059 >Given a signed document, you can either check the signature or
1060 check the signature and recover the original document.
1061 To check the signature use the
1062 <TT
1063 CLASS="OPTION"
1064 >--verify</TT
1065 > option.
1066 To verify the signature and extract the document use the
1067 <TT
1068 CLASS="OPTION"
1069 >--decrypt</TT
1070 >
1071 option.
1072 The signed document to verify and recover is input and the recovered
1073 document is output.</P
1074 ><PRE
1075 CLASS="SCREEN"
1076 ><TT
1077 CLASS="PROMPT"
1078 >blake%</TT
1079 > <TT
1080 CLASS="USERINPUT"
1081 ><B
1082 >gpg --output doc --decrypt doc.sig</B
1083 ></TT
1084 >
1085 gpg: Signature made Fri Jun 4 12:02:38 1999 CDT using DSA key ID BB7576AC
1086 gpg: Good signature from "Alice (Judge) <alice@cyb.org>"</PRE
1087 ><DIV
1088 CLASS="SECT2"
1089 ><HR><H2
1090 CLASS="SECT2"
1091 ><A
1092 NAME="AEN153"
1093 >Clearsigned documents</A
1094 ></H2
1095 ><P
1096 >A common use of digital signatures is to sign usenet postings or
1097 email messages.
1098 In such situations it is undesirable to compress the document while
1099 signing it.
1100 The option
1101 <TT
1102 CLASS="OPTION"
1103 >--clearsign</TT
1104 >
1105 causes the document to be wrapped in an ASCII-armored signature but
1106 otherwise does not modify the document.</P
1107 ><PRE
1108 CLASS="SCREEN"
1109 ><TT
1110 CLASS="PROMPT"
1111 >alice%</TT
1112 > <TT
1113 CLASS="USERINPUT"
1114 ><B
1115 >gpg --clearsign doc</B
1116 ></TT
1117 >
1118
1119 You need a passphrase to unlock the secret key for
1120 user: "Alice (Judge) <alice@cyb.org>"
1121 1024-bit DSA key, ID BB7576AC, created 1999-06-04
1122
1123 -----BEGIN PGP SIGNED MESSAGE-----
1124 Hash: SHA1
1125
1126 [...]
1127 -----BEGIN PGP SIGNATURE-----
1128 Version: GnuPG v0.9.7 (GNU/Linux)
1129 Comment: For info see http://www.gnupg.org
1130
1131 iEYEARECAAYFAjdYCQoACgkQJ9S6ULt1dqz6IwCfQ7wP6i/i8HhbcOSKF4ELyQB1
1132 oCoAoOuqpRqEzr4kOkQqHRLE/b8/Rw2k
1133 =y6kj
1134 -----END PGP SIGNATURE-----</PRE
1135 ></DIV
1136 ><DIV
1137 CLASS="SECT2"
1138 ><HR><H2
1139 CLASS="SECT2"
1140 ><A
1141 NAME="AEN161"
1142 >Detached signatures</A
1143 ></H2
1144 ><P
1145 >A signed document has limited usefulness.
1146 Other users must recover the original document from the signed
1147 version, and even with clearsigned documents, the signed document
1148 must be edited to recover the original.
1149 Therefore, there is a third method for signing a document that
1150 creates a detached signature, which is a separate file.
1151 A detached signature is created using the
1152 <TT
1153 CLASS="OPTION"
1154 >--detach-sig</TT
1155 >
1156 option.</P
1157 ><PRE
1158 CLASS="SCREEN"
1159 ><TT
1160 CLASS="PROMPT"
1161 >alice%</TT
1162 > <TT
1163 CLASS="USERINPUT"
1164 ><B
1165 >gpg --output doc.sig --detach-sig doc</B
1166 ></TT
1167 >
1168
1169 You need a passphrase to unlock the secret key for
1170 user: "Alice (Judge) <alice@cyb.org>"
1171 1024-bit DSA key, ID BB7576AC, created 1999-06-04
1172
1173 Enter passphrase: </PRE
1174 ><P
1175 >Both the document and detached signature are needed to verify
1176 the signature.
1177 The <TT
1178 CLASS="OPTION"
1179 >--verify</TT
1180 > option can be to check the
1181 signature.</P
1182 ><PRE
1183 CLASS="SCREEN"
1184 ><TT
1185 CLASS="PROMPT"
1186 >blake%</TT
1187 > <TT
1188 CLASS="USERINPUT"
1189 ><B
1190 >gpg --verify doc.sig doc</B
1191 ></TT
1192 >
1193 gpg: Signature made Fri Jun 4 12:38:46 1999 CDT using DSA key ID BB7576AC
1194 gpg: Good signature from "Alice (Judge) <alice@cyb.org>"</PRE
1195 ></DIV
1196 ></DIV
1197 ></DIV
1198 ><DIV
1199 CLASS="CHAPTER"
1200 ><HR><H1
1201 ><A
1202 NAME="CONCEPTS"
1203 >Chapter 2. Concepts</A
1204 ></H1
1205 ><P
1206 >GnuPG makes uses of several cryptographic concepts including
1207 <I
1208 CLASS="FIRSTTERM"
1209 >symmetric ciphers</I
1210 >,
1211 <I
1212 CLASS="FIRSTTERM"
1213 >public-key ciphers</I
1214 >, and
1215 <I
1216 CLASS="FIRSTTERM"
1217 >one-way hashing</I
1218 >.
1219 You can make basic use GnuPG without fully understanding these concepts,
1220 but in order to use it wisely some understanding of them is necessary.</P
1221 ><P
1222 >This chapter introduces the basic cryptographic concepts used in GnuPG.
1223 Other books cover these topics in much more detail.
1224 A good book with which to pursue further study is
1225 <A
1226 HREF="http://www.counterpane.com/schneier.html"
1227 TARGET="_top"
1228 >Bruce
1229 Schneier</A
1230 >'s
1231 <A
1232 HREF="http://www.counterpane.com/applied.html"
1233 TARGET="_top"
1234 >``Applied
1235 Cryptography''</A
1236 >.</P
1237 ><DIV
1238 CLASS="SECT1"
1239 ><HR><H1
1240 CLASS="SECT1"
1241 ><A
1242 NAME="AEN185"
1243 >Symmetric ciphers</A
1244 ></H1
1245 ><P
1246 >A symmetric cipher is a cipher that uses the same key for both encryption
1247 and decryption.
1248 Two parties communicating using a symmetric cipher must agree on the
1249 key beforehand.
1250 Once they agree, the sender encrypts a message using the key, sends it
1251 to the receiver, and the receiver decrypts the message using the key.
1252 As an example, the German Enigma is a symmetric cipher, and daily keys
1253 were distributed as code books.
1254 Each day, a sending or receiving radio operator would consult his copy
1255 of the code book to find the day's key.
1256 Radio traffic for that day was then encrypted and decrypted using the
1257 day's key.
1258 Modern examples of symmetric ciphers include 3DES, Blowfish, and IDEA.</P
1259 ><P
1260 >A good cipher puts all the security in the key and none in the algorithm.
1261 In other words, it should be no help to an attacker if he knows which
1262 cipher is being used.
1263 Only if he obtains the key would knowledge of the algorithm be needed.
1264 The ciphers used in GnuPG have this property.</P
1265 ><P
1266 >Since all the security is in the key, then it is important that it be
1267 very difficult to guess the key.
1268 In other words, the set of possible keys, i.e., the <I
1269 CLASS="EMPHASIS"
1270 >key
1271 space</I
1272 >, needs
1273 to be large.
1274 While at Los Alamos, Richard Feynman was famous for his ability to
1275 crack safes.
1276 To encourage the mystique he even carried around a set of tools
1277 including an old stethoscope.
1278 In reality, he used a variety of tricks to reduce the number of
1279 combinations he had to try to a small number and then simply guessed
1280 until he found the right combination.
1281 In other words, he reduced the size of the key space.</P
1282 ><P
1283 >Britain used machines to guess keys during World War 2.
1284 The German Enigma had a very large key space, but the British built
1285 specialized computing engines, the Bombes, to mechanically try
1286 keys until the day's key was found.
1287 This meant that sometimes they found the day's key within hours of
1288 the new key's use, but it also meant that on some days they never
1289 did find the right key.
1290 The Bombes were not general-purpose computers but were precursors
1291 to modern-day computers.</P
1292 ><P
1293 >Today, computers can guess keys very quickly, and this is why key
1294 size is important in modern cryptosystems.
1295 The cipher DES uses a 56-bit key, which means that there are
1296 2<SUP
1297 >56</SUP
1298 > possible keys.
1299 2<SUP
1300 >56</SUP
1301 > is 72,057,594,037,927,936 keys.
1302 This is a lot of keys, but a general-purpose computer can check the
1303 entire key space in a matter of days.
1304 A specialized computer can check it in hours.
1305 On the other hand, more recently designed ciphers such as 3DES,
1306 Blowfish, and IDEA
1307 all use 128-bit keys, which means there are 2<SUP
1308 >128</SUP
1309 >
1310 possible keys.
1311 This is many, many more keys, and even if all the computers on the
1312 planet cooperated, it could still take more time than the age of
1313 the universe to find the key.</P
1314 ></DIV
1315 ><DIV
1316 CLASS="SECT1"
1317 ><HR><H1
1318 CLASS="SECT1"
1319 ><A
1320 NAME="AEN196"
1321 >Public-key ciphers</A
1322 ></H1
1323 ><P
1324 >The primary problem with symmetric ciphers is not their security but
1325 with key exchange.
1326 Once the sender and receiver have exchanged keys, that key can be
1327 used to securely communicate, but what secure communication channel
1328 was used to communicate the key itself?
1329 In particular, it would probably be much easier for an attacker to work
1330 to intercept the key than it is to try all the keys in the key space.
1331 Another problem is the number of keys needed.
1332 If there are <I
1333 CLASS="EMPHASIS"
1334 >n</I
1335 > people who need to communicate, then
1336 <I
1337 CLASS="EMPHASIS"
1338 >n(n-1)/2</I
1339 > keys
1340 are needed for each pair of people to communicate privately.
1341 This may be OK for a small number of people but quickly becomes unwieldy
1342 for large groups of people.</P
1343 ><P
1344 >Public-key ciphers were invented to avoid the key-exchange problem
1345 entirely.
1346 A public-key cipher uses a pair of keys for sending messages.
1347 The two keys belong to the person receiving the message.
1348 One key is a <I
1349 CLASS="EMPHASIS"
1350 >public key</I
1351 > and may be given to anybody.
1352 The other key is a <I
1353 CLASS="EMPHASIS"
1354 >private key</I
1355 > and is kept
1356 secret by the owner.
1357 A sender encrypts a message using the public key and once encrypted,
1358 only the private key may be used to decrypt it.</P
1359 ><P
1360 >This protocol solves the key-exchange problem inherent with symmetric
1361 ciphers.
1362 There is no need for the sender and receiver to agree
1363 upon a key.
1364 All that is required is that some time before secret communication the
1365 sender gets a copy of the receiver's public key.
1366 Furthermore, the one public key can be used by anybody wishing to
1367 communicate with the receiver.
1368 So only <I
1369 CLASS="EMPHASIS"
1370 >n</I
1371 > keypairs are needed for <I
1372 CLASS="EMPHASIS"
1373 >n</I
1374 >
1375 people to communicate secretly
1376 with one another.</P
1377 ><P
1378 >Public-key ciphers are based on one-way trapdoor functions.
1379 A one-way function is a function that is easy to compute,
1380 but the inverse is hard to compute.
1381 For example, it is easy to multiply two prime numbers together to get
1382 a composite, but it is difficult to factor a composite into its prime
1383 components.
1384 A one-way trapdoor function is similar, but it has a trapdoor.
1385 That is, if some piece of information is known, it becomes easy
1386 to compute the inverse.
1387 For example, if you have a number made of two prime factors, then knowing
1388 one of the factors makes it easy to compute the second.
1389 Given a public-key cipher based on prime factorization, the public
1390 key contains a composite number made from two large prime factors, and
1391 the encryption algorithm uses that composite to encrypt the
1392 message.
1393 The algorithm to decrypt the message requires knowing the prime factors,
1394 so decryption is easy if you have the private key containing one of the
1395 factors but extremely difficult if you do not have it.</P
1396 ><P
1397 >As with good symmetric ciphers, with a good public-key cipher all of the
1398 security rests with the key.
1399 Therefore, key size is a measure of the system's security, but
1400 one cannot compare the size of a symmetric cipher key and a public-key
1401 cipher key as a measure of their relative security.
1402 In a brute-force attack on a symmetric cipher with a key size of 80 bits,
1403 the attacker must enumerate up to 2<SUP
1404 >80</SUP
1405 > keys to
1406 find the right key.
1407 In a brute-force attack on a public-key cipher with a key size of 512 bits,
1408 the attacker must factor a composite number encoded in 512 bits (up to
1409 155 decimal digits).
1410 The workload for the attacker is fundamentally different depending on
1411 the cipher he is attacking.
1412 While 128 bits is sufficient for symmetric ciphers, given today's factoring
1413 technology public keys with 1024 bits are recommended for most purposes.</P
1414 ></DIV
1415 ><DIV
1416 CLASS="SECT1"
1417 ><HR><H1
1418 CLASS="SECT1"
1419 ><A
1420 NAME="AEN210"
1421 >Hybrid ciphers</A
1422 ></H1
1423 ><P
1424 >Public-key ciphers are no panacea.
1425 Many symmetric ciphers are stronger from a security standpoint,
1426 and public-key encryption and decryption are more expensive than the
1427 corresponding operations in symmetric systems.
