[TriLUG] Wanna have a key signing "party"? & Trilug's web of trust.

Tanner Lovelace lovelace at wayfarer.org
Mon Apr 8 18:41:10 EDT 2002


On Mon, 2002-04-08 at 18:05, Justin Johnson wrote:
> > Quick response here, I was thinking about having a non-meeting based
> > key-signing party,
> 
> Ok, I have to break down and ask, and thereby disclose my ignorance. What
> does the 'Key' thing do, and what does it do 'for me'. I read the thread a
> few months ago when Tanner and others planned the last key signing party,
> and didn't ask then. So I'm asking now. I've already planned to attend the
> meeting this month, figuring that would be a good way to find out what the
> thrill was, but if I need to do something before hand I want to go ahead and
> do so.
> 
> Kind of a "I don't know what it is, but I might want one!" type of
> situation. ;-)
> 
> Clue in the clueless,
> Justin

Hi Justin,

I guess most of us take this so much for granted that we have
just assumed everyone knew what a key was.  The short story
is that an encryption key works very similarly to a regular
physical key (i.e. car key, house key, etc..) in that it 
allows the locking mechanism (the deadbolt, etc..) to be
standard and the only dissimilar part is the key itself.

In a similar way, an encryption key allows the encryption
algorithm (i.e. RSA, Diffie-Hellman, etc.. but don't worry
if you don't recognize any of them) to be the same, and to
even be public.  Everyone has a different key, just like
a door key, and that means (theoretically) no one can
read what you've encrypted.

Now the situation is a bit more complicated than that
because with PGP/GPG what we're normally dealing with
is called public keys.  Public keys allow a part of the
key (the part used to encrypt) to be public.  Anyone
can have it.  The key here is that public keys
allow only encryption.  You can't decrypt with them.
In order to decrypt, you have to have the corresponding
private key (which, just as it sounds, you keep secret).
This has several advantages over algorithms where the
same key is used for both encryption and decryption, 
and I'll talk more about that this Thursday. :-)

As to why we're talking about "signing keys" that
has to do with something else: Authentication.
Encryption itself deals with Confidentiality, but
how do you know the encrypted message you received
is really from who you think?  The answer is
authentication.  Since public key algorithms
work forwards and backwards, you can encrypt 
something with your private key and send it out
with a message.  The person receiving the message
can then take your public key and use it to decrypt
that "signature".  Since, presumably, no one but
you has your private key, and things encrypted
with your private key can only be decrypted with
your public key, this can be used as a form of
encryption.  The key here, however, is to make
sure you know the public key is valid.

This is where we come to the key signing.  At
a key signing you verify that a given public key
actually belongs to someone.  Generally, you do
this by comparing the key type and its
"fingerprint" (that is, a set of numbers that
uniquely identifies the key).  When you are satisfied
that the person and the key match, you "sign" the
key by encrypting it with your private key.
What does that do?  Well, it allows you to build
a "web of trust".  Suppose I get an encrypted message from
Bob.  I don't know Bob, but he got my public key
somewhere and sent me this message.  I use my
software to take a look at his key and I see
that his key has been signed by Alice.  Alice
knows Bob and vouches for him.  Since I know
Alice, and I have signed Alice's key, I can
follow the chain from my key to Alice's key to 
Bob's key and be fairly certain that Bob is Bob,
even though we've never met.  This is exactly
what John was visualizing with his pretty pictures. :-)

So, that's it in a nutshell.  If you're interested
in learning more, come to the meeting this Thursday.

Tanner Lovelace
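The mechanics Tanner walks through above (a key pair, a fingerprint you compare in person, signing someone's key once you are satisfied, and following the chain of signatures from your key to Alice's to Bob's) as an added, runnable illustration.  This is not code from the post or from TriLUG, and it is not GnuPG: it uses textbook RSA over small, deterministically generated primes so that it runs offline from the standard library, which makes it a teaching toy only.  The user ids, seeds and the forged "Mallory" certification are constructed for the example.  What the post calls "encrypting with your private key" is the `sign` function here, and a key signature is a `certify` call over the name plus fingerprint; `trust_path` walks the web of trust and only follows certifications that actually verify, so a certification that merely claims to be Alice's does not create a path.

```python
"""Toy signatures, fingerprints, key certification and a web-of-trust walk.
Added illustration, not code from the TriLUG post.  Textbook RSA over small
deterministic primes: for teaching only, never for real use (use GnuPG)."""
import hashlib
import math
import random
from collections import deque

def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size, odd
        if _is_probable_prime(cand, rng):
            return cand

def keygen(seed, bits=256):
    """Return (public, private) as ((n, e), (n, d)).  The fixed seed makes the
    example repeatable; a real key must come from a CSPRNG."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def fingerprint(public):
    """Short unique identifier of a public key: what you read aloud and
    compare at a key signing party."""
    n, e = public
    return hashlib.sha1(f"{n}:{e}".encode()).hexdigest()

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    """The post's 'encrypt with your private key': only the holder of d can."""
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(public, message, signature):
    """Anyone holding the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

def certify(signer_private, uid, public):
    """Key signing: vouch for the binding of a name to a key fingerprint."""
    return sign(signer_private, f"{uid}|{fingerprint(public)}".encode())

def certification_valid(signer_public, uid, public, cert):
    return verify(signer_public, f"{uid}|{fingerprint(public)}".encode(), cert)

def trust_path(ring, start, target):
    """Breadth-first walk from `start` along certifications that verify.
    Returns the chain of user ids, or None when no valid chain exists."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for uid, entry in ring.items():
            cert = entry["certs"].get(path[-1])  # cert claimed to be by path[-1]
            if uid not in seen and cert is not None and certification_valid(
                    ring[path[-1]]["pub"], uid, entry["pub"], cert):
                seen.add(uid)
                queue.append(path + [uid])
    return None

def build_keyring():
    """Constructed sample keyring (names and seeds are assumptions).  Tanner
    signed Alice's key and Alice signed Bob's; Mallory attached a cert that
    claims to be Alice's but was made with Mallory's own private key."""
    pairs = {u: keygen(s) for u, s in (("tanner", 1), ("alice", 2), ("bob", 3), ("mallory", 4))}
    ring = {u: {"pub": pub, "certs": {}} for u, (pub, _) in pairs.items()}
    ring["alice"]["certs"]["tanner"] = certify(pairs["tanner"][1], "alice", pairs["alice"][0])
    ring["bob"]["certs"]["alice"] = certify(pairs["alice"][1], "bob", pairs["bob"][0])
    ring["mallory"]["certs"]["alice"] = certify(pairs["mallory"][1], "mallory", pairs["mallory"][0])
    return ring, {u: priv for u, (_, priv) in pairs.items()}

if __name__ == "__main__":
    ring, private = build_keyring()
    print("tanner -> bob:", trust_path(ring, "tanner", "bob"))
    print("tanner -> mallory:", trust_path(ring, "tanner", "mallory"))
```

Run it with `python3` and it prints the chain `['tanner', 'alice', 'bob']` for Bob and `None` for Mallory.  The design point is in `trust_path`: a signature on a key is worthless until it is checked against the signer's public key as held in your own keyring, which is exactly why the fingerprint comparison at the party has to happen before anyone signs anything.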