[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Here's how you put your key on the keyservers...

To: Ted Garrett <[email protected]>, [email protected]
Subject: Re: Here's how you put your key on the keyservers...
From: jim bell <[email protected]>
Date: Mon, 29 Jan 1996 14:54:43 -0800
Sender: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----

At 07:39 AM 1/29/96 -0500, Ted Garrett wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>I got a message in response to a request I made to someone for their public
>key.  I wanted to check the signatures that they included with their posts
>to cypherpunks, but their key was not on the keyservers.  The key they
>included was completely unsigned, and when I use it to validate their
>previous posts as well as the message they sent which included the key, the
>signatures come back as bad, the contents of the file changed.  Names are
>appropriately withheld (I hope). 

At this point, I think it would be appropriate to declare that I am the 
person Ted was communicating with, and the one he is referring to and 
(correctly, as I recall my own posts) quoting.  I am, yes, a real newbie, 
and I appreciate the indirect lesson in "nettiquette" he is showing by not 
identifying my private email to him.  I'm identifying myself for a number of 
reasons:

1.  I REALLY am a newbie (at least to most of Internet, and common usage of 
PGP, etc.), and haven't learned much of the ways of Internet.  (with a 
strange, short, early exception, which I will relate in another message if 
anybody has any interest in Internet history.)

2.  I want to solve the problems Ted presumably correctly identified in my 
signing.  (I use freebie Eudora, and WPGP, etc.)  I only started signing my 
posts when I got a copy of WPGP by Gostl, and it made things much easier.


3.  I did not want to make it difficult for him to fight off a potential 
MITM attack while, at the same time, complying with "nettiquette", 
especially seeing as how my key is not (yet) in any keyserver, which is 
obviously MY fault, not his!  I want him to be able to point (and, repost, 
with my full permission) any messages allegedly from me that he receives by 
private email, so that others might check the signature too with their own 
software.

This  permission to him applies to any prior messages I've sent him, too, 
ideally so that anyone else can check the signature status against my sig.
Ted may 
be right; there may be a MITM attack.  More likely, it's a case of galloping 
NEWBIE-ITIS on my own part, sorry.


Earlier, when I just began using WPGP to sign Eudora stuff, I was told that 
my signature didn't match.  On the other hand, I was told by others that 
this is a common flaw of signing messages, having to do with line lengths.  
When I first started sending messages, I didn't use the "Wrap" selection of 
Eudora (under the EDIT selection), meaning that my lines were as long as the 
paragraphs were typed.
  
Most people didn't seem to notice, I guess, because it took somebody a few 
weeks to eventually complain.  After that, I RTFM'd and adopted the practice 
of WRAPping my paragraphs to limit their length to "reasonable" values.  
(although I would appreciate somebody explaining to me why this DAMN EUDORA 
can't seem to correctly re-wrap a paragraph after modification.  Hell, 
Wordstar Version 3.0 for CP/M (shows you how long _I've_ been into 
computers!) reformatted paragraphs just fine back in 1982 on a 12.5 MHz Z-80 
(ask me how I did this and I'll tell you a LONG story!)


3.  Ted began to suspect a "MITM attack."  While I'm a newbie, I'm well 
aware this is "man in the middle" and am aware of the potential (dangerous!)
implications.  Needless to say, I can't even say for certain that such an 
attack isn't happening.  Yes, I am on no keyservers, yet, but I will try my 
best to follow his kind instructions and accomplish this feat.  And yes, I 
am reminded that I need to sign my OWN public key, which (being a f______ 
newbie), I haven't even done yet!  (This message will contain, however, BOTH 
my 1024-bit and 2047 bit public keys, unsigned, and I will sign the whole 
message with my 1024-bit key.  I'd sign it with BOTH, but I don't know if 
WPGP will even do this.  I'd sign a second copy with the 2047-bit key, 
except that would be wasting bandwidth.


> As I understand the bcc: definition, only
>I and the first smtp server this message hits should know who it's to.  I
>don't know if anyone else reading this mailing list needs this info, but
>just in case... here's my reply to the message.
>
>At 10:03 PM 1/28/96 -0800, you wrote:
>>Sorry, I'm a newbie to Internet, and also the Internet usage of PGP.  I just
>>participated in a local keysigning meeting, so maybe my key will find its
>>way to a server.

I wrote that.

>Don't worry about being a 'newbie'.  Everyone starts somewhere.  However,
>your key will usually not 'find its way' to a server without you
>specifically sending it.

Thanks; I sorta assumed that, but until recently my usage of PGP was between 
me and my friends who knew me by face and voice, and who have my keys from 
hand-carried floppy disks that I gave them myself.

> The keyserver I usually use is accessed by sending
>a mail message which fits the following format.  As far as I know, all the
>keyservers use this format to add or update keys in their databases.  You
>only have to send it to one keyserver, and it will propagate to all the
>others.  I have indented the text so that no handlers decide to interpret it
>as a new message.