1428 Public-key ciphers are nevertheless an effective tool for distributing
1429 symmetric cipher keys, and that is how they are used in hybrid cipher
1430 systems.</P
1431 ><P
1432 >A hybrid cipher uses both a symmetric cipher and a public-key cipher.
1433 It works by using a public-key cipher to share a key for the symmetric
1434 cipher.
1435 The actual message being sent is then encrypted using the key and sent
1436 to the recipient.
1437 Since symmetric key sharing is secure, the symmetric key used is different
1438 for each message sent.
1439 Hence it is sometimes called a session key.</P
1440 ><P
1441 >Both PGP and GnuPG use hybrid ciphers.
1442 The session key, encrypted using the public-key cipher, and the message
1443 being sent, encrypted with the symmetric cipher, are automatically
1444 combined in one package.
1445 The recipient uses his private-key to decrypt the session key and the
1446 session key is then used to decrypt the message.</P
1447 ><P
1448 >A hybrid cipher is no stronger than the public-key cipher or symmetric
1449 cipher it uses, whichever is weaker.
1450 In PGP and GnuPG, the public-key cipher is probably the weaker of
1451 the pair.
1452 Fortunately, however, if an attacker could decrypt a session key it
1453 would only be useful for reading the one message encrypted with that
1454 session key.
1455 The attacker would have to start over and decrypt another session
1456 key in order to read any other message.</P
1457 ></DIV
1458 ><DIV
1459 CLASS="SECT1"
1460 ><HR><H1
1461 CLASS="SECT1"
1462 ><A
1463 NAME="AEN216"
1464 >Digital signatures</A
1465 ></H1
1466 ><P
1467 >A hash function is a many-to-one function that maps its input to a
1468 value in a finite set.
1469 Typically this set is a range of natural numbers.
1470 A simple hash function is <I
1471 CLASS="EMPHASIS"
1472 >f</I
1473 >(<I
1474 CLASS="EMPHASIS"
1475 >x</I
1476 >) = 0
1477 for all integers <I
1478 CLASS="EMPHASIS"
1479 >x</I
1480 >.
1481 A more interesting hash function is
1482 <I
1483 CLASS="EMPHASIS"
1484 >f</I
1485 >(<I
1486 CLASS="EMPHASIS"
1487 >x</I
1488 >) = <I
1489 CLASS="EMPHASIS"
1490 >x</I
1491 >
1492 <I
1493 CLASS="EMPHASIS"
1494 >mod</I
1495 > 37, which
1496 maps <I
1497 CLASS="EMPHASIS"
1498 >x</I
1499 > to the remainder of dividing <I
1500 CLASS="EMPHASIS"
1501 >x</I
1502 > by 37.</P
1503 ><P
1504 >A document's digital signature is the result of applying a hash
1505 function to the document.
1506 To be useful, however, the hash function needs to satisfy two
1507 important properties.
1508 First, it should be hard to find two documents that hash to the
1509 same value.
1510 Second, given a hash value it should be hard to recover the document
1511 that produced that value.</P
1512 ><P
1513 >Some public-key ciphers<A
1514 NAME="AEN230"
1515 HREF="#FTN.AEN230"
1516 >[3]</A
1517 > could be used to sign documents.
1518 The signer encrypts the document with his <I
1519 CLASS="EMPHASIS"
1520 >private</I
1521 > key.
1522 Anybody wishing to check the signature and see the document simply
1523 uses the signer's public key to decrypt the document.
1524 This algorithm does satisfy the two properties needed from a good hash
1525 function, but in practice, this algorithm is too slow to be useful.</P
1526 ><P
1527 >An alternative is to use hash functions designed to satisfy these
1528 two important properties.
1529 SHA and MD5 are examples of such algorithms.
1530 Using such an algorithm, a document is signed by hashing it, and
1531 the hash value is the signature.
1532 Another person can check the signature by also hashing their copy of the
1533 document and comparing the hash value they get with the hash value of
1534 the original document.
1535 If they match, it is almost certain that the documents are identical.</P
1536 ><P
1537 >Of course, the problem now is using a hash function for digital
1538 signatures without permitting an attacker to interfere with signature
1539 checking.
1540 If the document and signature are sent unencrypted, an attacker could
1541 modify the document and generate a corresponding signature without the
1542 recipient's knowledge.
1543 If only the document is encrypted, an attacker could tamper with the
1544 signature and cause a signature check to fail.
1545 A third option is to use a hybrid public-key encryption to encrypt both
1546 the signature and document.
1547 The signer uses his private key, and anybody can use his public key
1548 to check the signature and document.
1549 This sounds good but is actually nonsense.
1550 If this algorithm truly secured the document it would also
1551 secure it from tampering and there would be no need for the signature.
1552 The more serious problem, however, is that this does not protect either
1553 the signature or document from tampering.
1554 With this algorithm, only the session key for the symmetric cipher
1555 is encrypted using the signer's private key.
1556 Anybody can use the public key to recover the session key.
1557 Therefore, it is straightforward for an attacker to recover the session
1558 key and use it to encrypt substitute documents and signatures to send
1559 to others in the sender's name.</P
1560 ><P
1561 >An algorithm that does work is to use a public key algorithm to
1562 encrypt only the signature.
1563 In particular, the hash value is encrypted using the signer's private
1564 key, and anybody can check the signature using the public key.
1565 The signed document can be sent using any other encryption algorithm
1566 including none if it is a public document.
1567 If the document is modified the signature check will fail, but this
1568 is precisely what the signature check is supposed to catch.
1569 The Digital Signature Standard (DSA) is a public key signature
1570 algorithm that works as just described.
1571 DSA is the primary signing algorithm used in GnuPG.</P
1572 ></DIV
1573 ></DIV
1574 ><DIV
1575 CLASS="CHAPTER"
1576 ><HR><H1
1577 ><A
1578 NAME="MANAGEMENT"
1579 >Chapter 3. Key Management</A
1580 ></H1
1581 ><P
1582 >Key tampering is a major security weakness with public-key cryptography.
1583 An eavesdropper may tamper with a user's keyrings or forge a
1584 user's public key and post it for others to download and use.
1585 For example, suppose Chloe wants to monitor the messages that Alice
1586 sends to Blake.
1587 She could mount what is called a <I
1588 CLASS="FIRSTTERM"
1589 >man in the
1590 middle</I
1591 > attack.
1592 In this attack, Chloe creates a new public/private keypair.
1593 She replaces Alice's copy of Blake's public key with the new public key.
1594 She then intercepts the messages that Alice sends to Blake.
1595 For each intercept, she decrypts it using the new private key, reencrypts
1596 it using Blake's true public key, and forwards the reencrypted
1597 message to Blake.
1598 All messages sent from Alice to Blake can now be read by Chloe.</P
1599 ><P
1600 >Good key management is crucial in order to ensure not just the integrity
1601 of your keyrings but the integrity of other users' keyrings as well.
1602 The core of key management in GnuPG is the notion of signing keys.
1603 Key signing has two main purposes: it permits you to detect tampering
1604 on your keyring, and it allows you to certify that a key truly belongs
1605 to the person named by a user ID on the key.
1606 Key signatures are also used in a scheme known as the <I
1607 CLASS="FIRSTTERM"
1608 >web of
1609 trust</I
1610 > to extend certification to keys not directly signed by you
1611 but signed by others you trust.
1612 Responsible users who practice good key management can defeat key
1613 tampering as a practical attack on secure communication with GnuPG.</P
1614 ><DIV
1615 CLASS="SECT1"
1616 ><HR><H1
1617 CLASS="SECT1"
1618 ><A
1619 NAME="AEN244"
1620 >Managing your own keypair</A
1621 ></H1
1622 ><P
1623 >A keypair has a public key and a private key.
1624 A public key consists of
1625 the public portion of the master signing key,
1626 the public portions of the subordinate signing and encryption subkeys, and
1627 a set of user IDs used to associate the public key with a real person.
1628 Each piece has data about itself.
1629 For a key, this data includes its ID, when it was created, when it
1630 will expire, etc.
1631 For a user ID, this data includes the name of the real person it identifies,
1632 an optional comment, and an email address.
1633 The structure of the private key is similar, except that it contains only
1634 the private portions of the keys, and there is no user ID information.</P
1635 ><P
1636 >The command-line option
1637 <TT
1638 CLASS="OPTION"
1639 >--edit-key</TT
1640 >
1641 may be used to view a keypair.
1642 For example,
1643
1644 <PRE
1645 CLASS="SCREEN"
1646 ><TT
1647 CLASS="PROMPT"
1648 >chloe%</TT
1649 > <TT
1650 CLASS="USERINPUT"
1651 ><B
1652 >gpg --edit-key chloe@cyb.org</B
1653 ></TT
1654 >
1655 Secret key is available.
1656
1657 pub 1024D/26B6AAE1 created: 1999-06-15 expires: never trust: -/u
1658 sub 2048g/0CF8CB7A created: 1999-06-15 expires: never
1659 sub 1792G/08224617 created: 1999-06-15 expires: 2002-06-14
1660 sub 960D/B1F423E7 created: 1999-06-15 expires: 2002-06-14
1661 (1) Chloe (Jester) <chloe@cyb.org>
1662 (2) Chloe (Plebian) <chloe@tel.net>
1663 <TT
1664 CLASS="PROMPT"
1665 >Command></TT
1666 ></PRE
1667 >
1668
1669 The public key is displayed along with an indication of whether
1670 or not the private key is available.
1671 Information about each component of the public key is then listed.
1672 The first column indicates the type of the key.
1673 The keyword <TT
1674 CLASS="LITERAL"
1675 >pub</TT
1676 > identifies the public master signing key,
1677 and the keyword <TT
1678 CLASS="LITERAL"
1679 >sub</TT
1680 > identifies a public subordinate key.
1681 The second column indicates the key's bit length, type, and ID.
1682 The type is <TT
1683 CLASS="LITERAL"
1684 >D</TT
1685 > for a DSA key, <TT
1686 CLASS="LITERAL"
1687 >g</TT
1688 > for an
1689 encryption-only
1690 ElGamal key, and <TT
1691 CLASS="LITERAL"
1692 >G</TT
1693 > for an ElGamal key that may be used for
1694 both encryption and signing.
1695 The creation date and expiration date are given in columns three and four.
1696 The user IDs are listed following the keys.</P
1697 ><P
1698 >More information about the key can be obtained with interactive commands.
1699 The command <B
1700 CLASS="COMMAND"
1701 >toggle</B
1702 >
1703 switches between the public and private
1704 components of a keypair if indeed both components are available.
1705
1706 <PRE
1707 CLASS="SCREEN"
1708 ><TT
1709 CLASS="PROMPT"
1710 >Command></TT
1711 > <TT
1712 CLASS="USERINPUT"
1713 ><B
1714 >toggle</B
1715 ></TT
1716 >
1717
1718 sec 1024D/26B6AAE1 created: 1999-06-15 expires: never
1719 sbb 2048g/0CF8CB7A created: 1999-06-15 expires: never
1720 sbb 1792G/08224617 created: 1999-06-15 expires: 2002-06-14
1721 sbb 960D/B1F423E7 created: 1999-06-15 expires: 2002-06-14
1722 (1) Chloe (Jester) <chloe@cyb.org>
1723 (2) Chloe (Plebian) <chloe@tel.net></PRE
1724 >
1725
1726 The information provided is similar to the listing for the public-key
1727 component.
1728 The keyword <TT
1729 CLASS="LITERAL"
1730 >sec</TT
1731 > identifies the private master signing key,
1732 and the keyword <TT
1733 CLASS="LITERAL"
1734 >sbb</TT
1735 > identifies the private subordinates keys.
1736 The user IDs from the public key are also listed for convenience.</P
1737 ><DIV
1738 CLASS="SECT2"
1739 ><HR><H2
1740 CLASS="SECT2"
1741 ><A
1742 NAME="AEN267"
1743 >Key integrity</A
1744 ></H2
1745 ><P
1746 >When you distribute your public key, you are distributing the public
1747 components of your master and subordinate keys as well as the user IDs.
1748 Distributing this material alone, however, is a security risk since
1749 it is possible for an attacker to tamper with the key.
1750 The public key can be modified by adding or substituting keys, or by
1751 adding or changing user IDs.
1752 By tampering with a user ID, the attacker could change the user ID's email
1753 address to have email redirected to himself.
1754 By changing one of the encryption keys, the attacker would
1755 also be able to decrypt the messages redirected to him.</P
1756 ><P
1757 >Using digital signatures is a solution to this problem.
1758 When data is signed by a private key, the corresponding public key
1759 is bound to the signed data.
1760 In other words, only the corresponding public key can be used to
1761 verify the signature and ensure that the data has not been modified.
1762 A public key can be protected from tampering by using its corresponding
1763 private master key to sign the public key components and user IDs, thus
1764 binding the components to the public master key.
1765 Signing public key components with the corresponding private master
1766 signing key is called <I
1767 CLASS="FIRSTTERM"
1768 >self-signing</I
1769 >, and a public key that has
1770 self-signed user IDs bound to it is called a <I
1771 CLASS="FIRSTTERM"
1772 >certificate</I
1773 >.</P
1774 ><P
1775 >As an example, Chloe has two user IDs and three subkeys.
1776 The signatures on the user IDs can be checked with the command
1777 <B
1778 CLASS="COMMAND"
1779 >check</B
1780 > from the key edit menu.
