November 2010
1 post
5 tags
OpenPGP Bot on Twitter
For reasons I cannot entirely justify, I created a new Twitter account, @OpenPGPBot, that automatically retweets anything posted involving PGP, GnuPG, or OpenPGP. Please follow if it’s your thing.
Nov 30th
3 notes
January 2010
2 posts
2 tags
Encrypting the FreeBSD root file system →
Systems are only as secure as you make them. Thankfully, FreeBSD offers an excellent range of tools and mechanisms to ensure that all your security needs are met. Jacques Manukyan writes in the new issue of BSD Magazine. PDF download of the entire magazine available at the link.
Jan 22nd
1 note
4 tags
PGP Corp. on Key Management and the Cloud →
PGP Corporation’s Perspectives Blog offers some insight on how new cloud-based products can be secure and offer identity management (in a curiously unsigned post).  The first generation of products we have seen centers on API keys, except for a few products which require you to submit your username and password for remote use.  Both of these solutions are insecure for the same reasons. ...
Jan 6th
1 note
December 2009
1 post
3 tags
Using GPG to Sign Git Tags
Lately, I’ve been working in Git for version control and one of the more interesting features is the ability to sign source code tags. Git is a distributed repository system and consequently, it is impossible to know if a given copy of the repository is official in any sense of the word. Cryptographic signatures alleviate this problem and Git uses GPG to do it. First, it is necessary to...
Dec 17th
November 2009
4 posts
4 tags
Publishing PGP Keys in DNS →
Dan Mahoney has written a new overview of publishing PGP keys via DNS: Publishing PGP keys is a pain. There are many disjoint keyservers, three or four networks of which, which do (or don’t) share information with each other. Some are corporate, some are private. And it’s a crapshoot as to whose key is going to be on which, or worse, which will have the latest copy of a...
Nov 18th
3 tags
Social Media and Identity Branding
This blog is about identity, and social media touches on that. Small and medium-sized enterprises (SMEs) are all over social media, and rightfully so. Social media provides SMEs the opportunity to level the advertising playing field and work directly with potential customers. And having a presence in multiple networks is equally critical, since the users are everywhere. Quite a few, I’ve noticed,...
Nov 13th
2 tags
Personal and Professional Identities on One Key
OpenPGP provides the ability to associate a key with multiple email addresses. This is handy if you are both john.doe@example.com and jd@example.com at work, and adding both identities to your OpenPGP key is best because you cannot control what address outsiders use for you. But you might also have a personal email account at Gmail or Hotmail. Should you add this identity to the same key as your...
Nov 10th
2 tags
Understanding Key Versions
Though not necessary for most modern users of PGP, understanding PGP key versions can shed light on other questions. There are two key versions which are relevant: PGP Version 3 (V3) and PGP Version 4 (V4). V4 keys were introduced by NAI’s PGP 5.0, which the OpenPGP standard is based on. The standard refers to V3 keys as “old format” and V4 keys as “new format.” New...
Nov 2nd
October 2009
5 posts
6 tags
GSWoT's Single Assurance Model
In contrast to the multiple assurer model, there is a single assurance model. The most interesting of the single assurer models is the Gossamer Spider Web of Trust, or GSWoT, which calls its assurers introducers. Like CAcert and Thawte, GSWoT introducers are volunteers who perform assurances as a part of other activities. GSWoT introducers, however, do not earn points and are drawn from the ranks...
Oct 26th
2 tags
Photos on PGP Keys
Earlier this week, I changed my profile picture on Twitter, Facebook, and other websites and decided the photo on my PGP key should match. This is a quick tutorial on PGP key photos. PGP keys permit photos to be recorded on the key and are treated like other user IDs, in that they can be signed by others. Image types are limited to JPEG. Generally, it is a set-it-and-forget-it process. So...
Oct 22nd
6 tags
The Multiple Assurer Model of CAcert and Thawte
Identity assurance systems are surprisingly interesting. Two, which work in basically the same way, are CAcert and the Thawte Web of Trust. In each system, a person can register for a free account through the web and is then required to obtain points from assurers. Assurers work as volunteers, though some may charge small fees for their work.  Many assurers are certified to grant points within...
Oct 19th
5 tags
The PGP Global Directory Verification Key
Below is a highly abbreviated output of gpg --list-sigs for my public key, 0xE6602099, specifically the output for user identity jh@jameshoward.us:
pub 4096R/E6602099 2009-08-30
uid James Patrick Howard, II <jh@jameshoward.us>
sig 2 1 3C4A1809 2009-09-02 GSWoT - Gossamer Spider Web of Trust
sig 3 1 6126D1F5 2009-08-30 James Patrick Howard, II
sig P ...
Oct 15th
3 tags
An Inaugural Post
This is a new blog dedicated to OpenPGP and related topics.  OpenPGP, itself, is a standard for encrypting and signing digital data.  Some of the related issues might include identity management, X.509, and even social media. I started this because so much of the material surrounding OpenPGP is so poorly documented.  While several books exist, they do not provide much insight into the nuances of...
Oct 12th
1 note