PGP: looking for advice on settings

Trevor Smith pmmail@rpglink.com
Wed, 22 Mar 2000 19:52:20 -0400 (AST)


On Wed, 22 Mar 2000 18:25:53 -0500, Andrew Webber wrote:

>I suppose it would be less work to exit PMMail when I leave my desk

Yes, it would. Or you could just use OS/2's 'lockup' feature to lock
your Desktop after a few minutes of inactivity.

>I just switched from cablemodem (smokin' fast) to ADSL/1-meg-modem
>(reasonably brisk).  But even at 33.6, even dialled into a local
>Compuserve node, or even dialled long distance mid-day from
>California to my ISP in Ottawa, I didn't consider that signature
>block to be a significant addition to the load.  This was when I
>used PMMail98 Standard Edition, i.e. until this morning. ;)

I agree with you. Someone else said (correctly) that some people will
complain about the extra bandwidth, and there probably is an argument
to be made for 'needless' info being sent but from an individual
standpoint, you'd have to have an awfully slow connection to worry
about the download.

>>The fingerprint is a "summary" of your public key (or 
>>something like that). If I have your fingerprint and your 
>>public key, I can confirm that the key is valid,
>
>Is there any easy way to compare them in PMMail?

No, not that I know of, but I rarely use the Windows version. Anyone?
PGP at a command line will show a list of keys you have, including
their fingerprints, probably most Windows PGP GUI clients will do the
same.

>Is it much of a security risk to put it on a public server?  I was

Not at all -- for your PUBLIC key.
But NEVER send your PRIVATE key to ANYONE!

The whole point of the private/public key system is to *ALWAYS* keep
your private key PRIVATE (NEVER give it out to anyone or put it
anywhere where it can be accessed by the public) but to give out your
PUBLIC key to as many people as want it.

This means you send only your PUBLIC key to a keyserver.

Having your PUBLIC key will only allow people to send you encrypted
messages or to confirm that your signature is valid, when they
receive signed messages from you. They will never be able to "hack"
anything with your PUBLIC key (unless they have access to many
supercomputers, work for the NSA or are some sort of
hyper-mathematical genius, the likes of which is unknown in the world
today).

Just in case I've been too vague above <g> let me repeat:

Guard your PRIVATE key at all costs!
Give your PUBLIC key to anyone you want to.

>thinking of an un-linked, un-titled page on my website.  Or just
>emailing it out on request.  How big is a public key, anyway?  (I

This is also sufficient for most people, probably. Usually only
people who know you will want to send you encrypted email, right?
Having your key on a keyserver is just a convenience.

My public key is 49 lines of text, 3002 bytes. My key is a 4096-bit
DSS/DH key.

Imagine a one-line email (less than 250 bytes) with a 3,000 byte key
added to it! Seems wasteful, doesn't it? Again, bandwidth isn't
really that dear, but it's the principle of the thing.

>Uh oh, something strange just happened while I was writing this.
>
>- I sent a signed but unencrypted email to a friend who I'm pretty
>sure doesn't have PGP support.
>- He replied, I assume including my PGP signature block as part of
>the quoted material.
>- His reply has a yellow key in my inbox.
>- When I open the email it says it was signed by me, at the same
>time as my earlier message to him!
>
>Is this normal?

:-) Yes, normal, but also confusing. I thought this was wrong when I
first saw it too but here's the scoop:

When you 'sign' a message, PGP adds 1):

-----BEGIN PGP SIGNED MESSAGE-----

2):

-----BEGIN PGP SIGNATURE-----

and 3):

-----END PGP SIGNATURE-----

to the message. Everything between 1) and 2) is what is guaranteed by
PGP to be the original text authenticated in the signature (the text
between 2) and 3) ). So, if someone includes your entire message,
including the -----BEGIN PGP SIGNED MESSAGE----- line, and the entire
signature, PMMail/PGP see that as a valid block.

>And what's the difference between a yellow key and a grey key?

Yellow key means it was signed or encrypted; grey key means it was
signed or encrypted *and* has an attachment (note that public keys
are considered attachments).


-- 
 Trevor Smith          |          trevor@haligonian.com
 PGP public key available at: www.haligonian.com/trevor

PGP Public Key Fingerprint= A68C C4EC C163 5C0A 6CFA  671F 05D4 0B30 318B AFD6
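The clearsigned layout described above (markers 1) to 3) and the text each encloses), as an added Python example that is not part of the original post: it locates every complete clearsigned block in a message body, which is why a reply that pastes the whole original unquoted still carries a block PGP can check, while a '>'-quoted copy does not. The sample reply is constructed, the signature data is a placeholder, and the function checks structure only, not the signature itself.

```python
from typing import List, Tuple

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def find_clearsigned_blocks(body: str) -> List[Tuple[str, str]]:
    """Return (signed_text, signature_armor) for each complete block in body."""
    lines, blocks, i = body.splitlines(), [], 0
    while i < len(lines):
        if lines[i] != BEGIN_SIGNED:  # marker 1) must start its own line
            i += 1
            continue
        i += 1
        while i < len(lines) and lines[i] != "":  # skip "Hash:" headers
            i += 1
        i += 1
        text = []
        while i < len(lines) and lines[i] != BEGIN_SIG:
            # Undo "- " dash-escaping so we recover exactly what was signed.
            text.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])
            i += 1
        if i >= len(lines):
            break  # marker 2) never appeared: incomplete block
        sig = []
        while i < len(lines) and lines[i] != END_SIG:
            sig.append(lines[i])
            i += 1
        if i >= len(lines):
            break  # marker 3) never appeared: incomplete block
        sig.append(lines[i])
        i += 1
        blocks.append(("\n".join(text), "\n".join(sig)))
    return blocks

# Constructed sample reply that pastes the whole original, unquoted.
REPLY_INTACT = """Thanks, got it.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Meet at noon.
- - bring the key
-----BEGIN PGP SIGNATURE-----

iQA/AwUBCONSTRUCTEDSAMPLE==
-----END PGP SIGNATURE-----
"""
# The same reply with every line '>'-quoted: no marker starts a line.
REPLY_QUOTED = "\n".join(">" + ln for ln in REPLY_INTACT.splitlines())
```

Running it on REPLY_INTACT yields one block whose signed text is the two lines between markers 1) and 2) with the dash-escape removed; REPLY_QUOTED yields none.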