1781
1782 <PRE
1783 CLASS="SCREEN"
1784 ><TT
1785 CLASS="PROMPT"
1786 >chloe%</TT
1787 > <TT
1788 CLASS="USERINPUT"
1789 ><B
1790 >gpg --edit-key chloe</B
1791 ></TT
1792 >
1793 Secret key is available.
1794
1795 pub 1024D/26B6AAE1 created: 1999-06-15 expires: never trust: -/u
1796 sub 2048g/0CF8CB7A created: 1999-06-15 expires: never
1797 sub 1792G/08224617 created: 1999-06-15 expires: 2002-06-14
1798 sub 960D/B1F423E7 created: 1999-06-15 expires: 2002-06-14
1799 (1) Chloe (Jester) <chloe@cyb.org>
1800 (2) Chloe (Plebian) <chloe@tel.net>
1801
1802 <TT
1803 CLASS="PROMPT"
1804 >Command></TT
1805 > <TT
1806 CLASS="USERINPUT"
1807 ><B
1808 >check</B
1809 ></TT
1810 >
1811 uid Chloe (Jester) <chloe@cyb.org>
1812 sig! 26B6AAE1 1999-06-15 [self-signature]
1813 uid Chloe (Plebian) <chloe@tel.net>
1814 sig! 26B6AAE1 1999-06-15 [self-signature]</PRE
1815 >
1816
1817 As expected, the signing key for each signature is the master signing
1818 key with key ID <TT
1819 CLASS="LITERAL"
1820 >0x26B6AAE1</TT
1821 >.
1822 The self-signatures on the subkeys are present in the public key, but
1823 they are not shown by the GnuPG interface.</P
1824 ></DIV
1825 ><DIV
1826 CLASS="SECT2"
1827 ><HR><H2
1828 CLASS="SECT2"
1829 ><A
1830 NAME="AEN282"
1831 >Adding and deleting key components</A
1832 ></H2
1833 ><P
1834 >Both new subkeys and new user IDs may be added to your keypair after
1835 it has been created.
1836 A user ID is added using the command
1837 <B
1838 CLASS="COMMAND"
1839 >adduid</B
1840 >.
1841 You are prompted for a real name, email address, and comment just
1842 as when you create an initial keypair.
1843 A subkey is added using the command
1844 <B
1845 CLASS="COMMAND"
1846 >addkey</B
1847 >.
1848 The interface is similar to the interface used when creating an initial
1849 keypair.
1850 The subkey may be a DSA signing key, and encrypt-only ElGamal
1851 key, or a sign-and-encrypt ElGamal key.
1852 When a subkey or user ID is generated it is self-signed using your
1853 master signing key, which is why you must supply your passphrase
1854 when the key is generated.</P
1855 ><P
1856 >Additional user IDs are useful when you need multiple identities.
1857 For example, you may have an identity for your job and an identity
1858 for your work as a political activist.
1859 Coworkers will know you by your work user ID.
1860 Coactivists will know you by your activist user ID.
1861 Since those groups of people may not overlap, though, each group
1862 may not trust the other user ID.
1863 Both user IDs are therefore necessary.</P
1864 ><P
1865 >Additional subkeys are also useful.
1866 The user IDs associated with your public master key are validated by
1867 the people with whom you
1868 communicate, and changing the master key therefore requires recertification.
1869 This may be difficult and time consuming if you communicate with
1870 many people.
1871 On the other hand, it is good to periodically change encryption subkeys.
1872 If a key is broken, all the data encrypted with that key will be
1873 vulnerable.
1874 By changing keys, however, only the data encrypted with the one broken
1875 key will be revealed.</P
1876 ><P
1877 >Subkeys and user IDs may also be deleted.
1878 To delete a subkey or user ID you must first select it using the
1879 <B
1880 CLASS="COMMAND"
1881 >key</B
1882 > or
1883 <B
1884 CLASS="COMMAND"
1885 >uid</B
1886 > commands respectively.
1887 These commands are toggles.
1888 For example, the command <B
1889 CLASS="COMMAND"
1890 >key <TT
1891 CLASS="PARAMETER"
1892 ><I
1893 >2</I
1894 ></TT
1895 ></B
1896 >
1897 selects the second subkey,
1898 and invoking <B
1899 CLASS="COMMAND"
1900 >key <TT
1901 CLASS="PARAMETER"
1902 ><I
1903 >2</I
1904 ></TT
1905 ></B
1906 > again
1907 deselects it.
1908 If no extra argument is given, all subkeys or user IDs are deselected.
1909 Once the user IDs to be deleted are selected, the command
1910 <B
1911 CLASS="COMMAND"
1912 >deluid</B
1913 >
1914 actually deletes the user IDs from your key.
1915 Similarly, the command <B
1916 CLASS="COMMAND"
1917 >delkey</B
1918 >
1919 deletes all selected subkeys from both your public and private keys.</P
1920 ><P
1921 >For local keyring management, deleting key components is a good way
1922 to trim other people's public keys of unnecessary material.
1923 Deleting user IDs and subkeys on your own key, however, is not always
1924 wise since it complicates key distribution.
1925 By default, when a user imports your updated public key it will be merged
1926 with the old copy of your public key on his ring if it exists.
1927 The components from both keys are combined in the merge, and this
1928 effectively restores any components you deleted.
1929 To properly update the key, the user must first delete the old version
1930 of your key and then import the new version.
1931 This puts an extra burden on the people with whom you communicate.
1932 Furthermore, if you send your key to a keyserver, the merge will
1933 happen regardless, and anybody who downloads your key from a keyserver
1934 will never see your key with components deleted.
1935 Consequently, for updating your own key it is better to revoke key
1936 components instead of deleting them.</P
1937 ></DIV
1938 ><DIV
1939 CLASS="SECT2"
1940 ><HR><H2
1941 CLASS="SECT2"
1942 ><A
1943 NAME="AEN305"
1944 >Revoking key components</A
1945 ></H2
1946 ><P
1947 >To revoke a subkey it must be selected.
1948 Once selected it may be revoked with the
1949 <B
1950 CLASS="COMMAND"
1951 >revkey</B
1952 > command.
1953 The key is revoked by adding a revocation self-signature to the key.
1954 Unlike the command-line option <TT
1955 CLASS="OPTION"
1956 >--gen-revoke</TT
1957 >, the effect of
1958 revoking a subkey is immediate.</P
1959 ><PRE
1960 CLASS="SCREEN"
1961 ><TT
1962 CLASS="PROMPT"
1963 >Command></TT
1964 > <TT
1965 CLASS="USERINPUT"
1966 ><B
1967 >revkey</B
1968 ></TT
1969 >
1970 Do you really want to revoke this key? y
1971
1972 You need a passphrase to unlock the secret key for
1973 user: "Chloe (Jester) <chloe@cyb.org>"
1974 1024-bit DSA key, ID B87DBA93, created 1999-06-28
1975
1976
1977 pub 1024D/B87DBA93 created: 1999-06-28 expires: never trust: -/u
1978 sub 2048g/B7934539 created: 1999-06-28 expires: never
1979 sub 1792G/4E3160AD created: 1999-06-29 expires: 2000-06-28
1980 rev! subkey has been revoked: 1999-06-29
1981 sub 960D/E1F56448 created: 1999-06-29 expires: 2000-06-28
1982 (1) Chloe (Jester) <chloe@cyb.org>
1983 (2) Chloe (Plebian) <chloe@tel.net></PRE
1984 ><P
1985 >A user ID is revoked differently.
1986 Normally, a user ID collects signatures that attest that the user ID
1987 describes the person who actually owns the associated key.
1988 In theory, a user ID describes a person forever, since that person will
1989 never change.
1990 In practice, though, elements of the user ID such as the email address
1991 and comment may change over time, thus invalidating the user ID.</P
1992 ><P
1993 >The OpenPGP
1994
1995 specification does not support user ID revocation, but
1996 a user ID can effectively be revoked by revoking the self-signature
1997 on the user ID.
1998 For the security reasons described
1999 <A
2000 HREF="#AEN267"
2001 >previously</A
2002 >,
2003 correspondents will not trust a user ID with no valid self-signature.</P
2004 ><P
2005 >A signature is revoked by using the command
2006 <B
2007 CLASS="COMMAND"
2008 >revsig</B
2009 >.
2010 Since you may have signed any number of user IDs, the user interface
2011 prompts you to decide for each signature whether or not to revoke it.</P
2012 ><PRE
2013 CLASS="SCREEN"
2014 ><TT
2015 CLASS="PROMPT"
2016 >Command></TT
2017 > <TT
2018 CLASS="USERINPUT"
2019 ><B
2020 >revsig</B
2021 ></TT
2022 >
2023 You have signed these user IDs:
2024 Chloe (Jester) <chloe@cyb.org>
2025 signed by B87DBA93 at 1999-06-28
2026 Chloe (Plebian) <chloe@tel.net>
2027 signed by B87DBA93 at 1999-06-28
2028 user ID: "Chloe (Jester) <chloe@cyb.org>"
2029 signed with your key B87DBA93 at 1999-06-28
2030 Create a revocation certificate for this signature? (y/N)n
2031 user ID: "Chloe (Plebian) <chloe@tel.net>"
2032 signed with your key B87DBA93 at 1999-06-28
2033 Create a revocation certificate for this signature? (y/N)y
2034 You are about to revoke these signatures:
2035 Chloe (Plebian) <chloe@tel.net>
2036 signed by B87DBA93 at 1999-06-28
2037 Really create the revocation certificates? (y/N)y
2038
2039 You need a passphrase to unlock the secret key for
2040 user: "Chloe (Jester) <chloe@cyb.org>"
2041 1024-bit DSA key, ID B87DBA93, created 1999-06-28
2042
2043
2044 pub 1024D/B87DBA93 created: 1999-06-28 expires: never trust: -/u
2045 sub 2048g/B7934539 created: 1999-06-28 expires: never
2046 sub 1792G/4E3160AD created: 1999-06-29 expires: 2000-06-28
2047 rev! subkey has been revoked: 1999-06-29
2048 sub 960D/E1F56448 created: 1999-06-29 expires: 2000-06-28
2049 (1) Chloe (Jester) <chloe@cyb.org>
2050 (2) Chloe (Plebian) <chloe@tel.net></PRE
2051 ><P
2052 >A revoked user ID is indicated by the revocation signature on
2053 the ID when the signatures on the key's user IDs are listed.</P
2054 ><PRE
2055 CLASS="SCREEN"
2056 ><TT
2057 CLASS="PROMPT"
2058 >Command></TT
2059 > <TT
2060 CLASS="USERINPUT"
2061 ><B
2062 >check</B
2063 ></TT
2064 >
2065 uid Chloe (Jester) <chloe@cyb.org>
2066 sig! B87DBA93 1999-06-28 [self-signature]
2067 uid Chloe (Plebian) <chloe@tel.net>
2068 rev! B87DBA93 1999-06-29 [revocation]
2069 sig! B87DBA93 1999-06-28 [self-signature]</PRE
2070 ><P
2071 >Revoking both subkeys and self-signatures on user IDs adds revocation
2072 self-signatures to the key.
2073 Since signatures are being added and no material is deleted, a
2074 revocation will always be visible to others when your updated public
2075 key is distributed and merged with older copies of it.
2076 Revocation therefore guarantees that everybody has a consistent
2077 copy of your public key.</P
2078 ></DIV
2079 ><DIV
2080 CLASS="SECT2"
2081 ><HR><H2
2082 CLASS="SECT2"
2083 ><A
2084 NAME="AEN329"
2085 >Updating a key's expiration time</A
2086 ></H2
2087 ><P
2088 >The expiration time of a key may be updated with the command
2089 <B
2090 CLASS="COMMAND"
2091 >expire</B
2092 > from the key edit menu.
2093 If no key is selected the expiration time of the primary key
2094 is updated.
2095 Otherwise the expiration time of the selected subordinate key
2096 is updated.</P
2097 ><P
2098 >A key's expiration time is associated with the key's self-signature.
2099 The expiration time is updated by deleting the old self-signature
2100 and adding a new self-signature.
2101 Since correspondents will not have deleted the old self-signature, they
2102 will see an additional self-signature on the key when they update
2103 their copy of your key.
2104 The latest self-signature takes precedence, however, so all correspondents
2105 will unambiguously know the expiration times of your keys.</P
2106 ></DIV
2107 ></DIV
2108 ><DIV
2109 CLASS="SECT1"
2110 ><HR><H1
2111 CLASS="SECT1"
2112 ><A
2113 NAME="AEN335"
2114 >Validating other keys on your public keyring</A
2115 ></H1
2116 ><P
2117 >In Chapter <A
2118 HREF="#INTRO"
2119 >1</A
2120 > a procedure was given to validate your
2121 correspondents' public keys: a correspondent's key is validated by
2122 personally checking his key's fingerprint and then signing his public
2123 key with your private key.
2124 By personally checking the fingerprint you can be sure that the
2125 key really does belong to him, and since you have signed they key, you
2126 can be sure to detect any tampering with it in the future.
2127 Unfortunately, this procedure is awkward when either you must validate
2128 a large number of keys or communicate with people whom you do not
2129 know personally.</P
2130 ><P
2131 >GnuPG addresses this problem with a mechanism popularly known
2132 as the <I
2133 CLASS="FIRSTTERM"
2134 >web of trust</I
2135 >.
2136 In the web of trust model, responsibility for validating public
2137 keys is delegated to people you trust.
2138 For example, suppose
2139 <P
2140 ></P
2141 ><UL
2142 COMPACT="COMPACT"
2143 ><LI
2144 ><P
2145 >Alice has signed Blake's key, and</P
2146 ></LI
2147 ><LI
2148 ><P
2149 >Blake has signed Chloe's key and Dharma's key.</P
2150 ></LI
2151 ></UL
2152 >
2153
2154 If Alice trusts Blake to properly validate keys that he signs, then
2155 Alice can infer that Chloe's and Dharma's keys are valid without
2156 having to personally check them.
