Internet Security Professional Reference:PGP


Removing Keys and Signatures

Occasionally an extra key is added to a key ring, or a key carries signatures that cannot be verified. Such entries do no harm, but removing extraneous keys and signatures keeps the key ring small and reduces the amount of data you send when you extract keys for others.

PGP lets you remove both keys and signatures from a key ring. The key management option -kr removes a key; -krs removes signatures from a key. In both cases PGP asks for confirmation before deleting anything, and where a userid matches more than one entry it shows each in turn so you can pick the exact one to remove.

To remove a key, give the userid of the key you want removed. In the following example the key ring holds two keys for Jeffrey I. Schiller, and Ruth wants to keep only the most recent one. Because both keys carry the same name, a name would be ambiguous, so she specifies the key ID of the older key instead (the 0x prefix tells PGP to match on key ID rather than on userid):

~> pgp -kr 0x4D0C4EE1
Pretty Good Privacy(tm) 2.6.2 - Public-key encryption for the masses.
(c) 1990-1994 Philip Zimmermann, Phil’s Pretty Good Software. 11 Oct 94
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1995/11/21 23:08 GMT

Removing from key ring: '/tmp/pubring.pgp', userid "0x4D0C4EE1".

Key for user ID: Jeffrey I. Schiller <jis@mit.edu>
512-bit key, Key ID 4D0C4EE1, created 1992/09/10

Are you sure you want this key removed (y/N)? yes

Key removed from key ring.

To remove a signature, give the userid of the key that carries it; PGP then asks about each signature on that key in turn. Removing a key does not remove the signatures that key made on other keys, so when Ruth deleted Jeffrey's old key, the signatures it had made were left behind and now show up as signatures from an unknown signator that can no longer be checked. One of them is on Derek Atkins's key, and Ruth removes it:

~> pgp -krs warlord
Pretty Good Privacy(tm) 2.6.2 - Public-key encryption for the masses.
(c) 1990-1994 Philip Zimmermann, Phil’s Pretty Good Software. 11 Oct 94
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1995/11/21 23:13 GMT

Removing signatures from userid 'warlord' in key ring '/tmp/pubring.pgp'

Key for user ID: Derek Atkins <warlord@MIT.EDU>
709-bit key, Key ID C1B06AF1, created 1992/09/25

Key has 4 signature(s):
sig      D0C6326D               Ruth Thomas <tara@mail.Free.NET>
Remove this signature (y/N)? <Enter>
sig      0DBF906D               Jeffrey I. Schiller <jis@mit.edu>
Remove this signature (y/N)? no
sig      4D0C4EE1               (Unknown signator, can’t be checked)
Remove this signature (y/N)? yes
sig      C7A966DD               Philip R. Zimmermann <prz@acm.org>
Remove this signature (y/N)? <Enter>

1 key signature(s) removed.

PGP asks about each signature in turn. The default answer is no, so pressing Enter keeps that signature and moves on to the next; only the signatures you answer yes to are deleted.

Key Fingerprints and Verifying Keys

The heart of key verification is establishing that the person or entity behind the userid actually holds the secret half of the keypair. This point is easy to get wrong. The name on the key need not be the legal name of its user; what matters is that the party you reach through the name on the key (for example, its e-mail address) is the party who holds the secret key.

The surest way to know a key is genuine is to watch it being created, which is rarely practical. The next best is to receive the key from its owner in person, on a floppy disk; this requires that you know the person, can meet him or her, and can match the key to the individual by name. These are in-band methods of key verification: the key and the evidence of its authenticity arrive together, over the same channel.

PGP also supports out-of-band verification. You obtain the key by any convenient distribution method, even by downloading it from an untrusted keyserver, and then check it against information obtained over a separate channel that you trust, such as a phone call or a letter from the key's owner. Because the check is independent of the distribution channel, it does not matter how the key itself arrived.

Sometimes a key is validated when it should not have been: either the key was altered in transit, or the signer was talked into signing it through social engineering, in which an attacker uses social means, such as posing as someone else, to get what he wants. A wrongly signed key then endangers everyone who trusts the signer who was fooled, and PGP has no automatic way to check that a signer did his verification properly before signing.

Verification is strongest when the userid on a key matches the real name of a person: that person can show documents proving his identity and then give you a way to confirm that the key he presents is really his. That way is the key fingerprint.

A key fingerprint is a cryptographic hash of the public key's parameters (in PGP 2.6, an MD5 hash of the RSA modulus and exponent), printed as hexadecimal byte pairs that are easy to write down, copy, or read aloud. Because the hash is computed from the key material itself, a fingerprint the owner reads to you over the phone can be compared against the fingerprint of the key you downloaded; if the two match, you hold the owner's key. To display a key's fingerprint, call PGP with the -kvc option, which lists the key along with it:

~> pgp -kvc warlord
Pretty Good Privacy(tm) 2.6.2 - Public-key encryption for the masses.
(c) 1990-1994 Philip Zimmermann, Phil’s Pretty Good Software. 11 Oct 94
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1995/11/21 23:26 GMT

Key ring: '/tmp/pubring.pgp', looking for user ID "warlord".
Type bits/keyID    Date       User ID
pub   709/C1B06AF1 1992/09/25 Derek Atkins <warlord@MIT.EDU>
       Key fingerprint =  A0 9A 7E 2F 97 31 63 83  C8 7B 9C 8E DE 0E 8D F9
1 matching key found.
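The following is an added example, not code from the book or from PGP itself, showing what the fingerprint above actually is and how to check one against a value obtained out of band. It assumes the PGP 2.x construction as later written down in RFC 4880 section 12.2 for version 3 keys: the fingerprint is MD5 over the bodies of the two MPIs n and e (without their length prefixes), and the key ID is the low 64 bits of n, of which PGP 2.6 prints the low 32 bits. The modulus used is a constructed sample, not any real key, and the function and constant names are this example's own.

```python
"""Compute and check a PGP 2.x (OpenPGP V3) RSA key fingerprint.

Added example, not from the book. Assumes the V3 construction of
RFC 4880 section 12.2: fingerprint = MD5(body(n) || body(e)), key ID =
low 64 bits of n, displayed by PGP 2.6 as its low 32 bits. SAMPLE_N is
a constructed modulus, not a real key.
"""
import hashlib
import hmac

KEY_ID_MASK = (1 << 64) - 1


def mpi_body(value: int) -> bytes:
    """Big-endian bytes of a positive integer with no leading zero bytes
    (the MPI body; the two-octet bit-length prefix is not hashed)."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def v3_fingerprint(n: int, e: int) -> bytes:
    """16-byte fingerprint of an RSA public key (n, e) as PGP 2.x computed it."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).digest()


def v3_key_id(n: int) -> int:
    """64-bit key ID: the low 64 bits of the modulus."""
    return n & KEY_ID_MASK


def display_key_id(n: int) -> str:
    """The 8-hex-digit form PGP 2.6 prints (low 32 bits of the key ID)."""
    return f"{v3_key_id(n) & 0xFFFFFFFF:08X}"


def format_fingerprint(fp: bytes) -> str:
    """PGP 2.6 layout: 16 hex pairs with a double space after the eighth."""
    pairs = [f"{b:02X}" for b in fp]
    return " ".join(pairs[:8]) + "  " + " ".join(pairs[8:])


def fingerprint_matches(fp: bytes, out_of_band: str) -> bool:
    """Compare a computed fingerprint with one read over the phone or copied
    from paper. Whitespace and case are ignored; the comparison is
    constant-time so a partially matching string leaks nothing."""
    expected = format_fingerprint(fp).replace(" ", "").encode()
    given = "".join(out_of_band.split()).upper().encode()
    return hmac.compare_digest(expected, given)


# Constructed 512-bit sample modulus (not a real key): derived from a fixed
# string so the example is deterministic, forced odd with the top bit set.
_seed = hashlib.sha256(b"constructed sample modulus").digest()
SAMPLE_N = int.from_bytes(_seed * 2, "big") | (1 << 511) | 1
SAMPLE_E = 65537


def key_id_is_forgeable(n: int, other: int) -> bool:
    """Why a key ID is no substitute for the fingerprint: any modulus with
    the same low 64 bits gets the same key ID. `other` stands in for an
    attacker's modulus; its low 64 bits are overwritten with those of `n`."""
    forged = (other & ~KEY_ID_MASK) | (n & KEY_ID_MASK)
    return forged != n and v3_key_id(forged) == v3_key_id(n)


def fingerprint_is_ambiguous(n: int) -> bool:
    """Why later OpenPGP versions changed the construction: MPI lengths are
    not hashed, so bytes can move between n and e without changing the
    hash. Here the trailing bytes 01 00 of e=65537 are appended to n and e
    becomes 1. The result is not a usable RSA key, but the fingerprint
    cannot tell the two apart."""
    shifted_n = int.from_bytes(mpi_body(n) + b"\x01\x00", "big")
    return v3_fingerprint(shifted_n, 1) == v3_fingerprint(n, 65537)


if __name__ == "__main__":
    fp = v3_fingerprint(SAMPLE_N, SAMPLE_E)
    print(f"{SAMPLE_N.bit_length()}-bit key, Key ID {display_key_id(SAMPLE_N)}")
    print("Key fingerprint =", format_fingerprint(fp))
```

Two caveats the example makes concrete: the key ID PGP prints is only a truncation of the modulus, so matching a key ID proves nothing about a key, and the V3 fingerprint input has no length fields, which is one reason later OpenPGP versions changed the fingerprint construction. Always compare the full fingerprint, never just the key ID.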

