Kuro5hin: Gnu Privacy Guard tutorial, part 1
May 02, 2000, 06:56
(Other stories by Inoshiro)
[ Thanks to rusty for this link. ]
"This article will be a tutorial overview of using Gnu Privacy Guard to generate your own public keys. It will also discuss some of the principles of public key systems."
"Gnu Privacy Guard is a publicly available implementation of the RFC2440 ("OpenPGP") standard. It is covered by the Gnu Public Licence, and developed mainly in Germany, a country known for its non-Orwellian encryption stance."
"Public key cryptography, as discussed in previous articles, minimizes some of the problems with symmetrical encryption. However, you still need to verify the trust of the keys you accept. There are two solutions to this problem that have been implemented."
"The first are central key servers, run by third parties. They allow people to register their keys, revoke their keys, and find other people's keys from an index. Two such keyservers are pgp.net and keyserver.net. pgp.net is an older service, mainly PGP v5 related, whereas keyserver.net is a newer OpenPGP key server."
"The other solution to trust is signing of keys by a third party. Let's say that two people, Bob and Trent, trust each other, and have exchanged keys directly (perhaps via floppy disk). Alice is an associate that Trent met through the internet. She meets Bob for the first time on #kuro5hin. Bob doesn't know her, but Trent trusts her. Trent signs Alice's key, after she mails him a copy of it on a floppy. Bob accepts the key signed by Trent through the internet, because he can verify its signature against the copy he exchanged securely. Because of this, Bob, Alice, and Trent can soon build a web of trust. The only problem is, of course, the weakest link in the chain. If Bob signs a key he didn't otherwise verify, problems can occur."
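
The web-of-trust scenario in the excerpt can be modelled as a small graph walk. The following is an added example, not code from the Kuro5hin article or from GnuPG: it is a simplified model (not GnuPG's actual trust computation), and the `INTRODUCERS` table, the "Mallory" key and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed data for the Bob/Trent/Alice story; all names are illustrative.
# DIRECT[viewer] = keys the viewer verified in person (e.g. floppy exchange).
DIRECT = {"Bob": {"Trent"}, "Trent": {"Bob", "Alice"}, "Alice": {"Trent"}}
# Whose signatures each viewer is willing to rely on (assumed, not from GnuPG).
INTRODUCERS = {"Bob": {"Trent"}, "Alice": {"Trent", "Bob"}}
# CERTS[signer] = keys that signer has signed.
CERTS = {"Trent": {"Alice", "Bob"}, "Bob": {"Trent"}}


def accepted_keys(viewer, certs, introducers=INTRODUCERS, direct=DIRECT):
    """Map each key `viewer` accepts to the chain that justifies it."""
    paths = {k: [viewer, k] for k in sorted(direct.get(viewer, ()))}
    queue = deque(paths)
    while queue:
        signer = queue.popleft()
        if signer not in introducers.get(viewer, ()):
            continue  # key is accepted, but its owner's signatures carry no weight
        for key in sorted(certs.get(signer, ())):
            if key != viewer and key not in paths:
                paths[key] = paths[signer] + [key]
                queue.append(key)
    return paths


def with_careless_signature(certs, signer, unverified_key):
    """Copy of `certs` where `signer` signed a key without checking its owner."""
    out = {s: set(keys) for s, keys in certs.items()}
    out.setdefault(signer, set()).add(unverified_key)
    return out


if __name__ == "__main__":
    # Bob accepts Alice's key only because Trent, whom he verified, signed it.
    print(accepted_keys("Bob", CERTS))
    # Weakest link: one unchecked signature by Bob reaches everyone relying on Bob.
    bad = with_careless_signature(CERTS, "Bob", "Mallory")
    print(accepted_keys("Alice", bad))
```

The returned chain shows which signer each acceptance depends on, which is the place to look when deciding whose signatures to rely on.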