2157 She simply uses her validated copy of Blake's public key to
2158 check that Blake's signatures on Chloe's and Dharma's are good.
2159 In general, assuming that Alice fully trusts everybody to properly
2160 validate keys they sign, then any key signed by a valid key is also
2161 considered valid.
2162 The root is Alice's key, which is axiomatically assumed to be valid.</P
2163 ><DIV
2164 CLASS="SECT2"
2165 ><HR><H2
2166 CLASS="SECT2"
2167 ><A
2168 NAME="AEN346"
2169 >Trust in a key's owner</A
2170 ></H2
2171 ><P
2172 >In practice trust is subjective.
2173 For example, Blake's key is valid to Alice since she signed it, but she
2174 may not trust Blake to properly validate keys that he signs.
2175 In that case, she would not take Chloe's and Dharma's key as valid
2176 based on Blake's signatures alone.
2177 The web of trust model accounts for this by associating with each
2178 public key on your keyring an indication of how much you trust the
2179 key's owner.
2180 There are four trust levels.
2181
2182 <P
2183 ></P
2184 ><DIV
2185 CLASS="VARIABLELIST"
2186 ><DL
2187 ><DT
2188 >unknown</DT
2189 ><DD
2190 ><P
2191 >Nothing is known about the owner's judgment in key signing.
2192 Keys on your public keyring that you do not own initially have
2193 this trust level.</P
2194 ></DD
2195 ><DT
2196 >none</DT
2197 ><DD
2198 ><P
2199 >The owner is known to improperly sign other keys.</P
2200 ></DD
2201 ><DT
2202 >marginal</DT
2203 ><DD
2204 ><P
2205 >The owner understands the implications of key signing and
2206 properly validates keys before signing them.</P
2207 ></DD
2208 ><DT
2209 >full</DT
2210 ><DD
2211 ><P
2212 >The owner has an excellent understanding of key signing,
2213 and his signature on a key would be as good as your own.</P
2214 ></DD
2215 ></DL
2216 ></DIV
2217 >
2218
2219 A key's trust level is something that you alone assign to the
2220 key, and it is considered private information.
2221 It is not packaged with the key when it is exported; it is even
2222 stored separately from your keyrings in a separate database.</P
2223 ><P
2224 >The GnuPG key editor may be used to adjust your trust in a key's owner.
2225 The command is <B
2226 CLASS="COMMAND"
2227 >trust</B
2228 >.
2229 In this example Alice edits her trust in Blake and then updates
2230 the trust database to recompute which keys are valid based on her new
2231 trust in Blake.
2232
2233 <PRE
2234 CLASS="SCREEN"
2235 ><TT
2236 CLASS="PROMPT"
2237 >alice%</TT
2238 > <TT
2239 CLASS="USERINPUT"
2240 ><B
2241 >gpg --edit-key blake</B
2242 ></TT
2243 >
2244
2245 pub 1024D/8B927C8A created: 1999-07-02 expires: never trust: q/f
2246 sub 1024g/C19EA233 created: 1999-07-02 expires: never
2247 (1) Blake (Executioner) <blake@cyb.org>
2248
2249 <TT
2250 CLASS="PROMPT"
2251 >Command></TT
2252 > <TT
2253 CLASS="USERINPUT"
2254 ><B
2255 >trust</B
2256 ></TT
2257 >
2258 pub 1024D/8B927C8A created: 1999-07-02 expires: never trust: q/f
2259 sub 1024g/C19EA233 created: 1999-07-02 expires: never
2260 (1) Blake (Executioner) <blake@cyb.org>
2261
2262 Please decide how far you trust this user to correctly
2263 verify other users' keys (by looking at passports,
2264 checking fingerprints from different sources...)?
2265
2266 1 = Don't know
2267 2 = I do NOT trust
2268 3 = I trust marginally
2269 4 = I trust fully
2270 s = please show me more information
2271 m = back to the main menu
2272
2273 <TT
2274 CLASS="PROMPT"
2275 >Your decision?</TT
2276 > <TT
2277 CLASS="USERINPUT"
2278 ><B
2279 >3</B
2280 ></TT
2281 >
2282
2283 pub 1024D/8B927C8A created: 1999-07-02 expires: never trust: m/f
2284 sub 1024g/C19EA233 created: 1999-07-02 expires: never
2285 (1) Blake (Executioner) <blake@cyb.org>
2286
2287 <TT
2288 CLASS="PROMPT"
2289 >Command></TT
2290 > <TT
2291 CLASS="USERINPUT"
2292 ><B
2293 >quit</B
2294 ></TT
2295 >
2296 [...]</PRE
2297 >
2298
2299 Trust in the key's owner and the key's validity are indicated to the
2300 right when the key is displayed.
2301 Trust in the owner is displayed first and the key's validity is
2302 second<A
2303 NAME="AEN378"
2304 HREF="#FTN.AEN378"
2305 >[4]</A
2306 >.
2307 The four trust/validity levels are abbreviated: unknown (<TT
2308 CLASS="LITERAL"
2309 >q</TT
2310 >),
2311 none (<TT
2312 CLASS="LITERAL"
2313 >n</TT
2314 >), marginal (<TT
2315 CLASS="LITERAL"
2316 >m</TT
2317 >), and
2318 full (<TT
2319 CLASS="LITERAL"
2320 >f</TT
2321 >).
2322 In this case, Blake's key is fully valid since Alice signed it herself.
2323 She initially has an unknown trust in Blake to properly sign other keys
2324 but decides to trust him marginally.</P
2325 ></DIV
2326 ><DIV
2327 CLASS="SECT2"
2328 ><HR><H2
2329 CLASS="SECT2"
2330 ><A
2331 NAME="AEN385"
2332 >Using trust to validate keys</A
2333 ></H2
2334 ><P
2335 >The web of trust allows a more elaborate algorithm to be used to
2336 validate a key.
2337 Formerly, a key was considered valid only if you signed it personally.
2338 A more flexible algorithm can now be used: a key <I
2339 CLASS="EMPHASIS"
2340 >K</I
2341 > is considered valid
2342 if it meets two conditions:
2343 <P
2344 ></P
2345 ><OL
2346 COMPACT="COMPACT"
2347 TYPE="1"
2348 ><LI
2349 ><P
2350 >it is signed by enough valid keys, meaning
2351 <P
2352 ></P
2353 ><UL
2354 COMPACT="COMPACT"
2355 ><LI
2356 ><P
2357 >you have signed it personally,</P
2358 ></LI
2359 ><LI
2360 ><P
2361 >it has been signed by one fully trusted key, or</P
2362 ></LI
2363 ><LI
2364 ><P
2365 >it has been signed by three marginally trusted keys; and</P
2366 ></LI
2367 ></UL
2368 ></P
2369 ></LI
2370 ><LI
2371 ><P
2372 >the path of signed keys leading from <I
2373 CLASS="EMPHASIS"
2374 >K</I
2375 > back
2376 to your own key is five steps or shorter.</P
2377 ></LI
2378 ></OL
2379 >
2380
2381 The path length, number of marginally trusted keys required, and number
2382 of fully trusted keys required may be adjusted.
2383 The numbers given above are the default values used by GnuPG.</P
2384 ><P
2385 ><A
2386 HREF="#WOT-EXAMPLES"
2387 >Figure 3-1</A
2388 > shows a web of trust rooted at Alice.
2389 The graph illustrates who has signed who's keys.
2390 The table shows which keys Alice considers valid based on her
2391 trust in the other members of the web.
2392
2393 This example assumes that two marginally-trusted keys or one
2394 fully-trusted key is needed to validate another key.
2395 The maximum path length is three.</P
2396 ><P
2397 >When computing valid keys in the example, Blake and Dharma's are
2398 always considered fully valid since they were signed directly
2399 by Alice.
2400 The validity of the other keys depends on trust.
2401 In the first case, Dharma is trusted fully, which implies
2402 that Chloe's and Francis's keys will be considered valid.
2403 In the second example, Blake and Dharma are trusted marginally.
2404 Since two marginally trusted keys are needed to fully validate a
2405 key, Chloe's key will be considered fully valid, but Francis's
2406 key will be considered only marginally valid.
2407 In the case where Chloe and Dharma are marginally trusted,
2408 Chloe's key will be marginally valid since Dharma's key is
2409 fully valid.
2410 Francis's key, however, will also be considered marginally
2411 valid since only a fully valid key can be used to validate
2412 other keys, and Dharma's key is the only fully valid key
2413 that has been used to sign Francis's key.
2414 When marginal trust in Blake is added, Chloe's key becomes
2415 fully valid and can then be used to fully validate Francis's
2416 key and marginally validate Elena's key.
2417 Lastly, when Blake, Chloe, and Elena are fully trusted, this is
2418 still insufficient to validate Geoff's key since the maximum
2419 certification path is three, but the path length from Geoff
2420 back to Alice is four.</P
2421 ><P
2422 >The web of trust model is a flexible approach to the problem of safe
2423 public key exchange.
2424 It permits you to tune GnuPG to reflect how you use it.
2425 At one extreme you may insist on multiple, short paths from your
2426 key to another key <I
2427 CLASS="EMPHASIS"
2428 >K</I
2429 > in order to trust it.
2430 On the other hand, you may be satisfied with longer paths and
2431 perhaps as little as one path from your key to the other
2432 key <I
2433 CLASS="EMPHASIS"
2434 >K</I
2435 >.
2436 Requiring multiple, short paths is a strong guarantee
2437 that <I
2438 CLASS="EMPHASIS"
2439 >K</I
2440 > belongs to whom your think it does.
2441 The price, of course, is that it is more difficult to validate keys
2442 since you must personally sign more keys than if you accepted fewer
2443 and longer paths.</P
2444 ><DIV
2445 CLASS="FIGURE"
2446 ><A
2447 NAME="WOT-EXAMPLES"
2448 ></A
2449 ><P
2450 ><B
2451 >Figure 3-1. A hypothetical web of trust</B
2452 ></P
2453 ><DIV
2454 CLASS="MEDIAOBJECT"
2455 ><P
2456 ><IMG
2457 SRC="signatures.jpg"
2458 ALT="A graph indicating who has signed who's key"
2459 ></IMG
2460 ></P
2461 ></DIV
2462 ><DIV
2463 CLASS="INFORMALTABLE"
2464 ><P
2465 ></P
2466 ><TABLE
2467 BORDER="1"
2468 CLASS="CALSTABLE"
2469 ><THEAD
2470 ><TR
2471 ><TH
2472 COLSPAN="2"
2473 ALIGN="CENTER"
2474 VALIGN="TOP"
2475 >trust</TH
2476 ><TH
2477 COLSPAN="2"
2478 ALIGN="CENTER"
2479 VALIGN="TOP"
2480 >validity</TH
2481 ></TR
2482 ><TR
2483 ><TH
2484 WIDTH="25%"
2485 ALIGN="CENTER"
2486 VALIGN="TOP"
2487 >marginal</TH
2488 ><TH
2489 WIDTH="25%"
2490 ALIGN="CENTER"
2491 VALIGN="TOP"
2492 >full</TH
2493 ><TH
2494 WIDTH="25%"
2495 ALIGN="CENTER"
2496 VALIGN="TOP"
2497 >marginal</TH
2498 ><TH
2499 WIDTH="25%"
2500 ALIGN="CENTER"
2501 VALIGN="TOP"
2502 >full</TH
2503 ></TR
2504 ></THEAD
2505 ><TBODY
2506 ><TR
2507 ><TD
2508 WIDTH="25%"
2509 ALIGN="LEFT"
2510 VALIGN="TOP"
2511 > </TD
2512 ><TD
2513 WIDTH="25%"
2514 ALIGN="LEFT"
2515 VALIGN="TOP"
2516 >Dharma</TD
2517 ><TD
2518 WIDTH="25%"
2519 ALIGN="LEFT"
2520 VALIGN="TOP"
2521 > </TD
2522 ><TD
2523 WIDTH="25%"
2524 ALIGN="LEFT"
2525 VALIGN="TOP"
2526 >Blake, Chloe, Dharma, Francis</TD
2527 ></TR
2528 ><TR
2529 ><TD
2530 WIDTH="25%"
2531 ALIGN="LEFT"
2532 VALIGN="TOP"
2533 >Blake, Dharma</TD
2534 ><TD
2535 WIDTH="25%"
2536 ALIGN="LEFT"
2537 VALIGN="TOP"
2538 > </TD
2539 ><TD
2540 WIDTH="25%"
2541 ALIGN="LEFT"
2542 VALIGN="TOP"
2543 >Francis</TD
2544 ><TD
2545 WIDTH="25%"
2546 ALIGN="LEFT"
2547 VALIGN="TOP"
2548 >Blake, Chloe, Dharma</TD
2549 ></TR
2550 ><TR
2551 ><TD
2552 WIDTH="25%"
2553 ALIGN="LEFT"
2554 VALIGN="TOP"
2555 >Chloe, Dharma</TD
2556 ><TD
2557 WIDTH="25%"
2558 ALIGN="LEFT"
2559 VALIGN="TOP"
2560 > </TD
2561 ><TD
2562 WIDTH="25%"
2563 ALIGN="LEFT"
2564 VALIGN="TOP"
2565 >Chloe, Francis</TD
2566 ><TD
2567 WIDTH="25%"
2568 ALIGN="LEFT"
2569 VALIGN="TOP"
2570 >Blake, Dharma</TD
2571 ></TR
2572 ><TR
2573 ><TD
2574 WIDTH="25%"
2575 ALIGN="LEFT"
2576 VALIGN="TOP"
2577 >Blake, Chloe, Dharma</TD
2578 ><TD
2579 WIDTH="25%"
2580 ALIGN="LEFT"
2581 VALIGN="TOP"
2582 > </TD
2583 ><TD
2584 WIDTH="25%"
2585 ALIGN="LEFT"
2586 VALIGN="TOP"
2587 >Elena</TD
2588 ><TD
2589 WIDTH="25%"
2590 ALIGN="LEFT"
2591 VALIGN="TOP"
2592 >Blake, Chloe, Dharma, Francis</TD
2593 ></TR
2594 ><TR
2595 ><TD
2596 WIDTH="25%"
2597 ALIGN="LEFT"
2598 VALIGN="TOP"
2599 > </TD
2600 ><TD
2601 WIDTH="25%"
2602 ALIGN="LEFT"
2603 VALIGN="TOP"
2604 >Blake, Chloe, Elena</TD
2605 ><TD
2606 WIDTH="25%"
2607 ALIGN="LEFT"
2608 VALIGN="TOP"
2609 > </TD
2610 ><TD
2611 WIDTH="25%"
2612 ALIGN="LEFT"
2613 VALIGN="TOP"
2614 >Blake, Chloe, Elena, Francis</TD
2615 ></TR
2616 ></TBODY
2617 ></TABLE
2618 ><P
2619 ></P
2620 ></DIV
2621 ></DIV
2622 ></DIV
2623 ></DIV
2624 ><DIV
2625 CLASS="SECT1"
2626 ><HR><H1
2627 CLASS="SECT1"
2628 ><A
2629 NAME="AEN464"
2630 >Distributing keys</A
2631 ></H1
2632 ><P
2633 >Ideally, you distribute your key by personally giving it to your
2634 correspondents.
