The Key Menu

Since the time of Julius Caesar, key management has always been the hardest part of cryptography. One of the principal distinguishing features of PGP and this Macintosh adaptation is its sophisticated key management features.

• Generate key...

Use this command to generate your own unique public/secret key pair of a specified size. MacPGP shows you a menu of recommended key sizes (casual grade, commercial grade, or military grade) and prompts you for what size key you want, up to around a thousand bits. The bigger the key, the more security you get, but you pay a price in speed.

PGP also asks for a user ID, which means your name. It is a good idea to use your full name as your user ID, because then there is less risk of other people using the wrong public key to encrypt messages to you. Spaces and punctuation are allowed in the user ID. It would help if you put your E-mail address in after your name, like so:

  Robert M. Smith

If you don't have an E-mail address, use your phone number or some other unique information that would help ensure that your user ID is unique.

PGP also asks for a "pass phrase" to protect your secret key in case it falls into the wrong hands. Nobody can use your secret key file without this pass phrase. The pass phrase is like a password, except that it can be a whole phrase or sentence with many words, spaces, punctuation, or anything else you want in it. Don't lose this pass phrase: there is no way to recover it if you do lose it. This pass phrase will be needed later every time you use your secret key. The pass phrase is case-sensitive, and should not be too short or easy to guess. It is never displayed on the screen. Don't leave it written down anywhere where someone else can see it, and don't store it on your computer. If you don't want a pass phrase (You fool!), just press return (or enter) at the pass phrase prompt.

The public/secret key pair is derived from the RSA process and large random numbers generated from measuring the intervals between your keystrokes with a fast timer. Note that RSA key generation is a VERY lengthy process.

The generated key pair will be placed on your public and secret key rings. You can later use the "Extract" command to extract (copy) your new public key from your public key ring and place it in a separate public key file suitable for distribution to your friends. The public key file can be sent to your friends for inclusion in their public key rings. Naturally, you keep your secret key file to yourself, and you should include it on your secret key ring. Each secret key on a key ring is individually protected with its own pass phrase.

Never give your secret key to anyone else. For the same reason, don't make key pairs for your friends. Everyone should make their own key pair. Always keep physical control of your secret key, and don't risk exposing it by storing it on a remote timesharing computer. Keep it on your own personal computer.

Make sure you don't lose your unique public and private key pair to faulty storage media or carelessness: make backups! If you lose your key you will cause inconvenience to everyone who holds the public key half of the pair, who have to communicate with you and replace it with your new one. Also, whenever this happens, it weakens the security of the 'trust web', in that people are being asked to make key modifications on faith rather than on the strength of a secure "revocation certificate".

• Add keys...

Use this command to add a public or secret key file's contents to your public or secret key ring (note that [brackets] denote an optional field). A key file may contain multiple keys.

The optional keyring file name defaults to "pubring.pgp" or "secring.pgp", depending on whether the keyfile contains a public or a secret key. You may specify a different key ring file name under the "Options" menu.

If the key is already on your key ring, PGP will not add it again. All of the keys in the keyfile are added to the keyring, except for duplicates. If the key being added has attached signatures certifying it, the signatures are added with the key. If the key is already on your key ring, PGP just merges in any new certifying signatures for that key that you don't already have on your key ring.

• View keyring...

Use this command to view the contents of your public key ring. This lists any keys in the key ring that match the specified user ID substring. If you omit the user ID, all of the keys in the key ring are listed. The optional keyring file name is assumed to be "pubring.pgp". It can be omitted, or you can specify "secring.pgp" if you want to list secret keys. If you want to specify a different key ring file name, you can.

To see all the certifying signatures attached to each key, use the "verbose" flag under the Options menu.

• Check signatures...

To have MacPGP perform a full analysis of your public key ring, use the key ring check command. Associated with the keys in a keyring are signatures of introducers attesting to authenticity, from which the trust parameters and validity scores associated with keys are derived.

Normally, PGP automatically checks any new keys or signatures on your public key ring and updates all the trust parameters and validity scores. In theory, it keeps all the key validity status information up to date as material is added to or deleted from your public key ring. But perhaps you may want to explicitly force PGP to perform a comprehensive analysis of your public key ring, checking all the certifying signatures, checking the trust parameters, updating all the validity scores, and checking your own ultimately-trusted key against a backup copy on a write-protected floppy disk. It may be a good idea to do this hygienic maintenance periodically to make sure nothing is wrong with your public key ring.

Since your own trusted public key is used as a final authority to directly or indirectly certify all the other keys on your key ring, it is the most important key to protect from tampering. To detect any tampering of your own ultimately-trusted public key, PGP can be set up to automatically compare your public key against a backup copy on write-protected media.

For further details, see the sections "How to Protect Public Keys from Tampering" and "How Does PGP Keep Track of Which Keys are Valid?" in the Essential Topics volume.

• Extract Key...

Use this command to extract (copy) a key from your public or secret key ring. This non-destructively copies the key specified by the user ID from your public or secret key ring to the specified key file. This is the approach used to give a copy of your public key to someone else.

If the key has any certifying signatures attached to it on your key ring, they are copied off along with the key.

If you want the extracted key represented in printable ASCII characters suitable for email purposes, use the "ASCII Output" flag under the Options menu.

• Certify Key

Use this command to certify someone else's key in your keyring as genuine. A file 'certificate' is created holding their public key signed by you to attest its authenticity. You serve as the intermediate trusted 'introducer' for that key to others by passing them the certificate.

If you are asked to sign someone else's public key certificate, make certain that it really belongs to the person named in the user ID of that public key certificate. This is because your signature on her public key certificate is a promise by you that this public key really belongs to her. Other people who trust you will accept her public key because it bears your signature. It is ill-advised to rely on hearsay: don't sign her public key unless you have independent firsthand knowledge that it really belongs to her. Preferably, you should sign it only if you got it directly from her.

In order to sign a public key, you must be far more certain of that key's ownership than if you merely want to use that key to encrypt a message. To be convinced of a key's validity enough to use it, certifying signatures from trusted introducers should suffice. But to sign a key yourself, you should require your own independent firsthand knowledge of who owns that key. Perhaps you could call the key's owner on the phone and read the key file to her to get her to confirm that the key you have really is her key, and make sure you really are talking to the right person. See the "Fingerprint key" command and the section "Verifying a Public Key Over the Phone" in the Special Topics volume for further details.

Bear in mind that your signature on a public key certificate does not vouch for the integrity of that person, but only vouches for the integrity (the ownership) of that person's public key. You aren't risking your credibility by signing the public key of a sociopath, if you were completely confident that the key really belonged to him. Other people would accept that key as belonging to him because you signed it (assuming they trust you), but they wouldn't trust that key's owner. Trusting a key is not the same as trusting the key's owner.

For further details, see the sections "How to Protect Public Keys from Tampering" and "How Does PGP Keep Track of Which Keys are Valid?" in the Essential Topics volume.

• Edit Key...

Use this command to change the trust parameters associated with someone else's key, to edit your user ID on your public key, or to change the pass phrase for your secret key.

Sometimes you may need to change your pass phrase, perhaps because someone looked over your shoulder while you typed it in. Or you may need to change your user ID, because you got married and changed your name, or maybe you changed your E-mail address. Or maybe you want to add a second or third user ID to your key, because you may be known by more than one name or E-mail address or job title. PGP lets you attach more than one user ID to your key, any one of which may be used to look up your key on the key ring.

Sometimes you need to alter the trust parameters for a public key on your public key ring. For a discussion of what these trust parameters mean, see the section "How Does PGP Keep Track of Which Keys are Valid?" in the Essential Topics volume of the PGP User's Guide. In short, the trust parameters are a method of judging the authenticity of keys. If you received the key for a person via a third party, you are susceptible to a "spoofing" attack whereby the intermediary supplies a false key. Complex systems and structures have been proposed for "certifying authorities and hierarchies", but PGP simply lets the user choose their own scheme. Phil Zimmermann writes under "How to Protect Public Keys from Tampering" in the Special Topics volume:

"For more decentralized grassroots 'guerrilla style' environments, allowing all users to act as trusted introducers for their friends would probably work better than a centralized key server. PGP tends to emphasize this organic decentralized non-institutional approach. It better reflects the natural way humans interact on a personal social level, and allows people to better choose who they can trust for key management."

• Remove Key...

Use this command to remove a key or a user ID from your public key ring. PGP searches for the specified user ID in your key ring, and removes it if it finds a match. Remember that any fragment of the user ID will suffice for a match. The optional keyring file name is assumed to be literally "pubring.pgp". It can be omitted, or you can specify "secring.pgp" if you want to remove a secret key. You may specify a different key ring file name.

If more than one user ID exists for this key, you will be asked if you want to remove only the user ID you specified, while leaving the key and its other user IDs intact.

• Remove signatures...

Use this command to remove the signatures associated with a given key. You can use this to indicate that a signature is no longer considered trustworthy, so that PGP will update the trust values for affected keys accordingly.

• Disable/enable key...

This command can be used to temporarily enable or disable keys in a key ring. This is useful to indicate that trust in the key is not completely lost (in which case it should be removed) but "on hold".

This command is also used to revoke your own key. In this case a "revocation certificate" will be attached to your public key in your public keyring. Then use the "Extract" command (see above) to extract your public key together with the attached revocation certificate, and distribute it so that everyone holding your key learns of the revocation.

• Fingerprint key...

This command will display the key with the 16-byte (MD5) digest of the public key components. Read this 16-byte fingerprint to the key's owner on the phone, while she checks it against her own, using the same command at her end. You can both verify each other's keys this way, and then you can sign each other's keys with confidence. This is a safe and convenient way to get the key trust network started for your circle of friends.

If you get a public key from someone that is not certified by anyone you trust, how can you tell if it's really their key? The best way to verify an uncertified key is to verify it over some independent channel other than the one you received the key through. One convenient way to tell, if you know this person and would recognize them on the phone, is to call them and verify their key over the telephone. Rather than reading their whole tiresome (ASCII-armored) key to them over the phone, you can just read their key's "fingerprint" to them.
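The following is an added worked example, not MacPGP's own code, covering two things this page describes: the 16-byte fingerprint that "Fingerprint key..." prints and you read over the phone, and the way "Check signatures..." derives key validity from introducer signatures and the owner-trust values you set with "Edit Key...". The fingerprint follows the PGP 2.x (V3 key) rule: MD5 over the bytes of the RSA modulus followed by the bytes of the exponent, without the MPI length prefixes. The validity pass is a simplified reconstruction of PGP's rule (one completely trusted introducer or two marginally trusted ones, chains bounded by a certification depth), not PGP's source; the thresholds are PGP 2.x's documented defaults, and the key ring, user IDs and moduli are constructed toy data, not real RSA keys.

```python
import hashlib
from dataclasses import dataclass, field

# Trust levels a key's *owner* can hold as an introducer (set with "Edit Key...").
UNTRUSTED, MARGINAL, COMPLETE, ULTIMATE = 0, 1, 2, 3
# PGP 2.x defaults: one complete or two marginal introducers; chains at most 4 hops.
COMPLETES_NEEDED, MARGINALS_NEEDED, CERT_DEPTH = 1, 2, 4


def mpi_body(x):
    """Big-endian magnitude bytes of an integer, without the 2-byte bit-length prefix PGP stores."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def v3_fingerprint(n, e):
    """The 16-byte fingerprint of a PGP 2.x RSA key: MD5 over modulus body then exponent body.
    The lengths are not hashed, so two different (n, e) splits of the same byte string collide;
    later (V4) key formats hash the lengths as well."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).digest()


def format_fingerprint(fp):
    """Sixteen two-digit hex groups, the form you read to the key's owner over the phone."""
    return " ".join(f"{b:02X}" for b in fp)


def fingerprints_match(spoken, local):
    """Compare what the owner read aloud with your own copy, ignoring spacing and case."""
    return spoken.replace(" ", "").upper() == local.replace(" ", "").upper()


@dataclass
class Key:
    user_id: str
    n: int
    e: int
    owner_trust: int = UNTRUSTED                # how far you trust the owner as an introducer
    signers: set = field(default_factory=set)   # user IDs whose signatures certify this key
    revoked: bool = False                       # a revocation certificate is attached
    disabled: bool = False                      # "Disable/enable key...": on hold, not removed


def compute_validity(ring, me):
    """Validity of every key, as a "Check signatures..." pass would derive it.
    Your own key is valid by definition. Another key becomes valid once it carries signatures
    from COMPLETES_NEEDED completely trusted, or MARGINALS_NEEDED marginally trusted, introducers
    whose own keys are already valid and not revoked. Each pass extends chains by one hop."""
    valid = {uid: uid == me for uid in ring}
    for _ in range(CERT_DEPTH):
        changed = False
        for uid, key in ring.items():
            if valid[uid] or key.revoked:
                continue
            completes = marginals = 0
            for s in key.signers:
                signer = ring.get(s)
                if signer is None or not valid[s] or signer.revoked:
                    continue    # signature by an unknown, invalid or revoked key counts for nothing
                if signer.owner_trust in (COMPLETE, ULTIMATE):
                    completes += 1
                elif signer.owner_trust == MARGINAL:
                    marginals += 1
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                valid[uid] = changed = True
        if not changed:
            break
    return valid


def usable_for_encryption(ring, me, uid):
    """A key you would actually encrypt to: valid, not revoked, not disabled."""
    key = ring[uid]
    return compute_validity(ring, me)[uid] and not key.revoked and not key.disabled


def remove_signature(ring, uid, signer):
    """"Remove signatures...": drop one certification; validity is re-derived on the next check."""
    ring[uid].signers.discard(signer)


def build_sample_ring():
    """Constructed toy ring (hypothetical names, small moduli standing in for RSA keys)."""
    def k(uid, n, trust=UNTRUSTED, signers=()):
        return Key(uid, n, 17, trust, set(signers))
    keys = [
        k("Alice", 0xC0FFEE, ULTIMATE),                    # you
        k("Bob",   0xBEEF01, COMPLETE, ["Alice"]),          # a trusted introducer
        k("Carol", 0xBEEF02, UNTRUSTED, ["Bob"]),           # known only through Bob
        k("Dave",  0xBEEF03, UNTRUSTED, ["Alice"]),         # the "sociopath": valid key, untrusted owner
        k("Eve",   0xBEEF04, UNTRUSTED, ["Dave"]),          # certified only by Dave
        k("Gina",  0xBEEF05, MARGINAL, ["Alice"]),
        k("Hal",   0xBEEF06, MARGINAL, ["Alice"]),
        k("Frank", 0xBEEF07, UNTRUSTED, ["Gina", "Hal"]),   # two marginal introducers suffice
        k("Ivan",  0xBEEF08, UNTRUSTED, ["Gina"]),          # one marginal does not
    ]
    return {key.user_id: key for key in keys}


if __name__ == "__main__":
    ring = build_sample_ring()
    print("Bob's fingerprint:", format_fingerprint(v3_fingerprint(ring["Bob"].n, ring["Bob"].e)))
    for uid, ok in compute_validity(ring, "Alice").items():
        print(f"{uid:6} valid={ok}")
```

Two points the run makes concrete: Dave's key is valid because you signed it, yet Eve's key, certified only by Dave, is not, since owner trust (an introducer's reliability) and key validity (correct ownership) are separate values; and removing Bob's signature from Carol's key, or attaching a revocation to Bob's key, silently pulls Carol back to unvalidated on the next check.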