[ubuntu-uk] Code of conduct/GPG

Tony Arnold tony.arnold at manchester.ac.uk
Fri Sep 1 16:34:33 BST 2006


On Fri, 2006-09-01 at 15:55 +0100, Tez wrote:
> Steve Smith wrote:
> > I'm trying to get to the bottom of what GPG is and how it works.  I
> > can't find a description that covers the absolute basics of what it
> > is, would anyone care to explain to me?  Does it have anything to do
> > at all with the actual computer you create it on, or is it just
> > completely random?  How does it actually provide proof of
> > identification, etc. in practice?
> >
> > Thanks :)
> > Steve
> >
> >   
> I'm no expert in gpg but, basically you create a key with your name and
> email to sign/encrypt data with, in order to let others verify that the
> key is yours you need to send it to a keyserver which others can check
> against. The keyservers update from each other so if you send your key to
> one (like "keyserver.ubuntu.com") then other servers will be updated
> with your key as well.

To clarify this, you create a key pair. One is private which you keep to
yourself and secure and the other is public which you can publish
anywhere you like including keyservers as mentioned above.

When you send a document to someone else you can sign it using your
private key. The recipient can then check the signature using your
public key. The signing is such that if the document is altered in
transit, the signature is no longer valid.

If someone wants to send you a document that only you can read, then he
can encrypt it using your public key. Only the person with the
corresponding private key is able to decrypt such a document. The
encryption is very strong and impossible to crack with today's
technology.

The question then is, how does someone know the public key they have is
really yours? Well, the keys themselves can be signed by others who can
verify you are who you say you are. These signatures can be seen in a
public key, so the more there are, the more trust you can put in the
public key. If you really want to make sure you should contact the owner
of the key personally (by telephone or face to face) and confirm the key
ID with them. You can then sign their public key yourself or set it to be
very trustworthy.

Hope this helps.

Regards,
Tony.
-- 
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
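
The sign, alter, verify and encrypt/decrypt steps described in the message above, as an added example that is not part of the original post. It assumes GnuPG 2.1 or later is installed; the user ID, file names and message text are constructed for the demo, and everything happens in a throwaway keyring.

```shell
#!/bin/sh
# Added example: a throwaway keyring, so no real keys are touched.
# User ID, file names and message text are constructed for this demo.

demo_setup() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Create the key pair; the private half never leaves $GNUPGHOME.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo User <demo@example.invalid>' default default never
    printf 'Meet at noon.\n' > "$GNUPGHOME/doc.txt"
}

sign_doc() {      # detached signature, made with the private key
    gpg --batch --yes --armor --detach-sign \
        -o "$GNUPGHOME/doc.txt.asc" "$GNUPGHOME/doc.txt"
}

verify_doc() {    # exit status 0 only if the signature matches the file as it is now
    gpg --batch --verify "$GNUPGHOME/doc.txt.asc" "$GNUPGHOME/doc.txt" 2>/dev/null
}

roundtrip() {     # encrypt to the public key, then decrypt with the private key
    gpg --batch --yes -r demo@example.invalid \
        -o "$GNUPGHOME/doc.gpg" -e "$GNUPGHOME/doc.txt" &&
    gpg --batch --quiet -d "$GNUPGHOME/doc.gpg" 2>/dev/null
}

fingerprint() {   # the value to read out when confirming a key with its owner
    gpg --batch --with-colons --fingerprint demo@example.invalid |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

demo_cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}

run_demo() {
    demo_setup || return 1
    sign_doc && verify_doc && echo "original: good signature"
    printf 'Meet at one.\n' > "$GNUPGHOME/doc.txt"   # alter the document "in transit"
    verify_doc || echo "altered: signature rejected"
    echo "decrypted: $(roundtrip)"
    echo "fingerprint: $(fingerprint)"
    demo_cleanup
}

if command -v gpg >/dev/null 2>&1; then run_demo; fi
```

To check someone else's key rather than your own, compare the output of `gpg --fingerprint` for their key with what they tell you by telephone or face to face.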
