Looking for fun things you can do with a PGP/GnuPG key
Posted 28 Jan 2004 at 03:56 UTC by dyork 
When I was asked "What else can you do with a PGP/GnuPG key beyond the
normal signing/encrypting of files and e-mail messages?", I thought about
it and came up with a couple of ideas... but the question continued to nag
at me and I finally decided to do a 5-minute "lightning talk" at an upcoming
OCLUG meeting to talk about the topic.
I've come up with a list of ideas and would appreciate any other suggestions
that folks may have. PGP-encrypted IM, signing web pages... more... I am
especially interested in things that "regular users" (i.e. non-developers)
can do with PGP keys.
Here is a list of ideas for ways to use your OpenPGP/PGP/GnuPG key beyond
the normal signing/encrypting files and e-mail. Suggestions of other ideas
and/or feedback on these ideas would be definitely welcome. (Either left as
a comment to this article or sent via
e-mail.)
- PGP-encrypted Jabber IM- Have fully PGP-encrypted
instant messaging using a Jabber client such as
Psi or
gabber that support the
JEP-0027
spec for OpenPGP usage.
- Sign your packages - As described here, sign your rpms using
rpm --sign. (Can someone suggest how to do this for Debian
packages?)
- Sign your web pages - Provide a way that people can verify
the contents of your web pages.
This article and
this one give
ideas for how to do it.
- PGP-encrypted voice - Use PGPfone for encrypted voice (Has anyone tried this recently? It
looks like not much has happened with it since 1999?)
- Post to web sites - Some sites such as
LiveJournal will let you post items on the web site via PGP-encrypted e-mail (with a paid LJ account).
- Build it into your software - If you write software, there
are interfaces such as
GPGME,
py-gnupg or
GnuPG::Interface
that allow your program to interact with GnuPG and use keys.
Now for those folks who are interested in the whole Web of Trust and/or
statistics around the keys, there are certainly these options:
What other ways have folks found to use their OpenPGP/PGP/GnuPG key?
Feedback and suggestions are very welcome.
keystory, posted 28 Jan 2004 at 05:36 UTC by ftobin »
(Journeyer)
I haven't worked on it for a while, and the sample webpage is down at the moment, but keystory produces stats of how many times a person signed their message with key in a forum (e.g., mailing list). Since I consider the web of trust to be a fairly lost cause, I wrote keystory to give you an idea of how which key is associated with an email address just based upon past behaviour.
It is part of project at Italian University.
Most of their config files at /etc/* are signed. And application check the signature before it runs. The only secret key is resides on floppy disk and is kept away from system by sysadmin.
And let's not forget the gpg/pgp key search engine for finding that key to put into Wotsap and for those pretty graphs of the Web-of-Trust™.
Also, something I do regularly, is create signature files for the releases I make for pilot-link.
gpg -ba pilot-link-0.12.0.tar.gz
This produces 'pilot-link-0.12.0.tar.gz.asc', which can be verified by a user who downloads it with:
gpg --verify pilot-link-0.11.8.tar.gz.asc pilot-link-0.11.8.tar.gz
This can be done with any file or file attachment (perhaps a way to verify attachments prior to "double-clicking" them for those Windows users, given the recent worm exploits?).
There's a lot of other things you can do with gpg also, including using gpg to sign and verify mails, verify files, and confirm the message or file in-transit is unmodified from sender to recipient. Many people think that "encryption" is used to "hide" things, but its real use is in being able to "validate" things, including mail and files.
hacker: Good suggestion on a signature file for a release. Thanks.
There's a lot of other things you can do with gpg also, including using gpg to sign and verify mails, verify files, and confirm the message or file in-transit is unmodified from sender to recipient.
Yes, that's all what I think of as the "standard" stuff that you can do with gpg/pgp. That's the stuff people generally talk about and the reason why people typically get keys. That is all certainly important, but I'm looking for "non-standard" stuff for people who want to do more with their PGP key.
Many people think that "encryption" is used to "hide" things, but its real use is in being able to "validate" things, including mail and files.
Yep, I definitely agree. More useful uses are definitely things like ensuring the integrity of the transmission/file (nothing has been modified) and also non-repudiation (you did send/make that, even if you say you didn't - or at least, someone with your private key did!).
ftobin, Malx - thank you both for the suggestions as well.
