Frequently Asked Questions


1. What's the use of an OpenPGP key?

An OpenPGP key is used to authenticate what you write as coming from yourself. It is also used by people who want to encrypt something to you in a way that only you can read.

2. What is the purpose of a Key Signing Party?

The original problem of authentication (Are you really you?) ends up transferred to your key (Is this key really yours?). The key is much more easily transmitted by electronic means than you are, right? :-)

The problem of assuring that the key is yours is assigned to a virtual entity known as the Web of Trust. I might not know you, but I can be pretty sure that a given key really belongs to you because it was signed by Joe Doe, whom I personally know and trust not to sign your key unless he had met you. Got it? At the very least, it creates a clear referral path: at any given moment I can ask Joe Doe about you, whether you really exist, whether Joe Doe has seen your identity documents before signing your key, etc.

The purpose of a Key Signing Party is to increase the Web of Trust. In other words, to increase the probability of an authentication based on trust (as I described above).

3. I still don't get it. Can you give me an example?

If you check my key's signature list it might become easier to understand. If you know any of the people listed as having signed my key (and you also know their keys), you can trust my key as well, got it? This means two things:

  • if you have something secret, that is for my eyes only, you can encrypt it and send it to me using my key, since you trust it.

  • if I send you something signed by my key, you can also trust that it really came from me.
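As an added illustration of the Web of Trust described in questions 2 and 3 (example code, not part of the original FAQ), the following Python models a key's signature list as a graph: a key is valid when at least one signer you personally trust has signed it, and the referral path is the chain of signers leading back to such a trusted key. All key names and signatures below are constructed sample data, not real keys.

```python
# Added example: a minimal model of the Web of Trust. Key names and the
# signature lists are constructed sample data, not real OpenPGP keys.
from collections import deque

# Keys whose owners you have met in person and whose ID you checked;
# you trust them as introducers (constructed sample).
MY_TRUSTED_SIGNERS = {"JOE"}

# Constructed "signature lists": key -> set of keys that signed it.
SIGNATURES = {
    "PABLO": {"JOE", "DIRECTORY"},  # signed by Joe and by an automated directory key
    "ANN": {"PABLO"},               # signed only by Pablo
    "BOB": {"DIRECTORY"},           # signed only by the automated directory key
}


def is_valid(key, trusted=MY_TRUSTED_SIGNERS, sigs=SIGNATURES):
    """A key is valid if at least one of its signers is a key you trust.
    A signature from a key you do not trust (such as an automated
    directory's verification key) adds nothing to its validity."""
    return any(signer in trusted for signer in sigs.get(key, ()))


def referral_path(key, trusted=MY_TRUSTED_SIGNERS, sigs=SIGNATURES, max_hops=5):
    """Return the shortest chain of signers from a trusted key down to
    `key` (the 'referral path' of question 2), or None if no trusted key
    is reachable within `max_hops` signatures. Breadth-first search."""
    queue = deque([(key, [key])])
    seen = {key}
    while queue:
        current, path = queue.popleft()
        if current in trusted:
            return list(reversed(path))  # trusted key first, `key` last
        if len(path) > max_hops:
            continue
        for signer in sorted(sigs.get(current, ())):
            if signer not in seen:
                seen.add(signer)
                queue.append((signer, path + [signer]))
    return None


if __name__ == "__main__":
    for k in SIGNATURES:
        print(k, "valid" if is_valid(k) else "NOT valid", referral_path(k))
```

Ann's key has a referral path (Joe signed Pablo, Pablo signed Ann) but is not valid until you decide to trust Pablo as an introducer, which is exactly the kind of decision the Web of Trust leaves to you; Bob's key, signed only by the directory key, has neither.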

4. OK. Then where do I buy my OpenPGP key?

You don't need to buy an OpenPGP key. You need to generate one. Although OpenPGP keys work like certificates, only the latter have to be bought (and there are some Certification Authorities that issue them free of charge).

It's a trade-off. With the certificates, you trust the ones who've issued them. You trust no one will break into their computers and compromise the Certification Authority. With OpenPGP keys you replace the Certification Authority with the Web of Trust.

It's all a matter of what kind of trust you need... There are people who trust a Certification Authority more, who think a "safe-room" is inviolable (although the CA personnel go in and out every day), that its computers are secure, etc. There are people who live better knowing they don't need to trust any of this, and that they can use a Web of Trust for the same purpose.

Hm... this is a long subject. In the end we'll discuss Security through Obscurity...

5. But the server at keyserver.pgp.com signs my key. Does this guarantee my identity without the Web of Trust?

No. There are no identity guarantees. Even the Web of Trust just provides a system through which an identity authentication can be made. The fact that the keyserver at keyserver.pgp.com signs your key with another key called "PGP Global Directory Verification Key" might actually just add to the confusion, inducing the unaware user to trust a key signed by it. The maintainers of this keyserver warn that "there is always a risk that the verified key in the PGP Global Directory is not actually owned by the person who appears to own it. (...) The PGP Global Directory is not a replacement for the PGP Web of Trust".

6. The keyserver at ksp.softwarelivre.org reported an error code number XXX. What does it mean?

The keyserver at ksp.softwarelivre.org uses the same error code numbering as HTTP servers. Refer to the keyserver error list to understand what a particular error code means.

7. Do I have to sign everybody's keys?

Generally, during a key signing party, no actual signing happens (just the exchange of keys and the checking of ID cards). Signing the keys after the party is your own decision. Do not assume your key will be signed just because you took part in a key signing party. People participating in the party have the most diverse goals and criteria, and may believe that the criteria adopted by a particular party are not up to their personal standards. No one is required to sign anyone else's key, and no one can require anyone else to sign their key.

8. Can I bring an ID card taken when I was a child?

If you are still a child, that's ok :-). Now, if you no longer look like the person in the ID card, the chance you'll have your key signed drops drastically. It's like Jon 'Maddog' Hall once said: "One thing that keeps me from signing a key is the dubiousness of the ID. Someone who shows me an Identity card taken when they are four years old, and now they are 23 and have long hair and a beard (or the opposite, they had long hair and a beard when the ID was taken and now have a shaven head and no beard) makes me dubious unless I have known them a long time. Good ID goes a long way to having a key actually signed." No need to add to that.

9. I am not able to retrieve any key from ksp.softwarelivre.org. Is it down?

Actually, the keyserver at ksp.softwarelivre.org is "send-only". You must get the participants' keys from the Available Parties page.

-- PabloLorenzzoni - 05 Nov 2010

Topic revision: r6 - 16 Apr 2012 - 11:48:26 - PabloLorenzzoni
