PGP Pub Key signing for dummies
Hello boy’s and girls. My name is Brandon, and I’m a dummy.
First of all, this is not a tutorial on *how* to get started with PGP/GPG. There are tons of guides for that, I don’t need to create another.
What I do want to do is compile a flow of idea’s that I had trouble grasping after reading other peoples guides. So if you are getting started,
but were looking for a guide on the how, maybe read this and then move on…or move on, and come back if you get confused.
I’ve never really had a firm understanding on gpg/pgp key pairs and signing and encryption and all that good stuff.
I mean, obviously I knew that you have a public key from person X so you can encrypt it and they can decrypt it with their private key, and vice versa.
That is simple enough, easy to understand. I’m sure everyone gets that. What is slightly less straight forward (at least if you are a dummy like me)
is the idea of signing.
And I don’t just mean “I signed this email, so you know its from me.” I get that. I’m not going to go into that.
What I didn’t know about, and after hearing about it I didn’t really understand: THE WEB…OF…TRUST!!!!
For those not in the know, gpg/pgp (openPGP standard) does not intrinsically have a centralized management system. I can generate a key, but there is no way for
you to know that the key that random person on the internet claims is me, is actually from me. This is where the idea of signing comes in.
Let’s start with the basics, for the purpose of this little article I’m going to refer to GPG (gnuPrivacyGuard).
You have a key-ring. On that keyring you have your shiny private key, and your shiny public key. At first that key is only signed by YOU. It’s
basically just like holding out a piece of paper that say’s “My name is Bob, you can trust me, because my name is bob.” Obviously when “bob” signs
something, you will never be sure if bob is really bob, or if his name is actually Jason and he’s actually a rat faced liar. It’s the internet,
anyone could make a certificate that say’s their name is bob.
So what you can do, is export your key, doing something along the lines of:
gpg --armor --export firstname.lastname@example.org > bmgraves.asc
this exports an asci copy of
my public key into the file “bmgraves.asc” that can be handed about freely…Again though, this is just the “My name is bob.” version of the key. What can be done to
help this problem though, is key signing. If bob knows a guy named John, john can sign bob’s key and say “yeah, this guy’s name is bob, this is TOTALLY bob.”
And this is where I got a bit lost, because what happens next? Well, then john exports the key and gives it back signed, and bob imports it back into his keyring,
and BOOM the key-ring UPDATES and now when you export your key, it will have John’s signature on it… and as time goes on, you will have more signatures attesting
that you are you, and bob is bob. The long game theory of this is creating the web of trust, as linked above, but if you didn’t want to read about it…it works like this:
John knows bob
Bob knows Sally
Sally and John have never met, but need to now interact with each other
Well, sally sends an email to john and signs it. John takes the public key, and uses that to verify the signature,
the signature say’s “yup that’s sally” but how does john know that sally is really sally? Well, john looks at the key
he used to verify that sally is sally, and notes that that key has been signed by bob. John then say’s,
“Oh bob, that waskally wabbit, if he say’s he knows sally, I definitely trust him, this must actually be sally”,
and then sally does the same thing when she gets the email from john. That bob guy, he brings people together.