[Nottingham] Encryption and signing - Summary

Jason Irwin jasonirwin73 at gmail.com
Wed Apr 11 11:04:43 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apologies for the delay in sending this, but the delay has allowed me to
spot that the latest Distrowatch oggcast (451) has a reasonable audio
summary of signing/encryption as well.  Although they do refer to
"password" rather than "passphrase".
RSS: http://distrowatch.com/news/podcast.xml
Direct: http://distrowatch.com/podcast/dww20120409.ogg

An excellent talk given by Martin on the who, what, when, where, how and
why of signing/encryption.  Well received by the group that was there
and I for one think we should organise a more formal session on setting
up the tools, keys and doing a key signing session.

This would take a bit of organising (possibly involving other groups).
If there was enough notice, would anyone be interested?  Has anyone ever
run a key-signing party before and could offer advice?

A quick summary of what the talk covered...

What signing and encryption is:
1) Signing - An attempt to prove that the message/file came from the
person it claims to come from.
2) Encryption - An attempt to ensure that only the intended recipient(s)
can read the data.

How this works at a basic level:
1) Public key - used in signing and for encrypting other people's
messages.  The "lock" of the system.
2) Private key - used to decrypt.  The "key" of the system.
3) Passphrase - used with the private key to ensure the user is actually
the user.

The four different types of signing.
1) Traditional.  Text-only, degrades gracefully, but results in
"scrambled egg" at the bottom of an email (like this one, note that
gmail may screw it up).
2) S/MIME.  Uses attachments, no "scrambled egg", can sign attachments,
makes Outlook Express (spit) cry.
3) PGP/MIME.  Not supported by much.  Well, OK, not supported by Outlook.
4) X509 (or something like that).  So complicated people gave up on it.

http://www.phildev.net/pgp/pgp_clear_vs_mime.html
http://www.phildev.net/pgp/pgp-111705.pdf

Then the different tools:
1) GPG Privacy Assistant, Enigmail, PinEntry etc for the F/OSS lovers
amongst us.
2) For Outlook there are a few plug-ins (e.g. GPG4Win, but not for
Outlook 2010)
3) There are also GPG add-ons for whatever the heck it is a Mac uses
(Sorry to be vague, I don't have the links to hand)

The main thing I took away from it was that the "web" of trust can be
more reliable than the "chain" of trust we see with HTTPS certs etc as
there is not a single point of failure (recent news stories should be
lesson enough) and that trusting the key is not the same as trusting the
person; it's just an indication of how certain one is that that key is
that person.  A small, but important distinction in my book.

Martin-by-Proxy (Jason)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----
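An added example (not from the talk or this post) of the public key / private key / passphrase roles the summary lists, in Go using only the standard library. It assumes RSA with PSS signatures and OAEP encryption standing in for OpenPGP, and legacy PEM encryption standing in for gpg's passphrase-protected secret key; those are modelling choices, not how GnuPG works internally.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
)
// Keypair: Public is the "lock" (anyone may encrypt to it or verify with it); the private "key" is kept only as a passphrase-protected PEM block, so Sign and Decrypt need the passphrase.
type Keypair struct {
	Public     *rsa.PublicKey
	lockedPriv *pem.Block
}
// NewKeypair generates a 2048-bit RSA pair and locks the private half with legacy PEM encryption (x509.EncryptPEMBlock is deprecated but still in the standard library; it only models the passphrase step).
func NewKeypair(passphrase string) (*Keypair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	blk, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(priv), []byte(passphrase), x509.PEMCipherAES256)
	if err != nil { return nil, err }
	return &Keypair{Public: &priv.PublicKey, lockedPriv: blk}, nil
}
// unlock decrypts the stored private key; a wrong passphrase fails here.
func (k *Keypair) unlock(passphrase string) (*rsa.PrivateKey, error) {
	der, err := x509.DecryptPEMBlock(k.lockedPriv, []byte(passphrase))
	if err != nil { return nil, err }
	return x509.ParsePKCS1PrivateKey(der)
}
// digest hashes the message; PSS signs the hash, not the raw bytes.
func digest(m []byte) []byte { h := sha256.Sum256(m); return h[:] }
// Sign proves origin: only the private-key holder who knows the passphrase can produce it.
func (k *Keypair) Sign(passphrase string, msg []byte) ([]byte, error) {
	priv, err := k.unlock(passphrase)
	if err != nil { return nil, err }
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(msg), nil)
}
// Verify needs only the public key; a changed message or a different signer fails.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(msg), sig, nil) == nil
}
// Encrypt uses the recipient's public key, so anyone can send to them.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}
// Decrypt needs the recipient's private key and its passphrase; nobody else can read it.
func (k *Keypair) Decrypt(passphrase string, ct []byte) ([]byte, error) {
	priv, err := k.unlock(passphrase)
	if err != nil { return nil, err }
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```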
