signing documents and others

Faramir at
Sat Sep 27 08:30:05 CEST 2008

Hash: SHA256

Lawrence Chin escribió:

> After being too busy, I'm back with questions and questions....

  It seems there is a lot people busy, I have seen little traffic in the
last 2 days... So I will dare to try to answer some of your questions...
but remember I am not an expert, and my answers are "as far as I know"
or "if I understood it right...". If someone else reply something
different, probably that is the good answer (and mine is the wrong one)...

> I'm using writer. I don't know how many of you are
> familiar with it. My first question is:

  I know it... but I am still learning how to use it.

> (1) I notice that openoffice writer allows you to digitally sign the
> document created. But I already noticed that I can sign and encrypt any
> document I have created with GPGEE's context menu. Are the two really
> the same thing?

  No, are 2 different kind of signatures. As far as I know, there are 2
"families" of certificates/signatures. One is x.509 certificates, used
for SSL (to use https "secure" connections), these certificates allow to
sign files and encrypt data. Usually, they are issued by a CA (see for details).
Basically, there is an organization that has its own private key, and it
uses it to sign certificate request from people (or organizations). They
must verify the identity of the people requesting the certificate,
before issuing the certificates.

  If they have a good policy about how to verify these identities, and
they manage their key in a secure way (to avoid it being stolen), they
can make browser manufacturers to consider them trust worth, and they
will include their "root certificate" in the browser's list of "trusted
CA's". So, basically, if I sign a message with my certificate issued by
Thawte, your browser or email client will see my signature, it will see
it was signed by Thawte, and it will check if Thawte is in its "trusted"
list. And it will trust I am who I say I am, because it trusts Thawte.
  It is something like asking: "Dady, can I go to play with that man?
Yes, son, you can, because I know him, and I think he is not a bad guy".

  That is the kind of certificates OpenOffice needs to sign files.
Thawte issues free certificates for email encryption (and surprisingly,
they can sign files too, I just tried with mine, and it worked). The
only thing Thawte knows about me, is my email address, any other info I
gave them can be false, they didn't verified it (and for that reason,
they didn't include my name in my certificate, because they are not sure
if I told them the true). If I use their mechanisms to be verified, then
I could ask them to give me a certificate with my name on it.

  GnuPG works in a different way, and with a different kind of
certificates. There is no "daddy" saying whou you can trust, you must
verify the identity of the people by yourself. But if you trust one of
your contacts is who he claims to be, and if you trust he really cares
about other people identity before signing their keys, then you can
trust that people using keys signed by your contact, are also who they
claim to be. This is like asking your friends if you can trust somebody.
If they know him, and they trust him, you can say "the friends of my
friends are my friends too" and trust him... or you can say "my friend,
I know you very well, and I trust you, but I know you trust other people
too easily... so don't be offended, but I need more info before deciding
I can trust your friend".

  This is a very simplified explanation about how does this work, there
are a lot more things to know, but I think it is enough to notice the
difference between the 2 systems.

  Both kind of certificates follow a different standard, and they are
not compatible, so an OpenPGP key can't be installed to be used directly
with OpenOffice.

   But GnuPG can sign files, so you can write the document, save it, and
sign it using GnuPG. OpenOffice won't detect the signature, but you can
check it externally (using GnuPG) and be sure the file has not been

> (2) In the "help" file of, it says:
> "When you receive a signed document, and the software reports that the
> signature is valid, this does not mean that you can be absolutely sure
> that the document is the same [as] that [which] the sender has sent.

  I am not sure if that is true... The signature should be able to prove
the file was sent by the guy that holds that certificate... the problem
is to know if that sender is who he is claiming to be... If you don't
trust the CA that issued the certificate used to sign the file, you
can't trust the signature.

> Example: Think about someone [who] wants to camouflage his identity to
> be a sender from your bank. He can easily get a certificate using a
> false name, then send you any signed e-mail pretending he is working for
> your bank. You will get that e-mail, and the e-mail or the document
> within has the "valid signed" icon. Do not trust the icon. Inspect and

  Well, I can ask a free domain and a free host, and make an email
account like bankmanager at and get a certificate issued to
that account, and the messages signed by that certificate will show a
good signature, since the signature is not broken... but if you take a
look at the signature, you should notice you real bank domain doesn't
end with "", but with ".com", so you would know I am trying to
impersonate your bank manager... and that is the reason why the help
file ask you to read the certificate details, and to don't trust the
signature just because it is not broken.

  With GnuPG it would be harder to fake an identity, since the only
trusted signatures, are the signatures made with keys you, or the people
you trust to check identities, have signed. You would say "hey, nice
signature... but I don't know you, so go to scam someone else".