2635 In practice, however, keys are often distributed by email or some
2636 other electronic communication medium.
2637 Distribution by email is good practice when you have only a few
2638 correspondents, and even if you have many correspondents, you can use
2639 an alternative means such as posting your public key on your World Wide
2640 Web homepage.
2641 This is unacceptable, however, if people who need your public key do
2642 not know where to find it on the Web.</P
2643 ><P
2644 >To solve this problem public key servers are used to collect
2645 and distribute public keys.
2646 A public key received by the server is either added to the server's
2647 database or merged with the existing key if already present.
2648 When a key request comes to the server, the server consults its
2649 database and returns the requested public key if found.</P
2650 ><P
2651 >A keyserver is also valuable when many people are frequently signing other
2652 people's keys.
2653 Without a keyserver, when Blake sign's Alice's key then Blake would send
2654 Alice a copy of her public key signed by him so that Alice could
2655 add the updated key to her ring as well as distribute it to all of her
2656 correspondents.
2657 Going through this effort fulfills Alice's and Blake's responsibility
2658 to the community at large in building tight webs of trust and thus
2659 improving the security of PGP.
2660 It is nevertheless a nuisance if key signing is frequent.</P
2661 ><P
2662 >Using a keyserver makes the process somewhat easier.
2663 When Blake signs Alice's key he sends the signed key to the key server.
2664 The key server adds Blake's signature to its copy of Alice's key.
2665 Individuals interested in updating their copy of Alice's key then consult
2666 the keyserver on their own initiative to retrieve the updated key.
2667 Alice need never be involved with distribution and can retrieve signatures
2668 on her key simply by querying a keyserver. </P
2669 ><P
2670 >One or more keys may be sent to a keyserver using the command-line
2671 option <TT
2672 CLASS="OPTION"
2673 >--send-keys</TT
2674 >.
2675 The option takes one or more key specifiers and sends the specified
2676 keys to the key server.
2677 The key server to which to send the keys is specified with the
2678 command-line option <TT
2679 CLASS="OPTION"
2680 >--keyserver</TT
2681 >.
2682 Similarly, the option
2683 <TT
2684 CLASS="OPTION"
2685 >--recv-keys</TT
2686 > is used
2687 to retrieve keys from a keyserver, but the option <TT
2688 CLASS="OPTION"
2689 >--recv-keys</TT
2690 >
2691 requires a key ID be used to specify the key.
2692 In the following example Alice updates her public key with new signatures
2693 from the keyserver <TT
2694 CLASS="PARAMETER"
2695 ><I
2696 >certserver.pgp.com</I
2697 ></TT
2698 > and then
2699 sends her copy of Blake's public key to the same keyserver to contribute
2700 any new signatures she may have added.
2701
2702 <PRE
2703 CLASS="SCREEN"
2704 ><TT
2705 CLASS="PROMPT"
2706 >alice%</TT
2707 > <TT
2708 CLASS="USERINPUT"
2709 ><B
2710 >gpg --keyserver certserver.pgp.com --recv-key 0xBB7576AC</B
2711 ></TT
2712 >
2713 gpg: requesting key BB7576AC from certserver.pgp.com ...
2714 gpg: key BB7576AC: 1 new signature
2715
2716 gpg: Total number processed: 1
2717 gpg: new signatures: 1
2718 <TT
2719 CLASS="PROMPT"
2720 >alice%</TT
2721 > <TT
2722 CLASS="USERINPUT"
2723 ><B
2724 >gpg --keyserver certserver.pgp.com --send-key blake@cyb.org</B
2725 ></TT
2726 >
2727 gpg: success sending to 'certserver.pgp.com' (status=200)</PRE
2728 >
2729
2730 There are several popular keyservers in use around the world.
2731 The major keyservers synchronize themselves, so it is fine to
2732 pick a keyserver close to you on the Internet and then use it
2733 regularly for sending and receiving keys.</P
2734 ></DIV
2735 ></DIV
2736 ><DIV
2737 CLASS="CHAPTER"
2738 ><HR><H1
2739 ><A
2740 NAME="WISE"
2741 >Chapter 4. Daily use of GnuPG</A
2742 ></H1
2743 ><P
2744 >GnuPG is a complex tool with technical, social, and legal issues
2745 surrounding it.
2746 Technically, it has been designed to be used in situations having
2747 drastically different security needs.
2748 This complicates key management.
2749 Socially, using GnuPG is not strictly a personal decision.
2750 To use GnuPG effectively both parties communicating must use it.
2751 Finally, as of 1999, laws regarding digital encryption, and in particular
2752 whether or not using GnuPG is legal, vary from country to country and
2753 is currently being debated by many national governments.</P
2754 ><P
2755 >This chapter addresses these issues.
2756 It gives practical advice on how to use GnuPG to meet your security needs.
2757 It also suggests ways to promote the use of GnuPG for secure
2758 communication between yourself and your colleagues when your colleagues
2759 are not currently using GnuPG.
2760 Finally, the legal status of GnuPG is outlined given the current status
2761 of encryption laws in the world.</P
2762 ><DIV
2763 CLASS="SECT1"
2764 ><HR><H1
2765 CLASS="SECT1"
2766 ><A
2767 NAME="AEN494"
2768 >Defining your security needs</A
2769 ></H1
2770 ><P
2771 >GnuPG is a tool you use to protect your privacy.
2772 Your privacy is protected if you can correspond with others without
2773 eavesdroppers reading those messages.</P
2774 ><P
2775 >How you should use GnuPG depends on the determination and resourcefulness
2776 of those who might want to read your encrypted messages.
2777 An eavesdropper may be an unscrupulous system administrator casually
2778 scanning your mail, it might be an industrial spy trying to collect
2779 your company's secrets, or it might be a law enforcement agency trying
2780 to prosecute you.
2781 Using GnuPG to protect against casual eavesdropping is going to be
2782 different than using GnuPG to protect against a determined adversary.
2783 Your goal, ultimately, is to make it more expensive to recover the
2784 unencrypted data than that data is worth.</P
2785 ><P
2786 >Customizing your use of GnuPG revolves around four issues:
2787 <P
2788 ></P
2789 ><UL
2790 COMPACT="COMPACT"
2791 ><LI
2792 ><P
2793 >choosing the key size of your public/private keypair,</P
2794 ></LI
2795 ><LI
2796 ><P
2797 >protecting your private key, </P
2798 ></LI
2799 ><LI
2800 ><P
2801 >selecting expiration dates and using subkeys, and</P
2802 ></LI
2803 ><LI
2804 ><P
2805 >managing your web of trust.</P
2806 ></LI
2807 ></UL
2808 >
2809
2810 A well-chosen key size protects you against brute-force attacks on
2811 encrypted messages.
2812 Protecting your private key prevents an attacker from simply using your
2813 private key to decrypt encrypted messages and sign messages in your name.
2814 Correctly managing your web of trust prevents attackers from masquerading
2815 as people with whom you communicate.
2816 Ultimately, addressing these issues with respect to your own security
2817 needs is how you balance the extra work required to use GnuPG with
2818 the privacy it gives you.</P
2819 ><DIV
2820 CLASS="SECT2"
2821 ><HR><H2
2822 CLASS="SECT2"
2823 ><A
2824 NAME="AEN508"
2825 >Choosing a key size</A
2826 ></H2
2827 ><P
2828 >Selecting a key size depends on the key.
2829 In OpenPGP, a public/private keypair usually has multiple keys.
2830 At the least it has a master signing key, and it probably has one or
2831 more additional subkeys for encryption.
2832 Using default key generation parameters with GnuPG, the master
2833 key will be a DSA key, and the subkeys will be ElGamal keys.</P
2834 ><P
2835 >DSA allows a key size up to 1024 bits.
2836 This is not especially good given today's factoring technology, but
2837 that is what the standard specifies.
2838 Without question, you should use 1024 bit DSA keys.</P
2839 ><P
2840 >ElGamal keys, on the other hand, may be of any size.
2841 Since GnuPG is a hybrid public-key system, the public key is used
2842 to encrypt a 128-bit session key, and the private key is used to
2843 decrypt it.
2844 Key size nevertheless affects encryption and decryption speed
2845 since the cost of these algorithms is exponential in the size of
2846 the key.
2847 Larger keys also take more time to generate and take more space
2848 to store.
2849 Ultimately, there are diminishing returns on the extra security
2850 a large key provides you.
2851 After all, if the key is large enough to resist a brute-force
2852 attack, an eavesdropper will merely switch to some other method for
2853 obtaining your plaintext data.
2854 Examples of other methods include robbing your home or office
2855 and mugging you.
2856 1024 bits is thus the recommended key size.
2857 If you genuinely need a larger key size then you probably already
2858 know this and should be consulting an expert in data security.</P
2859 ></DIV
2860 ><DIV
2861 CLASS="SECT2"
2862 ><HR><H2
2863 CLASS="SECT2"
2864 ><A
2865 NAME="AEN513"
2866 >Protecting your private key</A
2867 ></H2
2868 ><P
2869 >Protecting your private key is the most important job you have to
2870 use GnuPG correctly.
2871 If someone obtains your private key, then all data encrypted to
2872 the private key can be decrypted and signatures can be made in your name.
2873 If you lose your private key, then you will no longer be able to
2874 decrypt documents encrypted to you in the future or in the past,
2875 and you will not be able to make signatures.
2876 Losing sole possession of your private key is catastrophic.</P
2877 ><P
2878 >Regardless of how you use GnuPG you should store the public
2879 key's <A
2880 HREF="#REVOCATION"
2881 >revocation certificate</A
2882 >
2883 and a backup of your private key on write-protected media in a safe place.
2884 For example, you could burn them on a CD-ROM and store them in your
2885 safe deposit box at the bank in a sealed envelope.
2886 Alternatively, you could store them on a floppy and hide it in your
2887 house.
2888 Whatever you do, they should be put on media that is safe to store
2889 for as long as you expect to keep the key, and you should store
2890 them more carefully than the copy of your private key you use daily.</P
2891 ><P
2892 >To help safeguard your key, GnuPG does not store your raw
2893 private key on disk.
2894 Instead it encrypts it using a symmetric encryption algorithm.
2895 That is why you need a passphrase to access the key.
2896 Thus there are two barriers an attacker must cross to access your private
2897 key: (1) he must actually acquire the key, and (2) he must get past
2898 the encryption.</P
2899 ><P
2900 >Safely storing your private key is important, but there is a cost.
2901 Ideally, you would keep the private key on a removable, write-protected disk
2902 such as a floppy disk, and you would use it on a single-user machine
2903 not connected to a network.
2904 This may be inconvenient or impossible for you to do.
2905 For example, you may not own your own machine and must use a computer
2906 at work or school, or it may mean you have to physically disconnect
2907 your computer from your cable modem every time you want to use GnuPG.</P
2908 ><P
2909 >This does not mean you cannot or should not use GnuPG.
2910 It means only that you have decided that the data you are protecting is
2911 important enough to encrypt but not so important as to take extra
2912 steps to make the first barrier stronger.
2913 It is your choice.</P
2914 ><P
2915 >A good passphrase is absolutely critical when using GnuPG.
2916 Any attacker who gains access to your private key must bypass the
2917 encryption on the private key.
2918 Instead of brute-force guessing the key, an attacker will almost
2919 certainly instead try to guess the passphrase.</P
2920 ><P
2921 >The motivation for trying passphrases is that most people choose
2922 a passphrase that is easier to guess than a random 128-bit key.
2923 If the passphrase is a word, it is much cheaper to try all the
2924 words in the dictionaries of the world's languages.
2925 Even if the word is permuted, e.g., k3wldood, it is still easier
2926 to try dictionary words with a catalog of permutations.
2927 The same problem applies to quotations.
2928 In general, passphrases based on natural-language utterances
2929 are poor passphrases since there is little randomness and lots
2930 of redundancy in natural language.
