-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jul 21, 2003 at 11:08:53PM -0700, Jeff Wiegley, Ph.D. wrote:
> 1st: A problem with this list is its huge signal to noise ratio.
>      If you don't have an answer to give, jokes are less than helpful.

Looking at lists.debian.org, I see this is a list for debian users,
not topic specific, nor are there guarantees that you won't get your
leg pulled if you ask a silly/obvious question.  8:o)  Seems like a
better solution to this feature instead of bitching about it is to
steer users towards asking better questions.

http://www.catb.org/~esr/faqs/smart-questions.html

Or for the ones who absolutely refuse to put forth any effort
whatsoever on their part, just expect us to send them the Magic
Answer:

http://www.debian.org/consultants/

> basically you have two keys A and B. If you encrypt with
> key A you need to know only key B to decrypt it. GPG, RSA, PGP
> take this a bit further they also support the fact that if
> you encrypt with B you can decrypt the message with A.
> (not all asymmetric systems do B->A)

We'll assume A is private and B is the public key.

Not quite.  In the above example, the first scenario (encrypting with
private, decrypting with public key) is highly improbable (though the
odds get better with the more computing power and time you have,
consider a supercomputer and several (dozen?) years), AFAIK, otherwise
why not just use symmetrical keys?

> (we
> could have called either one private it wouldn't matter.) Nobody,
> and I mean nobody, else should ever know the private key other than
> the owner (i.e. you).  But *everybody* can/should/may be
> allowed to have complete knowledge of the "public" key.

x-hkp://pgp.mit.edu/ and other Keyservers are your friend.

> Now if they want to send you a message that only you can
> read they encrypt the message with your public key knowing
> that only you possess the private key necessary to decrypt
> the message and other people who also know the public key
> still can't decrypt it because the public key won't decrypt
> that which was encrypted using the public key. (If you want
> to send encrypted messages to them you need to know *their*
> public key and encrypt with that. (that part is a bit
> unintuitive to security beginners who are used to using the
> same set of secrets to both send and receive messages.)

Basically, what's going on here is you're standing in a public
hallway.  You want to give something to your friend.  It's
valuable/personal, and you're not comfortable leaving it taped to the
door for everybody/anybody to see/steal.  So you slip it under the
door into his private apartment.  If you've got a public key for
someone, you're standing in the hallway outside their apartment.
Encrypt it with their public key and send off the encrypted message
and you've slid it under the door.

It's fairly safe to assume, however, that unlike at Initech, your
coworkers are extremely unlikely to go off on a grand-theft-stapler-
induced rage, break into the recipient's office
and use your message to burn the building down.[1]

> But now you can also digitally sign messages. You simply encrypt
> the message with your private key. People know your public key
> and only the public key will decrypt the message if it was
> encrypted with your private key. AND *only* you know the private
> key. Therefore if the public key successfully decrypts the message
> then it must have been you that wrote it.

Actually, to sign a message, you don't need to encrypt it.  Though in
an encrypted message, it's good to also sign it so the recipient knows
for sure who the sender is (though you can not sign it to remain
anonymous, though the practicality of this is limited).

> This is glossing over a lot of the problems associated with
> two sticky points:
>   1) how do you reliably distribute your public key?

Keyservers, ascii-armored in your .pgpkey file (if you run fingerd or
equiv) and on your website tend to be the big three ways of doing it.

>   These are why Veri$ign charges $75 per year to maintain
> certificates on their distribution system.

Not that Verisign is trustworthy.  This is a contributing factor as to
why S/MIME email is extremely rare.

> keysize of 1024 is ok, but some recent work in the area of
> number theory indicates that somebody with about 10 billion
> dollars can create a specialized computer capable of cracking
> such keys in a not-unreasonable period of time.

Well, theory and practice are two different things.  When the FBI
seized Kevin Mitnick's machines, there were some PGP encrypted files.
Mitnick refused to cough up the password.  For the five years or so
the FBI had his hardware, they couldn't crack his files.  I know at
least before the government accountants started saying on CNN that war
could easily drive the US to bankruptcy before Bush is out of office
that they probably had some decent hardware at their disposal.[2]

> last tip... "evolution" is a pretty good graphical mail user
> agent and it has good support built in for signing and
> encrypting mail using GPG/PGP

kmail also has a pretty nice GUI for doing the same.  mutt has
seamless GPG/PGP support, though mutt is also somewhat hostile to
newbies and extremely hostile to Windows convertees[3].





[1] Office Space reference.

[2] I really wish CIC would grant me a visa already so I can get the
heck out of this madhouse before California completely destroys the
American west.

[3] Am I the only person who thinks Windows convertees are
artificially harder to teach unix than totally green
never-used-a-computer-before people?

- -- 
 .''`.     Paul Johnson <[EMAIL PROTECTED]>
: :'  :    proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/H7p/J5vLSqVpK2kRAgJkAKCnyZk9scctWytea4Rl2x4tWYPW7QCfTyN0
MuNK2VPGZxtiihnEDx+CNzw=
=paJq
-----END PGP SIGNATURE-----
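
The two operations this thread discusses, signing without encrypting and encrypting to a recipient's public key, as an added example that is not part of the original message. It uses textbook RSA with a constructed toy key (two Mersenne primes, no padding) and illustrative function names; GnuPG's real key sizes, padding and message formats differ.

```python
import hashlib

# Constructed toy key: two Mersenne primes, textbook RSA, no padding.
# Illustration only; real OpenPGP keys and message formats differ.
P, Q = 2**107 - 1, 2**127 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)

def digest_int(message: bytes) -> int:
    """SHA-256 of the message, reduced to fit under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Private-key operation on the digest; the message stays in the clear."""
    return pow(digest_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Anyone holding (N, E) can recompute the digest and compare."""
    return pow(signature, E, N) == digest_int(message)

def encrypt(plaintext: bytes) -> int:
    """Public-key operation: anyone can do this for the key's owner."""
    m = int.from_bytes(plaintext, "big")
    if m >= N:
        raise ValueError("plaintext too long for the toy modulus")
    return pow(m, E, N)

def decrypt(ciphertext: int) -> bytes:
    """Private-key operation: only the holder of D recovers the plaintext."""
    m = pow(ciphertext, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def public_key_only(ciphertext: int) -> bytes:
    """What a third party gets by applying the public exponent again."""
    m = pow(ciphertext, E, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    note = b"meet at noon"            # constructed sample message
    sig = sign(note)
    print("signed, still readable:", note, verify(note, sig))
    print("tampered copy verifies:", verify(b"meet at nine", sig))
    c = encrypt(note)
    print("owner decrypts:", decrypt(c))
    print("public key alone recovers it:", public_key_only(c) == note)
```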

