[ Thanks to rusty
for this link. ]
“This article will be a tutorial overview of using Gnu
Privacy Guard to generate your own public keys. It will also
discuss some of the principles of public key systems.”
“Gnu Privacy Guard is a publicly available implementation of the
RFC2440 (“OpenPGP”) standard. It is covered by the Gnu Public
Licence, and developed mainly in Germany, a country known for its
non-Orwellian encryption stance.”
“Public key cryptography, as discussed in previous articles,
minimizes some of the problems with symmetrical encryption.
However, you still need to verify the trust of the keys you accept.
There are two solutions to this problem that have been
implemented.”
“The first are central key servers, run by third parties. They
allow people to register their keys, revoke their keys, and find
other people’s keys from an index. Two such keyservers are pgp.net
and keyserver.net. pgp.net is an older service, mainly PGP v5
related, whereas keyserver.net is a newer OpenPGP key server.”
“The other solution to trust is signing of keys by a third
party. Let’s say that two people, Bob and Trent, trust each other,
and have exchanged keys directly (perhaps via floppy disk). Alice is
an associate that Trent met through the internet. She meets Bob for
the first time on #kuro5hin. Bob doesn’t know her, but Trent trusts
her. Trent signs Alice’s key, after she mails him a copy of it on a
floppy. Bob accepts the key signed by Trent through the internet,
because he can verify its signature against the copy he exchanged
securely. Because of this, Bob, Alice, and Trent can soon build a
web of trust. The only problem is, of course, the weakest link in
the chain. If Bob signs a key he didn’t otherwise verify, problems
can occur.”
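Bob's side of the quoted scenario, worked as an added example (my own code, not from the linked article or from GnuPG itself): it models Bob's keyring as a list of key signatures plus the owner trust he assigned, and applies GnuPG's default web-of-trust rule (one fully trusted signer or three marginally trusted ones, certification chains at most five hops long) to decide which keys Bob should treat as valid. The names, the extra keys Mallory and Carol, and the signatures are constructed for the example; the "weak link" is Trent signing a key he never checked.

```python
from collections import defaultdict

# Bob's keyring, constructed for this example. Each signature is
# (signer, signed key): the signer certified that the key belongs to
# the named person.
KEYS = {"bob", "trent", "alice", "mallory", "carol"}
SIGNATURES = [
    ("bob", "trent"),      # Bob and Trent exchanged keys directly (the floppy)
    ("trent", "alice"),    # Trent checked Alice's key before signing it
    ("alice", "carol"),    # Alice vouches for Carol
    ("trent", "mallory"),  # the weak link: Trent signed a key he never verified
]

# Owner trust as Bob assigned it: how far he trusts each person's signatures.
# "ultimate" is Bob's own key; "full" is Trent, whose key he verified himself.
OWNER_TRUST = {"bob": "ultimate", "trent": "full", "alice": "marginal"}

COMPLETES_NEEDED = 1   # GnuPG default: one fully trusted signer suffices
MARGINALS_NEEDED = 3   # GnuPG default: three marginally trusted signers
MAX_CERT_DEPTH = 5     # GnuPG default: longest accepted certification chain


def valid_keys(keys, signatures, owner_trust):
    """Return {key: depth} for every key Bob should treat as valid.

    A key becomes valid when enough already-valid keys signed it: one whose
    owner Bob trusts fully (or ultimately), or MARGINALS_NEEDED marginal
    ones. Validity spreads outward one hop per round, so the depth is the
    length of the shortest certification chain back to Bob's own key.
    """
    signers_of = defaultdict(set)
    for signer, signed in signatures:
        if signer in keys and signed in keys:
            signers_of[signed].add(signer)
    valid = {k: 0 for k, t in owner_trust.items() if t == "ultimate" and k in keys}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for key in keys - set(valid):
            trusted = [s for s in signers_of[key] if s in valid]
            full = sum(owner_trust.get(s) in ("ultimate", "full") for s in trusted)
            marginal = sum(owner_trust.get(s) == "marginal" for s in trusted)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


if __name__ == "__main__":
    for key, depth in sorted(valid_keys(KEYS, SIGNATURES, OWNER_TRUST).items()):
        print(f"{key:8s} valid via a chain of {depth} hop(s)")
```

Mallory's key comes out valid only because Trent signed it and Bob trusts Trent fully; lowering Trent's owner trust to marginal drops both Alice and Mallory, which is the "weakest link" the article warns about.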