2931 You should avoid natural language passphrases if you can.</P
2932 ><P
2933 >A good passphrase is one that you can remember but is hard for
2934 someone to guess.
2935 It should include characters from the whole range of printable characters
2936 on your keyboard.
2937 This includes uppercase alphabetics characters, numbers, and special
2938 characters such as <TT
2939 CLASS="LITERAL"
2940 >}</TT
2941 > and <TT
2942 CLASS="LITERAL"
2943 >|</TT
2944 >.
2945 Be creative and spend a little time considering your passphrase; a
2946 good choice is important to ensure your privacy.</P
2947 ></DIV
2948 ><DIV
2949 CLASS="SECT2"
2950 ><HR><H2
2951 CLASS="SECT2"
2952 ><A
2953 NAME="AEN526"
2954 >Selecting expiration dates and using subkeys</A
2955 ></H2
2956 ><P
2957 >By default, a DSA master signing key and an ElGamal encryption subkey
2958 are generated when you create a new keypair.
2959 This is convenient, because the roles of the two keys are different,
2960 and you may therefore want the keys to have different lifetimes.
2961 The master signing key is used to make digital signatures, and it
2962 also collects the signatures of others who have confirmed your
2963 identity.
2964 The encryption key is used only for decrypting encrypted documents
2965 sent to you.
2966 Typically, a digital signature has a long lifetime, e.g., forever, and
2967 you also do not want to lose the signatures on your key that you worked
2968 hard to collect.
2969 On the other hand, the encryption subkey may be changed periodically
2970 for extra security, since if an encryption key is broken, the
2971 attacker can read all documents encrypted to that key both in the
2972 future and from the past.</P
2973 ><P
2974 >It is almost always the case that you will not want the master
2975 key to expire.
2976 There are two reasons why you may choose an expiration date.
2977 First, you may intend for the key to have a limited lifetime.
2978 For example, it is being used for an event such as a political campaign
2979 and will no longer be useful after the campaign is over.
2980 Another reason is that if you lose control of the key and do not have a
2981 revocation certificate with which to revoke the key, having an expiration
2982 date on the master key ensures that the key will eventually fall into
2983 disuse.</P
2984 ><P
2985 >Changing encryption subkeys is straightforward but can
2986 be inconvenient.
2987 If you generate a new keypair with an expiration date on the
2988 subkey, that subkey will eventually expire.
2989 Shortly before the expiration you will add a new subkey and
2990 publish your updated public key.
2991 Once the subkey expires, those who wish to correspond with you
2992 must find your updated key since they will no longer be able
2993 to encrypt to the expired key.
2994 This may be inconvenient depending on how you distribute the key.
2995 Fortunately, however, no extra signatures are necessary since
2996 the new subkey will have been signed with your master signing
2997 key, which presumably has already been validated by your
2998 correspondents.</P
2999 ><P
3000 >The inconvenience may or may not be worth the extra security.
3001 Just as you can, an attacker can still read all documents encrypted to
3002 an expired subkey.
3003 Changing subkeys only protects future documents.
3004 In order to read documents encrypted to the new subkey, the
3005 attacker would need to mount a new attack using whatever
3006 techniques he used against you the first time.</P
3007 ><P
3008 >Finally, it only makes sense to have one valid encryption subkey on a
3009 keyring.
3010 There is no additional security gained by having two or more
3011 active subkeys.
3012 There may of course be any number of expired keys on a keyring
3013 so that documents encrypted in the past may still be decrypted,
3014 but only one subkey needs to be active at any given time.</P
3015 ></DIV
3016 ><DIV
3017 CLASS="SECT2"
3018 ><HR><H2
3019 CLASS="SECT2"
3020 ><A
3021 NAME="AEN533"
3022 >Managing your web of trust</A
3023 ></H2
3024 ><P
3025 >As with protecting your private key, managing your web of trust is
3026 another aspect of using GnuPG that requires balancing security against
3027 ease of use.
3028 If you are using GnuPG to protect against casual eavesdropping and
3029 forgeries then you can afford to be relatively trusting of other
3030 people's signatures.
3031 On the other hand, if you are concerned that there may be a determined
3032 attacker interested in invading your privacy, then
3033 you should be much less trusting of other signatures and spend more time
3034 personally verifying signatures.</P
3035 ><P
3036 >Regardless of your own security needs, though, you should
3037 <I
3038 CLASS="EMPHASIS"
3039 >always be careful</I
3040 > when signing other keys.
3041 It is selfish to sign a key with just enough confidence in the key's
3042 validity to satisfy your own security needs.
3043 Others, with more stringent security needs, may want to depend on
3044 your signature.
3045 If they cannot depend on you then that weakens the web of trust
3046 and makes it more difficult for all GnuPG users to communicate.
3047 Use the same care in signing keys that you would like others to use when
3048 you depend on their signatures.</P
3049 ><P
3050 >In practice, managing your web of trust reduces to assigning trust to
3051 others and tuning the options
3052 <TT
3053 CLASS="OPTION"
3054 >--marginals-needed</TT
3055 >
3056 and
3057 <TT
3058 CLASS="OPTION"
3059 >--completes-needed</TT
3060 >.
3061 Any key you personally sign will be considered valid, but except for small
3062 groups, it will not be practical to personally sign the key of every person
3063 with whom you communicate.
3064 You will therefore have to assign trust to others.</P
3065 ><P
3066 >It is probably wise to be accurate when assigning trust and then
3067 use the options to tune how careful GnuPG is with key validation.
3068 As a concrete example, you may fully trust a few close friends that
3069 you know are careful with key signing and then marginally
3070 trust all others on your keyring.
3071 From there, you may set <TT
3072 CLASS="OPTION"
3073 >--completes-needed</TT
3074 > to
3075 <TT
3076 CLASS="LITERAL"
3077 >1</TT
3078 > and <TT
3079 CLASS="OPTION"
3080 >--marginals-needed</TT
3081 > to
3082 <TT
3083 CLASS="LITERAL"
3084 >2</TT
3085 >.
3086 If you are more concerned with security you might choose values of
3087 <TT
3088 CLASS="LITERAL"
3089 >1</TT
3090 > and <TT
3091 CLASS="LITERAL"
3092 >3</TT
3093 > or <TT
3094 CLASS="LITERAL"
3095 >2</TT
3096 >
3097 and <TT
3098 CLASS="LITERAL"
3099 >3</TT
3100 > respectively.
3101 If you are less concerned with privacy attacks and just want some
3102 reasonable confidence about validity, set the values to <TT
3103 CLASS="LITERAL"
3104 >1</TT
3105 >
3106 and <TT
3107 CLASS="LITERAL"
3108 >1</TT
3109 >.
3110 In general, higher numbers for these options imply that more people
3111 would be needed to conspire against you in order to have a key validated
3112 that does not actually belong to the person whom you think it does.</P
3113 ></DIV
3114 ></DIV
3115 ><DIV
3116 CLASS="SECT1"
3117 ><HR><H1
3118 CLASS="SECT1"
3119 ><A
3120 NAME="AEN554"
3121 >Building your web of trust</A
3122 ></H1
3123 ><P
3124 >Wanting to use GnuPG yourself is not enough.
3125 In order to use to communicate securely with others you must have
3126 a web of trust.
3127 At first glance, however, building a web of trust is a daunting task.
3128 The people with whom you communicate need to use
3129 GnuPG<A
3130 NAME="AEN557"
3131 HREF="#FTN.AEN557"
3132 >[5]</A
3133 >, and there needs to be enough
3134 key signing so that keys can be considered valid.
3135 These are not technical problems; they are social problems.
3136 Nevertheless, you must overcome these problems if you want to
3137 use GnuPG.</P
3138 ><P
3139 >When getting started using GnuPG it is important to realize that you
3140 need not securely communicate with every one of your correspondents.
3141 Start with a small circle of people, perhaps just yourself and
3142 one or two others who also want to exercise their right
3143 to privacy.
3144 Generate your keys and sign each other's public keys.
3145 This is your initial web of trust.
3146 By doing this you will appreciate the value of a small, robust
3147 web of trust and will be more cautious as you grow your web
3148 in the future.</P
3149 ><P
3150 >In addition to those in your initial web of trust, you may want to
3151 communicate securely with others who are also using GnuPG.
3152 Doing so, however, can be awkward for two reasons:
3153 (1) you do not always know when someone uses or is willing to use
3154 GnuPG, and (2) if you do know of someone who uses it, you may still have
3155 trouble validating their key.
3156 The first reason occurs because people do not always advertise that
3157 they use GnuPG.
3158 The way to change this behavior is to set the example and advertise
3159 that you use GnuPG.
3160 There are at least three ways to do this: you can sign messages you mail
3161 to others or post to message boards, you can put your public key on your
3162 web page, or, if you put your key on a keyserver, you can put your key
3163 ID in your email signature.
3164 If you advertise your key then you make it that much more acceptable
3165 for others to advertise their keys.
3166 Furthermore, you make it easier for others to start communicating
3167 with you securely since you have taken the initiative and made it clear
3168 that you use GnuPG.</P
3169 ><P
3170 >Key validation is more difficult.
3171 If you do not personally know the person whose key you want to sign,
3172 then it is not possible to sign the key yourself.
3173 You must rely on the signatures of others and hope to find a chain
3174 of signatures leading from the key in question back to your own.
3175 To have any chance of finding a chain, you must take the initiative
3176 and get your key signed by others outside of your initial web of trust.
3177 An effective way to accomplish this is to participate in key
3178 signing parties.
3179 If you are going to a conference look ahead of time for a key
3180 signing party, and if you do not see one being held, offer to
3181 <A
3182 HREF="http://www.herrons.com/kb2nsx/keysign.html"
3183 TARGET="_top"
3184 >hold one</A
3185 >.
3186 You can also be more passive and carry your fingerprint with you
3187 for impromptu key exchanges.
3188 In such a situation the person to whom you gave the fingerprint
3189 would verify it and sign your public key once he returned home.</P
3190 ><P
3191 >Keep in mind, though, that this is optional.
3192 You have no obligation to either publicly advertise your key or
3193 sign other people's keys.
3194 The power of GnuPG is that it is flexible enough to adapt to your
3195 security needs whatever they may be.
3196 The social reality, however, is that you will need to take the initiative
3197 if you want to grow your web of trust and use GnuPG for as much of
3198 your communication as possible.</P
3199 ></DIV
3200 ><DIV
3201 CLASS="SECT1"
3202 ><HR><H1
3203 CLASS="SECT1"
3204 ><A
3205 NAME="AEN564"
3206 >Using GnuPG legally</A
3207 ></H1
3208 ><P
3209 >The legal status of encryption software varies from country to country,
3210 and law regarding encryption software is rapidly evolving.
3211 <A
3212 HREF="http://cwis.kub.nl/~frw/people/koops/bertjaap.htm"
3213 TARGET="_top"
3214 >Bert-Japp
3215 Koops</A
3216 > has an excellent
3217 <A
3218 HREF="http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm"
3219 TARGET="_top"
3220 >Crypto
3221 Law Survey</A
3222 > to which you should refer for the legal status of
3223 encryption software in your country.</P
3224 ></DIV
3225 ></DIV
3226 ><DIV
3227 CLASS="CHAPTER"
3228 ><HR><H1
3229 ><A
3230 NAME="MODULES"
3231 >Chapter 5. Topics</A
3232 ></H1
3233 ><P
3234 >This chapter covers miscellaneous topics that do not fit
3235 elsewhere in the user manual.
3236 As topics are added, they may be collected and factored into chapters
3237 that stand on their own.
3238 If you would like to see a particular topic covered, please suggest it.
3239 Even better, volunteer to write a first draft covering your suggested topic!</P
3240 ><DIV
3241 CLASS="SECT1"
3242 ><HR><H1
3243 CLASS="SECT1"
3244 ><A
3245 NAME="AEN574"
3246 >Writing user interfaces</A
3247 ></H1
3248 ><P
3249 ><A
3250 HREF="http://www.cs.cmu.edu/~alma"
3251 TARGET="_top"
3252 >Alma Whitten</A
3253 > and
3254 <A
3255 HREF="http://www.cs.berkeley.edu/~tygar"
3256 TARGET="_top"
3257 >Doug Tygar</A
3258 > have done a
3259 <A
3260 HREF="http://reports-archive.adm.cs.cmu.edu/anon/1998/abstracts/98-155.html"
3261 TARGET="_top"
3262 >study</A
3263 >
3264 on NAI's PGP 5.0 user interface and came to the conclusion
3265 that novice users find PGP confusing and frustrating.
3266 In their human factors study, only four out of twelve test subjects
3267 managed to correctly send encrypted email to their team members,
3268 and three out of twelve emailed the secret without encryption.
3269 Furthermore, half of the test subjects had a technical background.</P
3270 ><P
3271 >These results are not surprising.
3272 PGP 5.0 has a nice user interface that is excellent if you already
3273 understand how public-key encryption works and are familiar with
3274 the web-of-trust key management model specified by OpenPGP.
3275 Unfortunately, novice users understand neither public-key encryption
3276 nor key management, and the user interface does little to help.</P
3277 ><P
3278 >You should certainly read Whitten and Tygar's report if you are writing
3279 a user interface.
3280 It gives specific comments from each of the test subjects, and those
3281 details are enlightening.
3282 For example, it would appear that many of subjects believed that a
3283 message being sent to other people should be encrypted to the test
3284 subject's own public key.
3285 Consider it for a minute, and you will see that it is an easy mistake
3286 to make.
3287 In general, novice users have difficulty understanding the different
3288 roles of the public key and private key when using GnuPG.
