GPG: Encryption and digital signature for the masses Part II

Disclaimer: This is a very serious topic. The observations made here are for a starter. Kindly refer to the man pages and other text books which specialize in guiding for advanced and high stake uses. I am not responsible for any unwanted results by following the notes below. Understand the seriousness of the job on hand and read enough.

 So what is stopping you from creating a key with 

name: Joe biden
email: president@america.gov

Nothing. But you are not going to go a long way with this. The thing is, gpg is not your answer to everything. It is just a tool to sign documents and encrypt the documents. The authenticity of the person sending you the document is still to be checked by going out in the open or from other trusted sources on the public network.

Trust and untrust a key

We have already learnt how to trust your friends public key and record that trust in your keyring. Let us now assume that you want to share the public key of your friend with another of your friends. Now, you extract public key of your friend from your public keyring and save it in an armored format file. Now, if you open the file created for viewing, you can observe that the file also contains your public key also!! How did it land there. It landed there when you "trusted" your friends key. You can forward this file to your another friend who wants the public key of your first friend. The presence of your public key in the file is like you are confirming that the person whose key it belongs is someone you know. This is all good. This is how a "web of trust" is built up. However, this is a two edged sword. When you share the file in question to your second friend. You are also hinting to your second friend that you are "communicating" with that person. This is something that privacy purists will oppose. So, choose wisely. If possible remove your public key from the file your created to share with your second friend.

Let us assume we signed a public key signed@dd.com

Now, we have arrived at some information doubting the key above. So, we have to remove the "trust" we endowed on the above key. Let us remove our signature on the above key

gpg --edit-key signed@dd.com

on the gpg prompt

revsig

go though the queries and revoke the signature.

end the prompt by typing

save

at the prompt

Now, your signature is not on the public key signed@dd.com
If the original public key signed by you is on any key servers, now is the time to push the updated key without your signature on it.

PGP/GPG/OpenPGP

When we talk about asymmetric encryption we come across three abbreviations PGP, OpenPGP and GnuPG(GPG)

PGP is a commercial offering. OpenPGP is an open standard which anybody can implement in code. One such OpenPGP implementation in actual code is GnuPG(GPG). GPG is "free as in freedom" software and is the one to be used by the general public. GPG is licensed under copyleft GNU GPL. So any commercial usage in a tinned product should ensure that the GPL is complied with. For the general public, it is as easy as using GNU/Linux operating systems.

Safeguarding your keys

The key pairs have different exposure levels. The public key has to be made as much "public" as possible and the private key should be kept as private as possible. The "privateness" for your revocation certificate is the same as the private key. Ensure the safe upkeep of these two keys. Guard it upto your life and just below it.

Print your private key and your revocation certificate on good quality paper, store it on storage device, store it on a cdrom and lock it up in a bank safe locker. That is the amount of care you should take care of these two aspects of GPG. If you want to take it with you, ensure that they are encrypted on your storage device and better if the entire device is having file system which is completely encrypted. So, you get two levels of encryption.

Information in your keys

The next thing is the creation of your key pairs. Should you use your "real" name as in "your" name? Should you use your "real" email id? Should the keys expire? If so, what is the optimum expiry age? Should we enter any comment?
These questions have subjective answers. As per the answers for the questions on the public network, the most answers ask users to provide their "real" information. 

This helps in getting you into the "web of trust" which is like the phone book of GPG users. I would suggest, again, a suggestion only, that you should use your real information to bring credibility to your public key. So, yes use your "real" name, "real" email id and also a comment which would make you stand out if your name is more generic. As for the expiry of keys, it is recommended by many experts that you should be expiring your keys at "regular" intervals. Doing so have many advantages. Easy revocation since after the expiry it is of no use to anybody. Keeps your public key ahead of technical obsolescence. 

Dont forget that you can add an image to the created key. This can be your real photograph or any image left for you imagination. Just be careful about whatever decision you take.

More on keys

The last 08 digits of the fingerprint is also called the keyid.
The email id and the name information will be the userid or the UID.

When you want to specify a specific key on the gpg command line, you can use the UID or the keyid.

If you use

gpg --list-keys friend@friendship.com    or
gpg --list-keys A2E43218 ( If using the keyid of the key )

it does not print the fingerprint.

To print the fingerprint of a key

gpg --fingerprint friend@friendship.com

A public key could have been signed previously by other gpg users. On import of a new public key, you can check out all the signatures on the public key by

gpg --list-sigs friend@friendship.com

Keyservers

If you are using keyservers then

1. If you signed a friend's public key after downloading from the keyserver, then you can update the friend's public key with a copy of which you signed.

gpg --send-keys friend.friendship.com --keyserver subkeys.pgp.net(Enter the address of your key server here)

2. To receive a key from the keyserver

gpg --recv-keys friend.friendship.com(Here as usual, you can use the keyid)

3. Keep your keyring updated with any updates to the keys which you have downloaded from the keyserver. There would be changes to the public keys you downloaded a long ago from the keyserver, in terms of UIDs, email ids, the number of signatures on a particular public key

gpg --refresh-keys --keyserver subkeys.pgp.net

Privacy & Anonymity

Though, gpg keeps the information you want to share as private, it does not make you anonymous. But it can "help" you if you are serious on anonymity and you belong to the press. When you send encrypted information through regular public network channels like email, it is still possible to know who has sent the encrypted information, without knowing what is in the encrypted information. 

The public key is advertised publicly. It is trivial to find out the owner of a public key. If you dont want to share the public key with others, then how do you send personalized and encrypted information? One possible way is to encrypt your public key with the public key of the specific recipient. Send that encrypted key to the recipient, who in turn can get your public key by decrypting with his private key. The Tor network can be used for sending gpg encrypted information including the gpg encrypted public key.