-----BEGIN PGP SIGNED MESSAGE----- I got a message in response to a request I made to someone for their public key. I wanted to check the signatures that they included with their posts to cypherpunks, but their key was not on the keyservers. The key they included was completely unsigned, and when I use it to validate their previous posts as well as the message they sent which included the key, the signatures come back as bad, the contents of the file changed. Names are appropriately withheld (I hope). As I understand the bcc: definition, only I and the first smtp server this message hits should know who it's to. I don't know if anyone else reading this mailing list needs this info, but just in case... here's my reply to the message. At 10:03 PM 1/28/96 -0800, you wrote:
Sorry, I'm a newbie to Internet, and also the Internet usage of PGP. I just participated in a local keysigning meeting, so maybe my key will find its way to a server.
Don't worry about being a 'newbie'. Everyone starts somewhere. However, your key will usually not 'find its way' to a server without you specifically sending it. The keyserver I usually use is accessed by sending a mail message which fits the following format. As far as I know, all the keyservers use this format to add or update keys in their databases. You only have to send it to one keyserver, and it will propagate to all the others. I have indented the text so that no handlers decide to interpret it as a new message. - - To: pgp-public-keys@pgp.iastate.edu - - Subject: ADD - - - - -----BEGIN PGP PUBLIC KEY BLOCK----- - - Version: 2.6.2 - - - - [key deleted to protect the innocent] - - - - -----END PGP PUBLIC KEY BLOCK-----
I'm sorry to have to admit that I don't even know how to do this! Newbie alert!
If you don't admit you don't know something, nobody will usually tell you how to do it. Also, you should sign your own key. That will make it harder to forge, I think. The reasons were spelled out in a couple of the web pages I read, but I've forgotten them. It has something to do with either a denial of service attack or a man in the middle attack, or both. The command to do this is: pgp -ks 0xHEXKEYID Honestly, I've only just begun to use pgp myself. Also, you should add your e-mail address to the user-id of your key. The command to do so is: pgp -ke 0xHEXKEYID You will be asked if you wish to add a user id to the key. Say yes, and give it your e-mail address. What this does is it allows people who are using pgp-enabled mailers to directly encrypt messages to you without choosing your key manually. The reason that I have not encrypted this message to you using the key you provided is that when I extracted the key and re-checked your message, the signature was no good. I've found that (using eudora) I must turn off the word wrap feature of my mailer to allow for good signed messages out. Of course, having said this, I'll probably not get a good signature on this message. Let me know if it signs ok. Now, I have a question. Which attack(s) is/are a person vulnerable to when distributing an unsigned public key in the open? Could this actually be a complex man-in-the-middle attack? Am I paranoid? -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMQy/ds1+l8EKBK5FAQER8Af/SE1lTj3zcpm3ildFGO75zjZiJByZQi+3 LAkYgcHyBmtvhCTvyYCP2aMF4RjayrR3OHB85XthIA4sPmU0NDCVZYv7riSPjslp iBxUk92dO+BkP8nrTFgqCzR4qPqbOSmZxeovZI0PfQvbm99fG6Fc2kjhdKP7Aq+G cw4r0vvJY8JbqAuXftgZgndL9iGR/+xjfrpl+EWL3xtWzpIRfwMS5KMsR1UOf1ZA g9mlMEGLXy5KC/BwaupgTTwlSA/NOTv5mAY8+UWt9ydMWXBqNVt/yiGFsjg5UR1M CaT2D23pLAnWZ8M7yrjMamadkn2iLBqq4nhBNOGYHfZrGcbm/mhmxQ== =jGo3 -----END PGP SIGNATURE-----