3289 As a user interface designer, you should try to make it clear at
3290 all times when one of the two keys is being used.
3291 You could also use wizards or other common GUI techniques for
3292 guiding the user through common tasks, such as key generation, where
3293 extra steps, such as generating a key revocation certification and
3294 making a backup, are all but essential for using GnuPG correctly.
3295 Other comments from the paper include the following.
3296 <P
3297 ></P
3298 ><UL
3299 ><LI
3300 ><P
3301 >Security is usually a secondary goal; people want to send
3302 email, browse, and so on.
3303 Do not assume users will be motivated to read manuals or go
3304 looking for security controls.</P
3305 ></LI
3306 ><LI
3307 ><P
3308 >The security of a networked computer is only as strong as its
3309 weakest component.
3310 Users need to be guided to attend to all aspects of their security,
3311 not left to proceed through random exploration as they might with a
3312 word processor or a spreadsheet.</P
3313 ></LI
3314 ><LI
3315 ><P
3316 >Consistently use the same terms for the same actions.
3317 Do not alternate between synonyms like ``encrypt'' and
3318 ``encipher''.</P
3319 ></LI
3320 ><LI
3321 ><P
3322 >For inexperienced users, simplify the display.
3323 Too much information hides the important information.
3324 An initial display configuration could concentrate on giving
3325 the user the correct model of the relationship between public
3326 and private keys and a clear understanding of the functions
3327 for acquiring and distributing keys.</P
3328 ></LI
3329 ></UL
3330 ></P
3331 ><P
3332 >Designing an effective user interface for key management is even more
3333 difficult.
3334 The OpenPGP web-of-trust model is unfortunately quite obtuse.
3335 For example, the specification imposes three arbitrary trust levels
3336 onto the user: none, marginal, and complete.
3337 All degrees of trust felt by the user must be fit into one of those
3338 three cubbyholes.
3339 The key validation algorithm is also difficult for non-computer scientists
3340 to understand, particularly the notions of ``marginals needed'' and
3341 ``completes needed''.
3342 Since the web-of-trust model is well-specified and cannot be changed,
3343 you will have to do your best and design a user interface that helps
3344 to clarify it for the user.
3345 A definite improvement, for example, would be to generate a diagram of how
3346 a key was validated when requested by the user.
3347 Relevant comments from the paper include the following.
3348 <P
3349 ></P
3350 ><UL
3351 ><LI
3352 ><P
3353 >Users are likely to be uncertain on how and when to grant accesses.</P
3354 ></LI
3355 ><LI
3356 ><P
3357 >Place a high priority on making sure users understand their
3358 security well enough to prevent them from making potentially
3359 high-cost mistakes.
3360 Such mistakes include
3361 accidentally deleting the private key,
3362 accidentally publicizing a key, accidentally revoking a key,
3363 forgetting the pass phrase, and failing to back up the key rings.</P
3364 ></LI
3365 ></UL
3366 ></P
3367 ></DIV
3368 ></DIV
3369 ><DIV
3370 CLASS="APPENDIX"
3371 ><HR><H1
3372 ><A
3373 NAME="GFDL"
3374 >Appendix A. GNU Free Documentation License</A
3375 ></H1
3376 ><P
3377 >Version 1.1, March 2000</P
3378 ><BLOCKQUOTE
3379 CLASS="BLOCKQUOTE"
3380 ><P
3381 >Copyright (C) 2000 Free Software Foundation, Inc.
3382 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
3383 Everyone is permitted to copy and distribute verbatim copies
3384 of this license document, but changing it is not allowed.</P
3385 ></BLOCKQUOTE
3386 ><DIV
3387 CLASS="SECT1"
3388 ><HR><H1
3389 CLASS="SECT1"
3390 ><A
3391 NAME="AEN604"
3392 >0. PREAMBLE</A
3393 ></H1
3394 ><P
3395 >The purpose of this License is to make a manual, textbook,
3396 or other written document "free" in the sense of freedom: to
3397 assure everyone the effective freedom to copy and redistribute it,
3398 with or without modifying it, either commercially or
3399 noncommercially. Secondarily, this License preserves for the
3400 author and publisher a way to get credit for their work, while not
3401 being considered responsible for modifications made by
3402 others.</P
3403 ><P
3404 >This License is a kind of "copyleft", which means that
3405 derivative works of the document must themselves be free in the
3406 same sense. It complements the GNU General Public License, which
3407 is a copyleft license designed for free software.</P
3408 ><P
3409 >We have designed this License in order to use it for manuals
3410 for free software, because free software needs free documentation:
3411 a free program should come with manuals providing the same
3412 freedoms that the software does. But this License is not limited
3413 to software manuals; it can be used for any textual work,
3414 regardless of subject matter or whether it is published as a
3415 printed book. We recommend this License principally for works
3416 whose purpose is instruction or reference.</P
3417 ></DIV
3418 ><DIV
3419 CLASS="SECT1"
3420 ><HR><H1
3421 CLASS="SECT1"
3422 ><A
3423 NAME="AEN609"
3424 >1. APPLICABILITY AND DEFINITIONS</A
3425 ></H1
3426 ><P
3427 >This License applies to any manual or other work that
3428 contains a notice placed by the copyright holder saying it can be
3429 distributed under the terms of this License. The "Document",
3430 below, refers to any such manual or work. Any member of the
3431 public is a licensee, and is addressed as "you".</P
3432 ><P
3433 >A "Modified Version" of the Document means any work
3434 containing the Document or a portion of it, either copied
3435 verbatim, or with modifications and/or translated into another
3436 language.</P
3437 ><P
3438 >A "Secondary Section" is a named appendix or a front-matter
3439 section of the Document that deals exclusively with the
3440 relationship of the publishers or authors of the Document to the
3441 Document's overall subject (or to related matters) and contains
3442 nothing that could fall directly within that overall subject.
3443 (For example, if the Document is in part a textbook of
3444 mathematics, a Secondary Section may not explain any mathematics.)
3445 The relationship could be a matter of historical connection with
3446 the subject or with related matters, or of legal, commercial,
3447 philosophical, ethical or political position regarding
3448 them.</P
3449 ><P
3450 >The "Invariant Sections" are certain Secondary Sections
3451 whose titles are designated, as being those of Invariant Sections,
3452 in the notice that says that the Document is released under this
3453 License.</P
3454 ><P
3455 >The "Cover Texts" are certain short passages of text that
3456 are listed, as Front-Cover Texts or Back-Cover Texts, in the
3457 notice that says that the Document is released under this
3458 License.</P
3459 ><P
3460 >A "Transparent" copy of the Document means a
3461 machine-readable copy, represented in a format whose specification
3462 is available to the general public, whose contents can be viewed
3463 and edited directly and straightforwardly with generic text
3464 editors or (for images composed of pixels) generic paint programs
3465 or (for drawings) some widely available drawing editor, and that
3466 is suitable for input to text formatters or for automatic
3467 translation to a variety of formats suitable for input to text
3468 formatters. A copy made in an otherwise Transparent file format
3469 whose markup has been designed to thwart or discourage subsequent
3470 modification by readers is not Transparent. A copy that is not
3471 "Transparent" is called "Opaque".</P
3472 ><P
3473 >Examples of suitable formats for Transparent copies include
3474 plain ASCII without markup, Texinfo input format, LaTeX input
3475 format, SGML or XML using a publicly available DTD, and
3476 standard-conforming simple HTML designed for human modification.
3477 Opaque formats include PostScript, PDF, proprietary formats that
3478 can be read and edited only by proprietary word processors, SGML
3479 or XML for which the DTD and/or processing tools are not generally
3480 available, and the machine-generated HTML produced by some word
3481 processors for output purposes only.</P
3482 ><P
3483 >The "Title Page" means, for a printed book, the title page
3484 itself, plus such following pages as are needed to hold, legibly,
3485 the material this License requires to appear in the title page.
3486 For works in formats which do not have any title page as such,
3487 "Title Page" means the text near the most prominent appearance of
3488 the work's title, preceding the beginning of the body of the
3489 text.</P
3490 ></DIV
3491 ><DIV
3492 CLASS="SECT1"
3493 ><HR><H1
3494 CLASS="SECT1"
3495 ><A
3496 NAME="AEN619"
3497 >2. VERBATIM COPYING</A
3498 ></H1
3499 ><P
3500 >You may copy and distribute the Document in any medium,
3501 either commercially or noncommercially, provided that this
3502 License, the copyright notices, and the license notice saying this
3503 License applies to the Document are reproduced in all copies, and
3504 that you add no other conditions whatsoever to those of this
3505 License. You may not use technical measures to obstruct or
3506 control the reading or further copying of the copies you make or
3507 distribute. However, you may accept compensation in exchange for
3508 copies. If you distribute a large enough number of copies you
3509 must also follow the conditions in section 3.</P
3510 ><P
3511 >You may also lend copies, under the same conditions stated
3512 above, and you may publicly display copies.</P
3513 ></DIV
3514 ><DIV
3515 CLASS="SECT1"
3516 ><HR><H1
3517 CLASS="SECT1"
3518 ><A
3519 NAME="AEN623"
3520 >3. COPYING IN QUANTITY</A
3521 ></H1
3522 ><P
3523 >If you publish printed copies of the Document numbering more
3524 than 100, and the Document's license notice requires Cover Texts,
3525 you must enclose the copies in covers that carry, clearly and
3526 legibly, all these Cover Texts: Front-Cover Texts on the front
3527 cover, and Back-Cover Texts on the back cover. Both covers must
3528 also clearly and legibly identify you as the publisher of these
3529 copies. The front cover must present the full title with all
3530 words of the title equally prominent and visible. You may add
3531 other material on the covers in addition. Copying with changes
3532 limited to the covers, as long as they preserve the title of the
3533 Document and satisfy these conditions, can be treated as verbatim
3534 copying in other respects.</P
3535 ><P
3536 >If the required texts for either cover are too voluminous to
3537 fit legibly, you should put the first ones listed (as many as fit
3538 reasonably) on the actual cover, and continue the rest onto
3539 adjacent pages.</P
3540 ><P
3541 >If you publish or distribute Opaque copies of the Document
3542 numbering more than 100, you must either include a
3543 machine-readable Transparent copy along with each Opaque copy, or
3544 state in or with each Opaque copy a publicly-accessible
3545 computer-network location containing a complete Transparent copy
3546 of the Document, free of added material, which the general
3547 network-using public has access to download anonymously at no
3548 charge using public-standard network protocols. If you use the
3549 latter option, you must take reasonably prudent steps, when you
3550 begin distribution of Opaque copies in quantity, to ensure that
3551 this Transparent copy will remain thus accessible at the stated
3552 location until at least one year after the last time you
3553 distribute an Opaque copy (directly or through your agents or
3554 retailers) of that edition to the public.</P
3555 ><P
3556 >It is requested, but not required, that you contact the
3557 authors of the Document well before redistributing any large
3558 number of copies, to give them a chance to provide you with an
3559 updated version of the Document.</P
3560 ></DIV
3561 ><DIV
3562 CLASS="SECT1"
3563 ><HR><H1
3564 CLASS="SECT1"
3565 ><A
3566 NAME="AEN629"
3567 >4. MODIFICATIONS</A
3568 ></H1
3569 ><P
3570 >You may copy and distribute a Modified Version of the
3571 Document under the conditions of sections 2 and 3 above, provided
3572 that you release the Modified Version under precisely this
3573 License, with the Modified Version filling the role of the
3574 Document, thus licensing distribution and modification of the
3575 Modified Version to whoever possesses a copy of it. In addition,
3576 you must do these things in the Modified Version:</P
3577 ><P
3578 ></P
3579 ><OL
3580 TYPE="A"
3581 ><LI
3582 ><P
3583 >Use in the Title Page
3584 (and on the covers, if any) a title distinct from that of the
3585 Document, and from those of previous versions (which should, if
3586 there were any, be listed in the History section of the
3587 Document). You may use the same title as a previous version if
3588 the original publisher of that version gives permission.</P
3589 ></LI
3590 ><LI
3591 ><P
3592 >List on the Title Page,
3593 as authors, one or more persons or entities responsible for
3594 authorship of the modifications in the Modified Version,
3595 together with at least five of the principal authors of the
3596 Document (all of its principal authors, if it has less than
3597 five).</P
3598 ></LI
3599 ><LI
3600 ><P
3601 >State on the Title page
3602 the name of the publisher of the Modified Version, as the
3603 publisher.</P
3604 ></LI
3605 ><LI
3606 ><P
3607 >Preserve all the
3608 copyright notices of the Document.</P
3609 ></LI
3610 ><LI
3611 ><P
3612 >Add an appropriate
3613 copyright notice for your modifications adjacent to the other
3614 copyright notices.</P
3615 ></LI
3616 ><LI
3617 ><P
3618 >Include, immediately
3619 after the copyright notices, a license notice giving the public
3620 permission to use the Modified Version under the terms of this
