httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@algroup.co.uk>
Subject Re: Fwd: 1.3.1 missing pgp signature
Date Tue, 28 Jul 1998 19:02:03 GMT
Dean Gaudet wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Mon, 27 Jul 1998, Ben Laurie wrote:
> 
> > OK, I can see that. If you really want to get PGP sorted out, I'd be
> > more than willing to help. I can't see that PGP 5 is a problem (yeah,
> > people with 2.x can't interoperate but they can upgrade like the rest of
> > us), though if you can be bothered generating a key with 2.x then
> > switching to 5 seems like the way to go these days.
> 
> I actually did generate my first key using 2.x, and then upgraded to 5.  I
> think my confusion can be summarized as:
> 
> I am not at all sure where or how to register my keys.  Consider that I
> will send apache email as dgaudet@apache.org, not @arctic.org ... and I
> believe this is an extra step in creating/registering the key.

Err, I don't think so. You just create the key, add the email addresses
and register it.

I register my keys at pgpkeys.mit.edu port 11371, but I use the Windoze
version to do it, so I can't help (instantly) with the Unix version.

>  Here are
> the keys I have right now:
> 
> % pgpk -l dgaudet
> Type Bits KeyID      Created    Expires    Algorithm       Use
> sec+ 1023 0x163751F5 1997-08-18 ---------- RSA             Sign & Encrypt
> uid  Dean Gaudet <dgaudet@arctic.org>
> uid  Dean Gaudet <dgaudet-djg20@arctic.org>
> uid  Dean Gaudet <dgaudet@apache.org>
> 
> sec+ 1024 0xF08E012A 1998-02-19 ---------- DSS             Sign & Encrypt
> sub  2048 0xD8F8125A 1998-02-19 ---------- Diffie-Hellman
> uid  Dean Gaudet <dgaudet@arctic.org>
> uid  Dean Gaudet <dgaudet-djg20@arctic.org>
> uid  Dean Gaudet <dgaudet@apache.org>
> 
> 0x163751F5 is the old key I generated with 2.6.x.  The other is a newer
> key.  I've put them into some servers, but I've no idea if I've put them
> into the servers people expect.

I believe they all talk to each other.

> My keys don't have any trust -- because I don't attend many conferences,
> and am totally confused about what I need to do to get other folks to sign
> my keys (whatever the terminology is).

To get someone to sign your key, send them your public key, persuade
them to sign it, and send you back the signed key, and then import what
they send back. Simple.

What people need to persuade them to sign varies from person to person.
In my case I must:

1. Know them.
2. Know that they have the email address I'm signing.
3. Verify the key fingerprint over a channel I can also check their
identity on (usually the phone).

This means I don't sign many keys!

> This is compounded by the fact
> that lots of folks still use 2.6.x and don't know how to tell me what the
> magic pgp 5.x invocations are for the various operations.

Yeah, the docco ain't great, but if you are really stuck, tell me the
operation and I'll figure out the magic.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

Mime
View raw message