PGP: Difference between revisions

← Older edit

PGP (view source)

Revision as of 12:21, 13 August 2022

37 bytes added , 13 August 2022

m

→‎Changing your key/passphrase: Minor cleanup

CecilWard

252

edits

Revision as of 09:53, 9 April 2019 (view source) AA-Andrew (talk \| contribs) (Created page with "<indicator name="Front">link=Category:Technical Documents\|30px\|Back up to the Technical Documents category</indicator> ==Introduction== PGP (Prett...")		Latest revision as of 12:21, 13 August 2022 (view source) CecilWard (talk \| contribs) m (→‎Changing your key/passphrase: Minor cleanup)
(2 intermediate revisions by 2 users not shown)
This diagram should help explain some of the principles. [[File:Public-key.png\|1000px]] =How to use PGP= ==Trust== One of the big issues with any system for associating an identity with a person (e.g. a PGP key with a real person) is proving that link. How do you know someone is who they say they are. How do you know that someone's key is theirs.? All keys have a fingerprint, which is easy enough to read out over the phone or check on a business card, etc. This is one way to check a key is genuine. You can then tell the key management software that you trust that the key ~~to be~~is genuine. It is also possible to say that you trust someone to sign other keys. For example, if you trust the Andrews & Arnold Ltd company key to sign other keys, then any of our staff keys will immediately appear to be valid when you download them from a key server because the key itself is digitally signed by the Andrews & Arnold Ltd company key. Even without knowing someone is who they say they are, PGP provides a ~~key~~crucial factor for communications - consistency. If you have been exchanging signed emails with someone called Fred Bloggs for years, then that is in effect who they are from your point of view. If they send an email with the same key as always, it is the same person you communicated with last time. ==Changing your key/passphrase== It is also possible to associate more names and email addresses with the same secret key, and revoke previous email address associations. This is handy if you use more than one email address, change email provider or even change your name as you can retain a consistent identity using the key. However, anyone counter signing your key only signs to say the association of name/email/etc with your key is valid and so would have to re-sign your key for other new people to trust it. Anyone who already trusts your key to represent you, would continue to do so. If you manage to expose your key, e.g. someone gets a copy and sees ~~you~~your passphrase, it is possible to revoke the key. ~~- this~~This is a signed statement that you load on key servers saying itthat the key is no longer valid. There is no real way to ensure all possible senders and recipients get this though, so take care with your key. You can set an expiry on a key. This helps if you think you may somehow expose the key to someone else. If you are confident in your own security principles, you could choose to have an non -expiring key. Expiring and changing keys can be inconvenient, but some people prefer to change keys every few years just to be sure no old key can possibly still be valid.▼ ▲You can set an expiry on a key. This helps if you think you may somehow expose the key to someone else. If you are confident in your own security principles you could choose to have an non expiring key. Expiring and changing keys can be inconvenient, but some people prefer to change keys every few years just to be sure no old key can possibly still be valid. ==Should you sign all emails?==