[Edlug Archive Jan 2004]

Re: [edlug] Anyone going tonight who can provide help with GPG and SSH keys ?



db2it <teamdba@xxx.xxx.xxx> writes:

> OK, I'll be there with my passport: not US paranoia compatible, but
> good enough for the rest of the world!!!
>
> My fingerprints are permanently attached <G>.  But I'll need help
> setting up an electronic one (I assume that is what you mean).

axa@xxx.xxx.xxxzeus ~ > gpg --fingerprint andrew@xxx.xxx.xxx
pub  1024D/015B8928 2003-10-15 Andrew Aylett <andrew@xxx.xxx.xxx>
     Key fingerprint = 9286 E78D A094 C4A2 50EC  E2FD 2A49 CA50 015B 8928
sub  1024g/99271963 2003-10-15
 
You will need to bring at least one copy of the key fingerprint (the
40-digit string), probably better to bring several as it'll be easier to
give people a copy you've printed out than for them to copy the
fingerprint by hand.

Of course, if you're going to generate the key while you're there, then
people can just read it off the screen.  That's not recommended though
-- conventional (paranoid) wisdom is that it's not a good idea.

In <http://www.cryptnet.net/fdp/crypto/gpg-party.html> V. Alex Brennen writes:
> You should not bring a computer to the party because binary
> replacement or system modifications are very easy ways to compromise
> PGP systems.
> 
> If someone were to bring a portable computer and everyone used that
> computer to sign the other keys at the party, no one would know if the
> machine had been running a key stroke logging utility, a modified
> version of GPG, a modified version of the Linux kernel, or a specially
> modified keyboard, any of which could be used to capture the secret
> keys of those who used the computer.
> 
> The use of a computer at the party would also leave you open to more
> simple attacks like shoulder-surfing, or more complex attacks like
> weak secret key generation, secret key modification, or even infection
> with viruses that modify your GPG binaries to leak future secret keys
> discreetly.

If you're going to be paranoid enough to want to store your key on a USB
dongle, you're probably paranoid enough to not generate it in a public
place...  It might be better to find out how, then do it at home, and get
folks to sign the key next month.  That's probably approaching an
impractical level of paranoia, however.

Unfortunately, I'm not going to be around tonight, otherwise I'd sign
your key and get you to sign mine... I could do with some signatures
:-).

OK,
-- 
Andrew Aylett | www.aylett.co.uk | 1.79 x 10^12 furlongs per fortnight...
andrew@xxx.xxx.xxx | answer==42 |  -- it's not just a good idea, it's the law!

Attachment: pgp00007.pgp
Description: PGP signature
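
The check done at home after the party, as an added example that is not part of the original message: before signing, compare the full 40-digit fingerprint from the printed slip with the key you actually fetched, using the output of `gpg --with-colons --fingerprint`. The function names are hypothetical and the sample listing is constructed from the key shown in the message.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for the key
# in the message. In an "fpr" record the fingerprint is the 10th field.
# The subkey's long key ID is a placeholder, not a real value.
SAMPLE_LISTING = """\
pub:-:1024:17:2A49CA50015B8928:2003-10-15:::-:::scESC:
fpr:::::::::9286E78DA094C4A250ECE2FD2A49CA50015B8928:
uid:-::::2003-10-15::::Andrew Aylett <andrew@xxx.xxx.xxx>:
sub:-:1024:16:0000000099271963:2003-10-15::::::e:
"""


def normalize(fpr: str) -> str:
    """Drop spaces and colons, upper-case, and insist on exactly 40 hex digits."""
    compact = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("not a 40-hex-digit fingerprint")
    return compact


def primary_fingerprint(listing: str) -> str:
    """Return the fingerprint that follows the first 'pub' record."""
    seen_pub = False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            seen_pub = True
        elif fields[0] == "fpr" and seen_pub and len(fields) > 9:
            return normalize(fields[9])
    raise ValueError("no primary key fingerprint in listing")


def safe_to_sign(slip: str, listing: str) -> bool:
    """True only if the slip carries the full fingerprint of the fetched key.

    A slip that holds only the 8-digit key ID (015B8928 in the message) is
    rejected: short IDs are just the tail of the fingerprint and can collide.
    """
    try:
        return normalize(slip) == primary_fingerprint(listing)
    except ValueError:
        return False
```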



This archive is kept by wibble@morpheux.org.DONTSPAMME