3621 License, in the form shown in the Addendum below.</P
3622 ></LI
3623 ><LI
3624 ><P
3625 >Preserve in that license
3626 notice the full lists of Invariant Sections and required Cover
3627 Texts given in the Document's license notice.</P
3628 ></LI
3629 ><LI
3630 ><P
3631 >Include an unaltered
3632 copy of this License.</P
3633 ></LI
3634 ><LI
3635 ><P
3636 >Preserve the section
3637 entitled "History", and its title, and add to it an item stating
3638 at least the title, year, new authors, and publisher of the
3639 Modified Version as given on the Title Page. If there is no
3640 section entitled "History" in the Document, create one stating
3641 the title, year, authors, and publisher of the Document as given
3642 on its Title Page, then add an item describing the Modified
3643 Version as stated in the previous sentence.</P
3644 ></LI
3645 ><LI
3646 ><P
3647 >Preserve the network
3648 location, if any, given in the Document for public access to a
3649 Transparent copy of the Document, and likewise the network
3650 locations given in the Document for previous versions it was
3651 based on. These may be placed in the "History" section. You
3652 may omit a network location for a work that was published at
3653 least four years before the Document itself, or if the original
3654 publisher of the version it refers to gives permission.</P
3655 ></LI
3656 ><LI
3657 ><P
3658 >In any section entitled
3659 "Acknowledgements" or "Dedications", preserve the section's
3660 title, and preserve in the section all the substance and tone of
3661 each of the contributor acknowledgements and/or dedications
3662 given therein.</P
3663 ></LI
3664 ><LI
3665 ><P
3666 >Preserve all the
3667 Invariant Sections of the Document, unaltered in their text and
3668 in their titles. Section numbers or the equivalent are not
3669 considered part of the section titles.</P
3670 ></LI
3671 ><LI
3672 ><P
3673 >Delete any section
3674 entitled "Endorsements". Such a section may not be included in
3675 the Modified Version.</P
3676 ></LI
3677 ><LI
3678 ><P
3679 >Do not retitle any
3680 existing section as "Endorsements" or to conflict in title with
3681 any Invariant Section.</P
3682 ></LI
3683 ></OL
3684 ><P
3685 >If the Modified Version includes new front-matter sections
3686 or appendices that qualify as Secondary Sections and contain no
3687 material copied from the Document, you may at your option
3688 designate some or all of these sections as invariant. To do this,
3689 add their titles to the list of Invariant Sections in the Modified
3690 Version's license notice. These titles must be distinct from any
3691 other section titles.</P
3692 ><P
3693 >You may add a section entitled "Endorsements", provided it
3694 contains nothing but endorsements of your Modified Version by
3695 various parties--for example, statements of peer review or that
3696 the text has been approved by an organization as the authoritative
3697 definition of a standard.</P
3698 ><P
3699 >You may add a passage of up to five words as a Front-Cover
3700 Text, and a passage of up to 25 words as a Back-Cover Text, to the
3701 end of the list of Cover Texts in the Modified Version. Only one
3702 passage of Front-Cover Text and one of Back-Cover Text may be
3703 added by (or through arrangements made by) any one entity. If the
3704 Document already includes a cover text for the same cover,
3705 previously added by you or by arrangement made by the same entity
3706 you are acting on behalf of, you may not add another; but you may
3707 replace the old one, on explicit permission from the previous
3708 publisher that added the old one.</P
3709 ><P
3710 >The author(s) and publisher(s) of the Document do not by
3711 this License give permission to use their names for publicity for
3712 or to assert or imply endorsement of any Modified Version.</P
3713 ></DIV
3714 ><DIV
3715 CLASS="SECT1"
3716 ><HR><H1
3717 CLASS="SECT1"
3718 ><A
3719 NAME="AEN665"
3720 >5. COMBINING DOCUMENTS</A
3721 ></H1
3722 ><P
3723 >You may combine the Document with other documents released
3724 under this License, under the terms defined in section 4 above for
3725 modified versions, provided that you include in the combination
3726 all of the Invariant Sections of all of the original documents,
3727 unmodified, and list them all as Invariant Sections of your
3728 combined work in its license notice.</P
3729 ><P
3730 >The combined work need only contain one copy of this
3731 License, and multiple identical Invariant Sections may be replaced
3732 with a single copy. If there are multiple Invariant Sections with
3733 the same name but different contents, make the title of each such
3734 section unique by adding at the end of it, in parentheses, the
3735 name of the original author or publisher of that section if known,
3736 or else a unique number. Make the same adjustment to the section
3737 titles in the list of Invariant Sections in the license notice of
3738 the combined work.</P
3739 ><P
3740 >In the combination, you must combine any sections entitled
3741 "History" in the various original documents, forming one section
3742 entitled "History"; likewise combine any sections entitled
3743 "Acknowledgements", and any sections entitled "Dedications". You
3744 must delete all sections entitled "Endorsements."</P
3745 ></DIV
3746 ><DIV
3747 CLASS="SECT1"
3748 ><HR><H1
3749 CLASS="SECT1"
3750 ><A
3751 NAME="AEN670"
3752 >6. COLLECTIONS OF DOCUMENTS</A
3753 ></H1
3754 ><P
3755 >You may make a collection consisting of the Document and
3756 other documents released under this License, and replace the
3757 individual copies of this License in the various documents with a
3758 single copy that is included in the collection, provided that you
3759 follow the rules of this License for verbatim copying of each of
3760 the documents in all other respects.</P
3761 ><P
3762 >You may extract a single document from such a collection,
3763 and distribute it individually under this License, provided you
3764 insert a copy of this License into the extracted document, and
3765 follow this License in all other respects regarding verbatim
3766 copying of that document.</P
3767 ></DIV
3768 ><DIV
3769 CLASS="SECT1"
3770 ><HR><H1
3771 CLASS="SECT1"
3772 ><A
3773 NAME="AEN674"
3774 >7. AGGREGATION WITH INDEPENDENT WORKS</A
3775 ></H1
3776 ><P
3777 >A compilation of the Document or its derivatives with other
3778 separate and independent documents or works, in or on a volume of
3779 a storage or distribution medium, does not as a whole count as a
3780 Modified Version of the Document, provided no compilation
3781 copyright is claimed for the compilation. Such a compilation is
3782 called an "aggregate", and this License does not apply to the
3783 other self-contained works thus compiled with the Document, on
3784 account of their being thus compiled, if they are not themselves
3785 derivative works of the Document.</P
3786 ><P
3787 >If the Cover Text requirement of section 3 is applicable to
3788 these copies of the Document, then if the Document is less than
3789 one quarter of the entire aggregate, the Document's Cover Texts
3790 may be placed on covers that surround only the Document within the
3791 aggregate. Otherwise they must appear on covers around the whole
3792 aggregate.</P
3793 ></DIV
3794 ><DIV
3795 CLASS="SECT1"
3796 ><HR><H1
3797 CLASS="SECT1"
3798 ><A
3799 NAME="AEN678"
3800 >8. TRANSLATION</A
3801 ></H1
3802 ><P
3803 >Translation is considered a kind of modification, so you may
3804 distribute translations of the Document under the terms of section
3805 4. Replacing Invariant Sections with translations requires
3806 special permission from their copyright holders, but you may
3807 include translations of some or all Invariant Sections in addition
3808 to the original versions of these Invariant Sections. You may
3809 include a translation of this License provided that you also
3810 include the original English version of this License. In case of
3811 a disagreement between the translation and the original English
3812 version of this License, the original English version will
3813 prevail.</P
3814 ></DIV
3815 ><DIV
3816 CLASS="SECT1"
3817 ><HR><H1
3818 CLASS="SECT1"
3819 ><A
3820 NAME="AEN681"
3821 >9. TERMINATION</A
3822 ></H1
3823 ><P
3824 >You may not copy, modify, sublicense, or distribute the
3825 Document except as expressly provided for under this License. Any
3826 other attempt to copy, modify, sublicense or distribute the
3827 Document is void, and will automatically terminate your rights
3828 under this License. However, parties who have received copies, or
3829 rights, from you under this License will not have their licenses
3830 terminated so long as such parties remain in full
3831 compliance.</P
3832 ></DIV
3833 ><DIV
3834 CLASS="SECT1"
3835 ><HR><H1
3836 CLASS="SECT1"
3837 ><A
3838 NAME="AEN684"
3839 >10. FUTURE REVISIONS OF THIS LICENSE</A
3840 ></H1
3841 ><P
3842 >The Free Software Foundation may publish new, revised
3843 versions of the GNU Free Documentation License from time to time.
3844 Such new versions will be similar in spirit to the present
3845 version, but may differ in detail to address new problems or
3846 concerns. See <A
3847 HREF="http://www.gnu.org/copyleft/"
3848 TARGET="_top"
3849 >http://www.gnu.org/copyleft/</A
3850 >.</P
3851 ><P
3852 >Each version of the License is given a distinguishing
3853 version number. If the Document specifies that a particular
3854 numbered version of this License "or any later version" applies to
3855 it, you have the option of following the terms and conditions
3856 either of that specified version or of any later version that has
3857 been published (not as a draft) by the Free Software Foundation.
3858 If the Document does not specify a version number of this License,
3859 you may choose any version ever published (not as a draft) by the
3860 Free Software Foundation.</P
3861 ></DIV
3862 ><DIV
3863 CLASS="SECT1"
3864 ><HR><H1
3865 CLASS="SECT1"
3866 ><A
3867 NAME="AEN689"
3868 >How to use this License for your documents</A
3869 ></H1
3870 ><P
3871 >To use this License in a document you have written, include
3872 a copy of the License in the document and put the following
3873 copyright and license notices just after the title page:</P
3874 ><BLOCKQUOTE
3875 CLASS="BLOCKQUOTE"
3876 ><P
3877 > Copyright (c) YEAR YOUR NAME.
3878 Permission is granted to copy, distribute and/or modify this document
3879 under the terms of the GNU Free Documentation License, Version 1.1
3880 or any later version published by the Free Software Foundation;
3881 with the Invariant Sections being LIST THEIR TITLES, with the
3882 Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
3883 A copy of the license is included in the section entitled "GNU
3884 Free Documentation License".</P
3885 ></BLOCKQUOTE
3886 ><P
3887 >If you have no Invariant Sections, write "with no Invariant
3888 Sections" instead of saying which ones are invariant. If you have
3889 no Front-Cover Texts, write "no Front-Cover Texts" instead of
3890 "Front-Cover Texts being LIST"; likewise for Back-Cover
3891 Texts.</P
3892 ><P
3893 >If your document contains nontrivial examples of program
3894 code, we recommend releasing these examples in parallel under your
3895 choice of free software license, such as the GNU General Public
3896 License, to permit their use in free software.</P
3897 ></DIV
3898 ></DIV
3899 ></DIV
3900 ><H3
3901 CLASS="FOOTNOTES"
3902 >Notes</H3
3903 ><TABLE
3904 BORDER="0"
3905 CLASS="FOOTNOTES"
3906 WIDTH="100%"
3907 ><TR
3908 ><TD
3909 ALIGN="LEFT"
3910 VALIGN="TOP"
3911 WIDTH="5%"
3912 ><A
3913 NAME="FTN.AEN34"
3914 HREF="#AEN34"
3915 >[1]</A
3916 ></TD
3917 ><TD
3918 ALIGN="LEFT"
3919 VALIGN="TOP"
3920 WIDTH="95%"
3921 ><P
3922 >Option 3 is to generate an ElGamal keypair that is
3923 not usable for making signatures.</P
3924 ></TD
3925 ></TR
3926 ><TR
3927 ><TD
3928 ALIGN="LEFT"
3929 VALIGN="TOP"
3930 WIDTH="5%"
3931 ><A
3932 NAME="FTN.AEN77"
3933 HREF="#AEN77"
3934 >[2]</A
3935 ></TD
3936 ><TD
3937 ALIGN="LEFT"
3938 VALIGN="TOP"
3939 WIDTH="95%"
3940 ><P
3941 >Many
3942 command-line options that are frequently used can also be set in a
3943 configuration file.</P
3944 ></TD
3945 ></TR
3946 ><TR
3947 ><TD
3948 ALIGN="LEFT"
3949 VALIGN="TOP"
3950 WIDTH="5%"
3951 ><A
3952 NAME="FTN.AEN230"
3953 HREF="#AEN230"
3954 >[3]</A
3955 ></TD
3956 ><TD
3957 ALIGN="LEFT"
3958 VALIGN="TOP"
3959 WIDTH="95%"
3960 ><P
3961 >The cipher must have the property that the actual public key or private
3962 key could be used by the encryption algorithm as the public key.
3963 RSA is an example of such an algorithm while ElGamal is not an example.</P
3964 ></TD
3965 ></TR
3966 ><TR
3967 ><TD
3968 ALIGN="LEFT"
3969 VALIGN="TOP"
3970 WIDTH="5%"
3971 ><A
3972 NAME="FTN.AEN378"
3973 HREF="#AEN378"
3974 >[4]</A
3975 ></TD
3976 ><TD
3977 ALIGN="LEFT"
3978 VALIGN="TOP"
3979 WIDTH="95%"
3980 ><P
3981 >GnuPG overloads the word ``trust'' by using it to mean
3982 trust in an owner and trust in a key.
3983 This can be confusing.
3984 Sometimes trust in an owner is referred to as
3985 <I
3986 CLASS="FIRSTTERM"
3987 >owner-trust</I
3988 > to
3989 distinguish it from trust in a key.
3990 Throughout this manual, however, ``trust'' is used to
3991 mean trust in a key's
3992 owner, and ``validity'' is used to mean trust that a key
3993 belongs to the human associated with the key ID.</P
3994 ></TD
3995 ></TR
3996 ><TR
3997 ><TD
3998 ALIGN="LEFT"
3999 VALIGN="TOP"
4000 WIDTH="5%"
4001 ><A
4002 NAME="FTN.AEN557"
4003 HREF="#AEN557"
4004 >[5]</A
4005 ></TD
4006 ><TD
4007 ALIGN="LEFT"
4008 VALIGN="TOP"
4009 WIDTH="95%"
4010 ><P
4011 >In this section, GnuPG refers to the
4012 GnuPG implementation of OpenPGP as well as other implementations
4013 such as NAI's PGP product.</P
4014 ></TD
4015 ></TR
4016 ></TABLE
4017 ></BODY
4018 ></HTML
4019