[ubuntu-uk] Code of conduct/GPG

Paul Sladen ubuntu at paul.sladen.org
Fri Sep 1 16:37:08 BST 2006

On Fri, 1 Sep 2006, Steve Smith wrote:

Hello Steve,

> I'm trying to get to the bottom of what GPG is and how it works.

'gpg' is a program called "GNU Privacy Guard", which can be installed using
Add/Remove programs or by and command-line:

  sudo apt-get install gnupg

GPG uses encryption and fingerprints.  These are a bit like the Hot Wax seal
used on ancient letters;  the wax seal performed two main uses:

  1. A proof that the author was who they said they were.
  2. Ensuring that the contents had not been tampered with.

These proofs are much the same as we want in modern-day transactions;  when
you, or I, sign a document (the Ubuntu code-of-conduct) we need to know that
it was us, (and not anyway else /pretending/ to be us) that penned the

GPG helps us with this signing process---everyone has their own 'key' (like
their own wax-seal), and use of the 'key' is protected by a passphrase for
even more security so that other people can't "borrow" the 'key'.

A similar system is, a chip-and-pin credit card.  The chip in a card
internally contains a long-number (a key), protected by a pin-number. The
pin must be entered first and sent to the chip on the card, once the chip
has verified the pin, the main 'key' will be released.

So, to be able to sign something you need:

  1.  The document.
  2.  Your key, unique to your and stored on your hard-drive.
  3.  Your passphrase, secret and only known by you.

These three can be combined to produce a signed-document;  but you, ask, how
do you know that the signature comes _from_ you.  A bank normally checks
your signature, by comparing it to the copy they have on record, taken from
when you opened the account.

We have the same method of checking against a copy on 'record', but rely on
the trust of our friends to make the problem smaller.  So, I might know you
directly.  But if that's not possible, a friend of a friend of a friend who
knows you and confirms that you 'key' is associated with your face/name then
then I'm likely to trust the signation on that basis.

What we do is to check goverment-issued photo ID against your face, and then
the name against the name on your key;  and then 'sign' your key to so that
the association is true and correct.  This is perhaps similar to a doctor or
notary signing your passport photos before you apply for a new one.

  a.  Face -> Photo mapping (in Passport/Drivers' license)
  b.  Name -> key mapping (frequently with an email address)
  c.  Friend of a Friend, of a friend -> trust path

Again this is all done with 'keys' and "hot wax seals" so that the signature
of somebody else doing the confirmation cannot be faked.  There is some
information on the web at:


Hopefully that's enough to get your started, if you ask another question
I'll try to answer those aswell.

High on a tall bridge, surrounded by noisy lorries.  Nottingham, GB

More information about the ubuntu-uk mailing list