GPG (GNU Privacy Guard) is a free implementation of PGP (Pretty Good
Privacy).  PGP is an encryption system used primarily for email.
Tomorrow at the meeting we'll have a chance to sign each other's PGP
keys, so I'd like to quickly mention why you want a PGP key, how to make
one, and what to bring tomorrow.  Signing your key lets other people
validate that it's yours.  Check out http://uug.byu.edu/web_of_trust/
where you can see how other UUG members have signed each other's keys.


************************************
- Why use PGP?

Email is incredibly insecure.  It's unbelievably insecure.  If you send
an email from wireless on-campus, anybody around can read your entire
message.  Any sysadmin between you and the destination can read your
message.  Usually it's really not that big a deal, but the rule of thumb
is to never send a message if you would care if it were accidentally
CC'd to uug-list.

Even if nobody reads your mail, it's incredibly easy to send fake
messages.  It's almost as easy to send a fake message as to send a
normal email message.  If you aren't paying really close attention, it's
easy to get tricked (I admit I've been tricked before).

There are three major reasons to use PGP:

1) People can tell if a message is genuinely from you and not tampered
with.  Every message sent by a PGP user (including the message you are
reading) is accompanied by a signature which ensures that the message
was sent by the claimed sender and that the message has not been
modified.  It's great for the peace of mind, and besides, many spam
filters take PGP signatures into account.

2) You can send encrypted messages to other people.  You should _never_
email a password unless the email is encrypted.  With a properly
configured PGP system, you hit a key or click a button, and the message
is encrypted to the sender.  Whether a message is sensitive, or you just
don't want everyone in the Wilkinson Center reading your private email,
encryption is a good idea.

3) Other people can encrypt messages to you.  Even if you don't care
about security, others may be sensitive to privacy and security issues.
Please be courteous to them and provide a means for them to encrypt
their correspondence to you if they feel it is necessary.  Be a good
citizen.


************************************
- How to use/setup GPG

There is tons of detailed information on the internet.  Don't be scared
to use it.  I will be very brief here.  Go to gnupg.org for information
and do a Google search for your mail client.  Install GPG (and maybe a
graphical frontend for it).

If you don't have a .gnupg directory in your home directory, do "mkdir
.gnupg; chmod 700 .gnupg".  Then create a file ".gnupg/gpg.conf".  In
this file, add a line that says "keyserver x-hkp://pgp.mit.edu" and
another line that says "keyserver-options auto-key-retrieve".  This lets
you communicate with the rest of the world.

Now you're ready to create and upload your key.  Here's the procedure.
Run "gpg --gen-key".  Answer the questions the following way.

What kind of key you want: 1       (DSA and ElGamal)

What keysize do you want? 2048     (highest suggested keysize; I did
4096)

Key is valid for? 4y               (4 years; you don't want it sitting
around forever, especially if you end up having a problem with it, but
you don't want it expiring right away either)

Real name: Firstname Lastname      (enter your firstname and lastname)

Email address: [EMAIL PROTECTED]     (enter your email
address)

Comment:                           (leave this blank)

Change? o                          (okay)

Passphrase: **********             (enter a password; make it good)

Now it's going to generate random bytes.  It needs you to do things in
another window so it can get randomness.  Don't worry, it should only
take about one or two minutes.

It will then print out information about your key:

pub  1024D/C094EEEB 2004-12-02 Joe Schmoe <[EMAIL PROTECTED]>
     Key fingerprint = 89A4 195D 42FF 9CDB 5457  CF76 2056 7DC0 C094 EEEB
sub  2048g/81F0C7CA 2004-12-02 [expires: 2008-12-01]

In this example, the Key ID is c094eeeb and the fingerprint is 89A4 195D
42FF 9CDB 5457  CF76 2056 7DC0 C094 EEEB (this is hex--numbers from 0 to
9 and letters from A to F).  Write these down.  Put them in your wallet
or something.

Finally, and this is very important: run "gpg --send-keys" to upload
your key to the keyserver.  This lets other people download your key.


************************************
- What to bring to the meeting

Bring:

1) An ID (driver's license, etc.).  People are going to be signing your
key.

2) Your Key ID or email address.  These allow people to identify your
key.

3) Your PGP Key Fingerprint.  No one can sign your key if they don't
have this.  Make sure to bring it.


************************************
- Conclusion

Creating and using a PGP key is really simple, and there are some real
benefits.  Bring your info to the meeting and we can all sign each
other's keys.  Don't forget to put your fingerprint in your UUG member
profile so you show up in the Web of Trust.


-- 
Andrew McNabb
http://www.mcnabbs.org/andrew/
PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868


--------------------
BYU Unix Users Group 
http://uug.byu.edu/ 

The opinions expressed in this message are the responsibility of their
author.  They are not endorsed by BYU, the BYU CS Department or BYU-UUG. 
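
The check a signer makes at the meeting, as an added example that is not part of the original message: compare the fingerprint read off someone's paper with the one on the key fetched from the keyserver, and confirm the claimed Key ID is the last 8 hex digits of that fingerprint. The function names are made up for illustration; the first fingerprint is the sample from the message, and the colliding one is constructed to show why the Key ID alone is not enough to sign on.

```shell
#!/bin/sh
# Added example: fingerprint comparison before signing a key.
# To see the fingerprint of a fetched key, run: gpg --fingerprint KEYID

# Strip whitespace and uppercase, so "89a4 195d ..." and "89A4195D..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Fingerprints like the one in the message are exactly 40 hex digits.
is_valid_fpr() {
    fpr=$(normalize_fpr "$1")
    [ "${#fpr}" -eq 40 ] || return 1
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;
    esac
    return 0
}

# The 8-digit Key ID is the tail of the fingerprint (C094EEEB in the message).
short_keyid() {
    normalize_fpr "$1" | cut -c33-40
}

# check_before_signing PAPER_FPR FETCHED_FPR CLAIMED_KEYID
# Returns 0 only if both fingerprints are well-formed and identical and
# the claimed Key ID matches the fingerprint's last 8 digits.
check_before_signing() {
    paper=$(normalize_fpr "$1")
    fetched=$(normalize_fpr "$2")
    claimed=$(normalize_fpr "$3")
    is_valid_fpr "$paper"   || { echo "REJECT: paper fingerprint is not 40 hex digits"; return 1; }
    is_valid_fpr "$fetched" || { echo "REJECT: fetched fingerprint is not 40 hex digits"; return 1; }
    [ "$paper" = "$fetched" ] || { echo "REJECT: fingerprints differ, do not sign"; return 1; }
    [ "$(short_keyid "$paper")" = "$claimed" ] || { echo "REJECT: Key ID does not match fingerprint"; return 1; }
    echo "OK: fingerprint and Key ID match"
}

# Sample from the message, and a constructed key sharing the same Key ID.
PAGE_FPR='89A4 195D 42FF 9CDB 5457  CF76 2056 7DC0 C094 EEEB'
SAME_ID_FPR='1111 1111 1111 1111 1111 1111 1111 1111 C094 EEEB'

check_before_signing "$PAGE_FPR" '89a4195d42ff9cdb5457cf7620567dc0c094eeeb' 'c094eeeb' || true
# Same Key ID, different key: only the full fingerprint catches it.
check_before_signing "$PAGE_FPR" "$SAME_ID_FPR" 'C094EEEB' || true
```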