Okay, thanks for the details.  


>
>- - To: [email protected]
>- - Subject: ADD
>- -
>- - -----BEGIN PGP PUBLIC KEY BLOCK-----
>- - Version: 2.6.2
>- -
>- - [key deleted to protect the innocent]
>- -
>- - -----END PGP PUBLIC KEY BLOCK-----
>
>>I'm sorry to have to admit that I don't even know how to do this!  Newbie
>>alert!

Again, I wrote that.

>If you don't admit you don't know something, nobody will usually tell you
>how to do it.  Also, you should sign your own key.  That will make it harder
>to forge, I think.

Okay, up  until now I've generally given out my key in messages, and signed 
the entire message with the key.

> The reasons were spelled out in a couple of the web
>pages I read, but I've forgotten them.  It has something to do with either a
>denial of service attack or a man in the middle attack, or both.  The
>command to do this is:

Someday I'm gonna understand this stuff!

>
>pgp -ks 0xHEXKEYID
>
>Honestly, I've only just begun to use pgp myself.  Also, you should add your
>e-mail address to the user-id of your key.  The command to do so is: 
>
>pgp -ke 0xHEXKEYID
>

Again, much appreciated.  I hate to RTFM.  Lazy bum, I.


>You will be asked if you wish to add a user id to the key.  Say yes, and
>give it your e-mail address.  What this does is it allows people who are
>using pgp-enabled mailers to directly encrypt messages to you without
>choosing your key manually.
>
>The reason that I have not encrypted this message to you using the key you
>provided is that when I extracted the key and re-checked your message, the
>signature was no good.  I've found that (using eudora) I must turn off the
>word wrap feature of my mailer to allow for good signed messages out.  Of
>course, having said this, I'll probably not get a good signature on this
>message.  Let me know if it signs ok.

I didn't check the signature of his message, admittedly.  Guess I need to 
give him some feedback, huh?



>Now, I have a question.  Which attack(s) is/are a person vulnerable to when
>distributing an unsigned public key in the open?  Could this actually be a
>complex man-in-the-middle attack?  Am I paranoid?

Unfortunately, the more I learn about encryption, the more "paranoid" I get! 
 Of course, I have a few more reasons than most, but...

[I deleted Ted Garrett's signature.  My own will follow my own two public 
keys.]

My 1024-bit key.

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAi1zvWcAAAEEAKmSqngLWK2N2gOJKPtjF9VCfSkXY+XUZBRCbbFU71uH/dLX
C2Uq6wFS8alRgMc3rp90JnnJ/6eJqXwMjCunogwucWOaU7S/w+OwjOG9fUqsXIA6
2j25Wtjce65mbp0TKLAzwMb/P/Qq7BlclqhuKzfVBH7dIHnVAvqHVDBboB2dAAUR
tBFKYW1lcyBEYWx0b24gQmVsbA==
=G3LA
- -----END PGP PUBLIC KEY BLOCK-----


My 2047-bit key.

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQENAzDCFH4AAAEH/15sMvnnK1BIvLkxQsKwUHP7dKNFbKrQOtOoyLOFTk4/0Zlr
gXkKw6NciDYaOKwW9dsIL3N3rjAlWtioQ/gg+5vMNoJOQXpp95mKBzpWYLeaB8MF
Km6H/NGWISx5cz06NOGutWcaezO/S4xm8ay7W8HaZ4EmHQdXtSKIAL41PBQyyuhR
wIKX+QwsAgKS1LALr9MuW7nXL6/h139QeNRAR+ubXyftoklFHC+HF+jcTTDuNjmU
4p7BEMp9cmYHh6WEYTZyOz5F8/8gtEbPA0IKsQH1LGdf+2APLqMdciuU8ALZA+ZM
bbaBaxshqHbYfCQ8+ATCrBjsU0nO8RKjhSx91vkABRG0DUphbWVzIEQuIEJlbGw=
=uncA
- -----END PGP PUBLIC KEY BLOCK-----


James Dalton Bell.

Klaatu Burada Nikto

Something is going to happen....    Something...  Wonderful!
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQ1PZ/qHVDBboB2dAQE+AAP+MP5hM2j1Z3z+7cdZ/U12qH/uu6Dq2NEP
LgKJ8Nm0idN7oiBZpYD2zuT22mhsIhCJzzmC3XIBiyX1AP4voDqrIwgLmvPgogcp
Cr9p75xi2/UqV1mrYIWeHG4KJc+/x5V4PxeYg5iz0jjnLKN1mzmnjPRDqAOaaBhK
08MMgOkqxFs=
=jU9M
-----END PGP SIGNATURE-----
Prev by Date: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards
Next by Date: Re: CONTEST: Name That Program!
Prev by thread: Here's how you put your key on the keyservers...
Next by thread: New Software
Index(es):
- Date
- Thread