[ale] Commentary about PGP / GPG key generation...

Jeremy T. Bouse jeremy.bouse at undergrid.net
Tue Nov 29 21:37:24 EST 2011


	Very good commentary... A few things I might add from my own experience...

	* Make sure if you have multiple UIDs for pseudonyms that at least one
of them has the real name on the ID you intend to provide. I personally
won't sign a key if there isn't a UID that matches the ID presented.

	* Make sure the email address you use for your UID is correct and
doesn't block or do challenge/response. I mention this as I use an
additional measure of sending the signed key back encrypted to the
sender rather than uploading my signature back to the keyserver. This is
to ensure possession of both the private key and the email address.

	* Be sure you've published your key to a keyserver. When I go to sign a
key I pull it from the keyserver into a temporary keyring before
signing. This ensures the key doesn't get into my actual public keyring
until after it's signed and been sent to the keyserver by the keyholder.
If a key doesn't exist on a keyserver then I don't end up pulling it
down and my routines won't sign the key.

On 11/29/2011 02:25 PM, Michael H. Warfield wrote:
> Hello all!
> 
> I see a number of people have generated brand new GPG keys for the
> upcoming ALE Keysigning party.  Great!
> 
> Couple of comments (pun intended).
> 
> * When creating your keys, you do not need to add a comment.
> 
> * If you do add a comment, it becomes a permanent and visible part of
> that uid, so you might want to make it meaningful in a permanent sort of
> way.
> 
> * If you delete a uid, you lose all the signatures on that uid.
> 
> * Once a uid has appeared on the public keyservers, it's virtually
> impossible to get rid of it due to the nature of the keyserver "flooding
> algorithm" and uids as well as signatures are cumulative.  Literally, if
> you have ever sent your key to a keyserver with a uid that you later
> delete, that deletion has no effect on the keyserver and the uid will be
> later re-added to your local keyring if you ever receive signature
> updates back from the keyservers (gpg --refresh or gpg --recv-keys) or
> reimport the public key from someone who signed your key containing that
> uid.  Even if you managed to get a uid deleted from a keyserver, the
> other keyservers would rapidly flood that uid back.  Your only real
> option is to revoke that uid and leave it in place (my old Compuserv uid
> on my df1dd471 key is such an example).
> 
> * If you're happy with the comment you have in your uid for your key,
> that's cool.  If you think you MIGHT want to change it, I would suggest
> doing it well before the keysigning party.  Once it's on the keyservers
> (outside of our ring on BigLumber) it's there.
> 
> If you decided you wish to change it, you have to edit the key like
> this:
> 
> gpg --edit-key {your keyid}
> 
> It will display a list of keys and uids.
> 
> Add a uid with "adduid" and fill in your name, E-Mail, and comment (if
> any) just like you did when you generated the key to begin with.  When
> you accept that change, it will ask you for the password to your private
> key.
> 
> Now the list will show the new uid.
> 
> To get rid of the old one, you have to select it by number like this:
> 
> uid 1
> 
> The list will show uid "1" with a splat (*) beside it.  The deluid
> command then deletes all the marked uids (you have to have at least one
> left standing).
> 
> Finally, BEFORE trying to upload the modified key to BigLumber, contact
> me FIRST and I will delete the key and you can then re-upload it.
> 
> Regards,
> Mike
> 
> 
> 
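The checks both posts describe (a UID whose name matches the ID presented, UIDs revoked rather than deleted, comments baked permanently into a UID) are easy to automate over the machine-readable output of `gpg --with-colons --list-keys`, run against a temporary keyring if the key was pulled from a keyserver the way Jeremy describes. The script below is an added example, not code from either poster; the listing it parses is constructed, with a made-up key id, fingerprint, uid hashes, names and addresses, and the field positions follow GnuPG's documented colon-listing format (field 2 is validity, field 10 the user ID string).

```python
"""Pre-signing checks on a GnuPG key listing.

Input is the output of
    gpg --with-colons --list-keys <keyid>
optionally with --homedir pointing at a temporary keyring the key was
pulled into from a keyserver.  Field positions follow GnuPG's doc/DETAILS.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing for a hypothetical key.  The key id, fingerprint,
# uid hashes, names and addresses are all made up for this example.
SAMPLE_LISTING = """\
tru::1:1322600000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1322500000:::u:::scESC::::::23::0:
fpr:::::::::00000000000000000000000123456789ABCDEF:
uid:u::::1322500000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Example Person (ALE keysigning 2011) <person@example.org>::::::::::0:
uid:u::::1322500100::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::eperson <eperson@example.net>::::::::::0:
uid:r::::1322500200::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC::Example Person <12345.678@compuserve.example>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1322500000::::::e::::::23:
"""

# "Real Name (comment) <email>"; comment and email are both optional.
_UID_RE = re.compile(
    r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>]*)>)?$"
)


@dataclass
class Uid:
    name: str
    comment: Optional[str]
    email: Optional[str]
    revoked: bool


def _unescape(field: str) -> str:
    """Undo gpg's \\xHH escaping (a literal ':' inside a uid is written \\x3a)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)


def parse_uids(listing: str) -> List[Uid]:
    """Return the uid records of a --with-colons listing.

    Validity 'r' marks a uid the keyholder has revoked, which is the only way
    to retire a uid once it has reached the keyservers (deleting it locally
    loses its signatures and the keyservers flood it back anyway).
    """
    uids = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "uid" or len(fields) < 10:
            continue
        raw = _unescape(fields[9])
        m = _UID_RE.match(raw)
        uids.append(Uid(
            name=(m.group("name").strip() if m else raw),
            comment=(m.group("comment") if m else None),
            email=(m.group("email") if m else None),
            revoked=(fields[1] == "r"),
        ))
    return uids


def _norm(name: str) -> str:
    return " ".join(name.split()).casefold()


def matches_presented_id(uids: List[Uid], presented_name: str) -> bool:
    """At least one unrevoked uid must carry the real name on the ID presented."""
    want = _norm(presented_name)
    return any(not u.revoked and _norm(u.name) == want for u in uids)


def presign_report(listing: str, presented_name: str) -> dict:
    """Everything a signer wants to know about a key before signing it."""
    uids = parse_uids(listing)
    return {
        "signable": matches_presented_id(uids, presented_name),
        "revoked_uids": [u.email or u.name for u in uids if u.revoked],
        "uids_with_comment": [u.comment for u in uids if u.comment],
        "uids_without_email": [u.name for u in uids if not u.email],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(presign_report(SAMPLE_LISTING, "Example Person"), indent=2))
```

Revoked UIDs are reported rather than treated as a defect, since leaving a revoked UID in place is exactly what Mike recommends; a UID without an e-mail address is flagged because the signed key cannot be returned to it encrypted, which is the possession check Jeremy relies on.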