> used. You must ensure that the files that are in use within your system
> are really the original files that were supplied by the original
> developers. For malevolent intruders, there are numerous ways to replace
> original files with other files that they supply."

   Yes, sure... with so little system files in windows, it should be
easy to check then one by one to be sure they are not fake... since I
just have 5260 files in my system32 folder, supposing I need just 20
seconds to check them, it would take just 29,2 hours, without stopping
even to go to the bathroom... Sure, I can run an antivirus, but there is
no warranty it would discover the fake files...

> I have very little idea even til now as to what exactly certificate

  They do almost the same thing the GnuPG public key does, and since
your own certificates include the private key, they do, for you, almost
the same thing than your own GnuPG keys do. But they do it in a
different way.

> does. I suppose I get a certificate with CaCert to validate my identity
> and then get them to sign my keys? But what's the "Windows system of

  They would sign your certificate request (your x.509 compliant public
key). They also have OpenPGP keys, but I am not sure what do you need to
do to make them sign your GPG keys.

> validating a signature"? (I use Vista and IE) On the "Certificates"

  I don't really know, I didn't even know how to make OpenOffice to use
my certificate to sign files... until I started replying this message,
and I checked the help file you talk about. Now I have already signed my
first document :D

> windows in the "internet options" in my IE 7 browser, I saw that there
> are a lot of certificates of big companies listed in "trusted root
> certificate authorities" and "intermediate certification authorities",

  That is the list of valid companies that are supposed to verify
carefully people's identity before signing their certificates. CAcert is
not included by default in that list... and it is harder to get a
certificate capable of signing files from them than from Thawte, which
is included by default in most browsers...

> but none in "other people" and "personal". I suppose if I can get a
> x.509 through CaCert, then I would put that x.509 in "personal"? Is that
> right?

  That is right, but you also need to import CAcert root and
intermediate certificates, because they are not pre loaded in windows,
or in firefox, or in opera... They are trying to be included in the main
browsers, but it takes time, effort, and money... and since CAcert is

> I got more questions.
> (3) To tell you guys the truth, I don't even know where my private keys
> and my key ring are stored in my computer. Do you guys know the possible
> file names and path?

  secring.gpg, pubring.gpg and trustdb.gpg. But I don't know where are
they located in your computer... I installed GnuPG with default options,
and it placed them in a different place than they where supposed to be
(according to some replies about the subject I have seen).

> (4) And -- I know this question must have been asked 100 times already
> here, but I want to ask instead of spending the next 3 hours doing
> research -- how exactly to save my private keys onto like a USB drive or
> a CD?

  I don't really know that one... you can export your key (for backup
purposes), or you can just copy the whole keyrings into the USB drive or
CD... if you want to do the second option, search for the files
secring.gpg, pubring.gpg and trustdb.gpg and copy them to a safe place.
If you want to back up just your keys, use Enigmail's Key Manager (and
create the revocation certificates too... BUT NEVER IMPORT THEM (the
revocation certificate) unless you really need to do it... there is no
confirmation, as far as I remember... and if you make a mistake and
import it, DONT UPLOAD IT to the keyserver, or your key will be revoked
and there is no way to un-revoke it. If you have a back up of your key,
delete the revoked key from your keyring, and import the backup. If you
don't have a backup... ask for help here, maybe somebody knows how to
"un-revoke" it in your keyring... but once you upload a revoked key to a
keyserver, the key is revoked and nothing will change that (unless the
server explode before being able to propagate the key).

> (5) How to add an additional UID to my kurt c key on the keyserver? I
> want to add my real name to it.

  You need to add an UID to your key, and then upload your public key
again... for details about how to do it, RTFM... (just joking), to tell
you the true, I don't remember how to do it, but I bet I can get the
answer in 3 minutes.

  Ok, it should be as this:

c:\>  pgp --edit-key AE235FTZ0 (your key's number)
c:\>  adduid
     and fill the fields gpg will show you. To save the changes, you
need to enter the command 'save', if you just enter 'quit' the changes
won't be saved.

    I think maybe you would like to set the new UID as primary UID for
the key... but maybe it would be done automatically, since it would be
the most recent (the last added). If it is not done... this is just a
'guess', I have not tried it... but I think you would need to:

c:\>  pgp --edit-key AE235FTZ0 (your key's number)
c:\>  uid n (instead of n, put the number of the UID you want to be the
primary one)
c:\> primary

  Don't forget to 'save' (without the '' signs) before quit...

> Thanks for helping out an idiot here.

  Nobody was born knowing things (other than how to cry, how to drink
milk, and how to... well, that is a body function...). I have asked
almost exactly the same questions (and I hope I could recall the answers
correctly), about 3 months ago... and I am still learning the basic stuff...

  Best Regards
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


More information about the Gnupg-users mailing list