Lost Newbie

brian moore bem at cmc.net
Sat Sep 26 20:07:28 CEST 1998 

On Sat, Sep 26, 1998 at 08:35:05PM -0500, Richard Lynch wrote:
> At 8:36 AM 9/25/98, Kirk Fort wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >Alright, Ill do my best to try to explain some stuff to you.
> 
> I'm doing my best to understand it all, but it ain't enough.

PK crypto is cool though. :)

> >To generate a secret/public keypair, run gpg --gen-key
> 
> My elation at having a menu was dashed by my inability to understand which
> choice was best for my particular application.

When in doubt, take the default.  1 will do.

> I guessed 3), since I don't think I need the stuff to be signed.  I'm
> sending an online order to be run through a credit card machine at my
> client's real-life store.  I suppose somebody could try to prank somebody
> else by ordering coffee or CDs for them, but since there's no profit in it
> to the forger, I'm currently not worried about it.  Y'all will probably
> rain on my parade real soon in this matter, though.  :-)

Well, it won't hurt, but 1 is better.  You will want to sign things...
the first thing you'll want to sign is your key.  (Don't trust a key
that even the owner isn't willing to sign.)

> Then I put in my client's name, e-mail, and a comment.  Whoo Hooo.  I seem
> to have generated a key and a secret key.  Damned if I know what the
> difference is or how to use them, though.

But look here:

> >Data that is encrypted with a public key can only be decrypted by the
> >matching secret key.  The secret key is protected by a password, the
> >public key is not.
> >
> >So to send your friend a message, you would encrypt your message with his
> >public key, and he would only be able to decrypt it by having the secret
> >key and putting in the password to use his secret key.
> 
> Sounds good.  'Cept I'm unclear on the difference between a password and a
> secret key...  Why does he need both?  Not a big deal:  I just don't get
> it.

The password is only part of the secret key.  The real secret key is a
combination of the password and the one on the 'secring.gpg'.  This, in
effect, lets you have far more secure passwords than just a dozen or two
characters.

> I got as far as trying to ASCII encrypt a file, and then I got this:
> 
> [chatmus at ruby gpg]$ ./gpg -vae  /home/c/h/chatmus/test.txt
> gpg: this is a PGP generated ElGamal key which is NOT secure for signatures!
> gpg: key 812E70CE, uid 2640: invalid self-signature: Unknown pubkey algorithm
> gpg: key 812E70CE, uid 2640: invalid user id - removed
> gpg: key 812E70CE: no user ids - rejected
> gpg: key 812E70CE: can't put it into the trustdb

It doesn't like your key since it can't be signed..... since you don't
have a secure way to sign it.

Go back and generate a sign/encrypt key.  They are useful.  (And you
never know when you may need to sign things: if I can get the Internic
to take my GPG key, I'll switch to PGP checking on all our stuff, which
will make me feel better at night...)

> gpg: Ooops: Ohhhh jeeee ... (pkclist.c:538:select_algo_from_prefs)
> secmem usage: 1472/1472 bytes in 3/3 blocks of pool 1472/16384

Well, that looks like a bug. :)
> 
> Why do I get the idea that I've found a bug, or I'm just doing something
> that nobody who knew what they were doing would try?  :-)
> 
> What's with the "insecure memory"?  Can I make it secure?  Or should I not
> worry?  Or what?

Set gpg to be setuid root and you can.  (This keeps other processes from
snooping your memory to steal your data while it's there: it's not
absolutely critical, but paranoia is a good thing.)

I gather you're not root on this machine, so it may not be possible, but
I wouldn't stay up late worrying about it.

> And how come it doesn't know who owns the key?
> Is it because:
> A)  I need to specify the client's name (or some other id)
> B)  I didn't pick one of the "sign and encrypt" options.

B)

> PS  Is somebody working on an "Introduction" yet?
> It ain't much, but I reckon I could try to start one.

Actually, that would be really useful.  The more people know how to use
and recognize a signature, the better.

-- 
Brian Moore                         | "The Zen nature of a spammer resembles
      Sysadmin, C/Perl Hacker       |  a cockroach, except that the cockroach
      Usenet Vandal                 |  is higher up on the evolutionary chain."
      Netscum, Bane of Elves.                   Peter Olson, Delphi Postmaster

More information about the Gnupg-devel mailing list