PGP

PGP (17th October 2004)

PGP is a way that people can easily digitally sign stuff and use encryption.
There's all kinds of information about it everywhere – I have a good book that talks about it which I'll try and dig out. Anyway –
I wanted to download Apache, and although I've been on the Apache site loads of times (and the Jakarta site too)
and downloaded loads of stuff, I've never been bothered to understand the signing business.

So today I worked it out. You first need to install PGP, which you can do from here – you simply download and install it, then when it
asks for your license key you just click on "later" and it will work in freeware mode. Unfortunately you can't sign emails from Outlook in this mode and have to buy a license. But what you can do is verify signed files.

There are instructions for all this on the Apache site, but they use command line stuff and I'm currently working on a Windows XP machine.
Anyway, you download the PGP signature file along with the zip file you want (in my case the Apache installer), and then if you look at it in file explorer you get a nice
PGP icon where the signature is – you can then right click and do "extract and verify", which automatically downloads the keys from the key server (these are the keys of the people who signed the file) and
then checks that the file was indeed signed by them – you can see this because it pops up a window to say so.

So that's all good – the signature and the binary match, but unfortunately you can't guarantee that the signatures are really from the people they say they are.
For this to happen you need some trust – you have to enter the circle (or web) of trust. To do this you actually need to have obtained the fingerprint of the key from somewhere other than the net to be absolutely sure
you know it's OK. This can involve a face to face meeting (highly unlikely in the Apache world) or a phone conversation, depending on how paranoid you are.
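The command-line version of the same two steps (signature check, then the out-of-band fingerprint check) as an added example that is not from the original post: it uses GnuPG's `gpg` rather than the PGP Desktop GUI, and the file names and the pinned fingerprint are placeholders, not real Apache values.

```shell
#!/bin/sh
# Added example: verify a download's detached PGP signature with gpg, then
# insist that the signing key's fingerprint equals one you obtained off the
# net (KEYS file over a trusted channel, phone call, in person).
# A good signature alone only proves "signed by *some* key from the keyserver".

# Fingerprint obtained out-of-band (PLACEHOLDER, not a real Apache key).
TRUSTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read gpg --status-fd output on stdin and print the fingerprint from the
# VALIDSIG line (only emitted when the signature cryptographically checks).
# Prints nothing if there is no VALIDSIG line (bad or missing signature).
valid_sig_fpr() {
    sed -n 's/^\[GNUPG:] VALIDSIG \([0-9A-Fa-f]*\) .*/\1/p' | head -n 1
}

# Read gpg status lines on stdin and classify the result:
#   trusted        valid signature AND key matches the pinned fingerprint
#   untrusted-key  valid signature but from a key you never verified
#   bad-signature  gpg reported no valid signature at all
# Exit status is 0 only for "trusted".
check_status() {
    fpr=$(valid_sig_fpr)
    if [ -z "$fpr" ]; then
        echo "bad-signature"
        return 1
    fi
    if [ "$fpr" != "$TRUSTED_FPR" ]; then
        echo "untrusted-key"
        return 2
    fi
    echo "trusted"
    return 0
}

# Run gpg on <file> <detached signature> and feed its machine-readable
# status lines to check_status. The --status-fd lines are what we parse;
# gpg's human-readable chatter goes to stderr and is ignored.
# Usage: verify_download httpd-installer.msi httpd-installer.msi.asc
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status
}
```

The "untrusted-key" outcome is exactly the situation the post describes: the GUI says the signature is fine, but nothing has yet tied that key to a real person.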

Anyway, I don't reckon I'm going to be able to do this easily, so I'm going to wait until I meet someone else who has done it and get their key, and then use that
to validate the others.
All sounds a bit complex, eh? Will try to write it up more decently.

By the way, one of the points of this log is not to help other people, but for my own personal assistance so I don't forget stuff as I'm finding it out :) The more stuff there is to know the harder it is to know it all, and let's face it, there is far too much stuff to know.
