STR#_209.txt (string resource of PowerMac PGP 2.6.3i, from the Freaks Macintosh Archive; text file, 1997-03-06, 14KB, 533 lines)
The Key Menu

Since the time of Julius Caesar, key management has always been the hardest part of cryptography. One of the principal distinguishing features of PGP and this Macintosh adaptation is its sophisticated key management features.

• Generate key...

Use this command to generate your own unique public/secret key pair of a specified size. MacPGP shows you a menu of recommended key sizes (casual grade, commercial grade, or military grade) and prompts you for what size key you want, up to around a thousand bits. The bigger the key, the more security you get, but you pay a price in speed.

PGP also asks for a user ID, which means your name. It's a good idea to use your full name as your user ID, because then there is less risk of other people using the wrong public key to encrypt messages to you.

Spaces and punctuation are allowed in the user ID. It would help if you put your E-mail address in <angle brackets> after your name, like so:

Robert M. Smith <rms@xyzcorp.com>

If you don't have an E-mail address, use your phone number or some other unique information that would help ensure that your user ID is unique.

PGP also asks for a "pass phrase" to protect your secret key in case it falls into the wrong hands. Nobody can use your secret key file without this pass phrase. The pass phrase is like a password, except that it can be a whole phrase or sentence with many words, spaces, punctuation, or anything else you want in it. Don't lose this pass phrase; there's no way to recover it if you do lose it. This pass phrase will be needed later every time you use your secret key. The pass phrase is case-sensitive, and should not be too short or easy to guess. It is never displayed on the screen. Don't leave it written down anywhere where someone else can see it, and don't store it on your computer. If you don't want a pass phrase (You fool!), just press return (or enter) at the pass phrase prompt.

The public/secret key pair is derived from the RSA process and large random numbers generated from measuring the intervals between your keystrokes with a fast timer. Note that RSA key generation is a VERY lengthy process.

The generated key pair will be placed on your public and secret key rings.

You can later use the "Extract" command option to extract (copy) your new public key from your public key ring and place it in a separate public key file suitable for distribution to your friends. The public key file can be sent to your friends for inclusion in their public key rings. Naturally, you keep your secret key file to yourself, and you should include it on your secret key ring. Each secret key on a key ring is individually protected with its own pass phrase.

Never give your secret key to anyone else. For the same reason, don't make key pairs for your friends. Everyone should make their own key pair. Always keep physical control of your secret key, and don't risk exposing it by storing it on a remote timesharing computer. Keep it on your own personal computer.

Make sure you don't lose your unique public and private key pair to faulty storage media or carelessness: make backups! If you lose your key you will cause inconvenience to everyone who holds that public key half of the pair, who have to communicate with you and replace it with your new one. Also, whenever this happens, it weakens the security of the 'trust web' in that people are being asked to make key modifications on faith and not from the existence of a secure "revocation certificate".

• Add keys...

Use this command to add a public or secret key file's contents to your public or secret key ring (note that [brackets] denote an optional field). A key file may contain multiple keys.

The optional keyring file name defaults to "pubring.pgp" or "secring.pgp", depending on whether the keyfile contains a public or a secret key. You may specify a different key ring file name under the "Options" menu.

If the key is already on your key ring, PGP will not add it again. All of the keys in the keyfile are added to the keyring, except for duplicates. If the key being added has attached signatures certifying it, the signatures are added with the key. If the key is already on your key ring, PGP just merges in any new certifying signatures for that key that you don't already have on your key ring.

• View keyring...

Use this command to view the contents of your public key ring. This lists any keys in the key ring that match the specified user ID substring. If you omit the user ID, all of the keys in the key ring are listed. The optional keyring file name is assumed to be "pubring.pgp". It can be omitted, or you can specify "secring.pgp" if you want to list secret keys. If you want to specify a different key ring file name, you can.

To see all the certifying signatures attached to each key, use the "verbose" flag under the Options menu.

• Check signatures...

To have MacPGP perform a full analysis of your public key ring, use the key ring check command. Associated with the keys in a keyring are signatures of introducers attesting to authenticity, from which trust parameters and validity scores associated with keys are derived.

Normally, PGP automatically checks any new keys or signatures on your public key ring and updates all the trust parameters and validity scores. In theory, it keeps all the key validity status information up to date as material is added to or deleted from your public key ring. But perhaps you may want to explicitly force PGP to perform a comprehensive analysis of your public key ring, checking all the certifying signatures, checking the trust parameters, updating all the validity scores, and checking your own ultimately-trusted key against a backup copy on a write-protected floppy disk. It may be a good idea to do this hygienic maintenance periodically to make sure nothing is wrong with your public key ring.

Since your own trusted public key is used as a final authority to directly or indirectly certify all the other keys on your key ring, it is the most important key to protect from tampering. To detect any tampering of your own ultimately-trusted public key, PGP can be set up to automatically compare your public key against a backup copy on write-protected media.

For further details, see the sections "How to Protect Public Keys from Tampering" and "How Does PGP Keep Track of Which Keys are Valid?" in the Essential Topics volume.

• Extract Key...

Use this command to extract (copy) a key from your public or secret key ring. This non-destructively copies the key specified by the user ID from your public or secret key ring to the specified key file. This is the approach used to give a copy of your public key to someone else.

If the key has any certifying signatures attached to it on your key ring, they are copied off along with the key.

If you want the extracted key represented in printable ASCII characters suitable for email purposes, use the "ASCII Output" flag under the Options menu.

• Certify Key

Use this command to certify someone else's key in your keyring as genuine. A file 'certificate' is created holding their public key signed by you to attest its authenticity. You serve as the intermediate trusted 'introducer' for that key to others by passing them the certificate.

If you are asked to sign someone else's public key certificate, make certain that it really belongs to the person named in the user ID of that public key certificate. This is because your signature on her public key certificate is a promise by you that this public key really belongs to her. Other people who trust you will accept her public key because it bears your signature. It may be ill-advised to rely on hearsay; don't sign her public key unless you have independent firsthand knowledge that it really belongs to her. Preferably, you should sign it only if you got it directly from her.

In order to sign a public key, you must be far more certain of that key's ownership than if you merely want to use that key to encrypt a message. To be convinced of a key's validity enough to use it, certifying signatures from trusted introducers should suffice. But to sign a key yourself, you should require your own independent firsthand knowledge of who owns that key. Perhaps you could call the key's owner on the phone and read the key file to her to get her to confirm that the key you have really is her key, and make sure you really are talking to the right person. See the "Fingerprint key" command and the section "Verifying a Public Key Over the Phone" in the Special Topics volume for further details.

Bear in mind that your signature on a public key certificate does not vouch for the integrity of that person, but only vouches for the integrity (the ownership) of that person's public key. You aren't risking your credibility by signing the public key of a sociopath, if you were completely confident that the key really belonged to him. Other people would accept that key as belonging to him because you signed it (assuming they trust you), but they wouldn't trust that key's owner. Trusting a key is not the same as trusting the key's owner.

For further details, see the sections "How to Protect Public Keys from Tampering" and "How Does PGP Keep Track of Which Keys are Valid?" in the Essential Topics volume.

• Edit Key...

Use this command to change the trust parameters associated with someone else's key, to edit your user ID on your public key, or to change the pass phrase for your secret key.

Sometimes you may need to change your pass phrase, perhaps because someone looked over your shoulder while you typed it in. Or you may need to change your user ID, because you got married and changed your name, or maybe you changed your E-mail address. Or maybe you want to add a second or third user ID to your key, because you may be known by more than one name or E-mail address or job title. PGP lets you attach more than one user ID to your key, any one of which may be used to look up your key on the key ring.

Sometimes you need to alter the trust parameters for a public key on your public key ring. For a discussion on what these trust parameters mean, see the section "How Does PGP Keep Track of Which Keys are Valid?" in the Essential Topics volume of the PGP User's Guide. In short, the trust parameters are a method of judging the authenticity of the keys.

If you received the key for a person via a third party, you are susceptible to a "spoofing" attack whereby the intermediary supplies a false key.

Complex systems and structures have been proposed for "certifying authorities and hierarchies", but PGP simply lets the user choose their own scheme. Phil Zimmermann writes under "How to Protect Public Keys from Tampering" in the Special Topics volume:

"For more decentralized grassroots 'guerrilla style' environments, allowing all users to act as trusted introducers for their friends would probably work better than a centralized key server. PGP tends to emphasize this organic decentralized non-institutional approach. It better reflects the natural way humans interact on a personal social level, and allows people to better choose who they can trust for key management."

• Remove Key...

Use this command to remove a key or a user ID from your public key ring. PGP searches for the specified user ID in your key ring, and removes it if it finds a match. Remember that any fragment of the user ID will suffice for a match. The optional keyring file name is assumed to be literally "pubring.pgp". It can be omitted, or you can specify "secring.pgp" if you want to remove a secret key. You may specify a different key ring file name.

If more than one user ID exists for this key, you will be asked if you want to remove only the user ID you specified, while leaving the key and its other user IDs intact.

• Remove signatures...

Use this command to remove the signatures associated with a given key. You can use this to indicate that a signature is no longer considered trustworthy so that PGP will update trust values for affected keys accordingly.

• Disable/enable key...

This command can be used to temporarily enable or disable keys in a keyfile. This is useful to indicate that the trust of the key is not completely lost (in which case it should be removed) but "on hold".

This command is also used to revoke your own key. In this case a "revocation certificate" will be attached to your public key in your public keyring. Then use the "extract" command (see above) to extract your public key together with the attached revocation certificate.

• Fingerprint key...

This command will display the key with the 16-byte digest of the public key components. Read this 16-byte fingerprint to the key's owner on the phone, while she checks it against her own, using the same command at her end. You can both verify each other's keys this way, and then you can sign each other's keys with confidence. This is a safe and convenient way to get the key trust network started for your circle of friends.

If you get a public key from someone that is not certified by anyone you trust, how can you tell if it's really their key? The best way to verify an uncertified key is to verify it over some independent channel other than the one you received the key through. One convenient way to tell, if you know this person and would recognize them on the phone, is to call them and verify their key over the telephone. Rather than reading their whole tiresome (ASCII-armored) key to them over the phone, you can just read their key's "fingerprint" to them.
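The 16-byte fingerprint printed by the "Fingerprint key" command, and the over-the-phone comparison the text recommends, as an added example that is not part of this PGP documentation or of PGP's own code. It assumes PGP 2.6 keys are V3 RSA keys whose fingerprint, per RFC 4880 section 12.2, is the MD5 of the MPI bodies of n and e without their 2-byte length prefixes; the key values below are constructed and are not real keys.

```python
import hashlib
import hmac

# V3 (PGP 2.6) RSA public key material is stored as two MPIs, n then e: each is
# a 2-byte big-endian bit count followed by the big-endian magnitude. The V3
# fingerprint (RFC 4880, 12.2) is MD5 over the MPI bodies, not the length bytes.

def mpi_encode(value: int) -> bytes:
    """Encode a positive integer as a PGP MPI (bit count + magnitude)."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return value.bit_length().to_bytes(2, "big") + body

def mpi_decode(blob: bytes, offset: int = 0) -> tuple:
    """Return (value, body_bytes, next_offset) for the MPI starting at offset."""
    bits = int.from_bytes(blob[offset:offset + 2], "big")
    size = (bits + 7) // 8
    body = blob[offset + 2:offset + 2 + size]
    if len(body) != size:
        raise ValueError("truncated MPI")
    return int.from_bytes(body, "big"), body, offset + 2 + size

def v3_fingerprint(key_material: bytes) -> bytes:
    """16-byte fingerprint of key material laid out as MPI(n) || MPI(e)."""
    _, n_body, off = mpi_decode(key_material)
    _, e_body, off = mpi_decode(key_material, off)
    if off != len(key_material):
        raise ValueError("trailing bytes after e")
    return hashlib.md5(n_body + e_body).digest()

def display(fp: bytes) -> str:
    """Format as PGP prints it: hex byte pairs separated by single spaces."""
    return " ".join(f"{b:02X}" for b in fp)

def matches_spoken(fp: bytes, spoken: str) -> bool:
    """Compare a fingerprint read out over the phone (any spacing or case)
    against the one computed locally, without leaking where they differ."""
    heard = "".join(spoken.split()).upper()
    return hmac.compare_digest(display(fp).replace(" ", ""), heard)

# Constructed sample values (not real keys): a toy modulus with e = 17, and a
# substituted modulus such as an intermediary might hand you instead.
GENUINE_KEY = mpi_encode(0xC5C6F3B1D2E8A9F7) + mpi_encode(17)
SPOOFED_KEY = mpi_encode(0xC5C6F3B1D2E8A9F8) + mpi_encode(17)

if __name__ == "__main__":
    mine = v3_fingerprint(GENUINE_KEY)
    print("Key fingerprint =", display(mine))
    # A spoofed key fails the phone check even though it carries the same user ID.
    print("spoofed key passes:", matches_spoken(v3_fingerprint(SPOOFED_KEY), display(mine)))
```

RFC 4880 deprecates the V3 fingerprint because it uses MD5 and omits the MPI lengths, so distinct key blobs can share one; the independent-channel comparison the text recommends is still the defence that matters, and modern keys use the SHA-1 based V4 fingerprint instead.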