Received this via e-mail:
--------------------------------------------
I saw your article on Advogato about other uses of GPG. The debian package maintenance system automatically by default signs packages with your key,
asking you for your passphrase as it puts the upload together. The
debsig-verify tool can be used to check these signatures.
There is also a tool called AutoDNS, which is a secure secondarying
system. An administrator can delegate control of DNS to particular PGP
keys, and the system with then accept changes by email signed with those
keys.
--------------------------------------------
Other ideas are still definitely welcome!
Re: Web of Trust, posted 30 Jan 2004 at 20:32 UTC by willy »
(Master)
ftobin wrote:
Since I consider the web of trust to be a fairly lost cause, I wrote keystory to give you an idea of how which key is associated with an email address just based upon past behaviour.
It's a shame you feel the web of trust is a lost cause. I think it's perhaps fairer to say it's not as successful as it could be. It is improving though. Jason Harris runs a keyanalysis every fortnight to monitor how well-connected the Web of Trust is. I take his results and do a little stock-market-esque index that shows how that changes over time. You can see that's getting tighter.
Thanks to conferences, the open source community is pretty well represented in the Web of Trust. I ran the keysigning at OLS 2003,
and by the end of it, everybody who participated was one of the best-trusted 1000 people in the WoT. I know the stats from LinuxTag and Debconf are equally impressive.
Things you can do to improve the Web of Trust:
- Organise or attend keysignings in your local area.
- Register your key at BigLumber so others can find you.
- Organise or attend keysignings at conferences you're travelling to.
Possibly the most useful thing is to do graphs of meaningful subgroups of the WoT. For example, a local user group, a geographic location, a project team or your company (ok, this one's a subset; too many hp employees have keys to be useful as a graph).
Graphs really motivate some people. Rankings really motivate other people. Personally, I like the game theory aspect of it all. But I'm just weird.
I have modified gnupg so it uses the TCPA chip on my ibm thinkpad x30 laptop. the chip is controlled from netbsd (it also works from linux) and it can create keys, cipher, decipher or sign stuff. the private part of the key is stored inside the tcpa chip. what makes it interesting is the key is stored in the chip and nowhere on the disk. you send data to the chip that enciphers and sputs out enciphered data, no temp data on disk nor in ram. i have a problem with the last bsd-tcpa code (no longer works so i went to a previous version). i have not published this code yet. the fact it is based on the tcpa chip makes me reluctant to do so because even if it is a nice use of the tcpa chip and its cipher capabilities (it uses rsa) the real motives that seem to lurk below what tcpa is annoys me.
While the package signature in the uploaded .dsc and .changes files are valid, the users usually don't see them. The signatures on the .dsc files are for the source package only, the signature in the .changes files are not put into the pool, they are more or less just used by the archive tools to verifiy that the uploading person is a valid Debian Developer and has its key in the Debian Keyring.
There are though two packages that embedd the signature into the .deb package itself: debsigs and dpkg-sig. According to the FAQ of the latter it seems to be the way to go; though the former is included in the stable release (woody) already.
Authentication, posted 14 Feb 2004 at 17:23 UTC by pasky »
(Journeyer)
We use GPG as part of our cheap authentication. We have central "agent" client connecting to various hosts (servers) and doing rather sensitive network-related things there. We did the authentication like:
server takes some random stuff, encrypts it by a public key and sends to client
client decrypts the stuff by its private key, sends back md5sum
server compares md5sum and if it matches, the client is authenticated and can do whatever it likes
This is IMO quite secure, makes sure that servers admins can't access each other's host (but only the central agent can), and it is incredibly cheap (you can do this in a shell script).
Digital Cash, posted 10 Mar 2004 at 02:44 UTC by andrewmuck »
(Journeyer)
Digital cash has been tried with many fancy and wonderful protocols yet has never had the success it deserves!
Using PGP/GPG would make it much simpler (and human readable)
I have started some work on pktp but need help by more able programmers (is in java).
Everyone seems to have this dream of digital cash, lets just forget squeezing it down to 4 bytes and do it instead in a nice open format.
cya, Andrew...
del.icio.us
Digg
Google bookmark
reddit
Simpy
StumbleUpon
Furl
Newsvine
Technorati
Tailrank