Help with OpenPGP plugin in Mozilla Thunderbird and Claws Mail

Mark H. Wood mwood at IUPUI.Edu
Wed Feb 16 15:54:39 CET 2011


I'm going to stick my non-expert neck out, because this seems to need
more than a brief answer.

On Tue, Feb 15, 2011 at 05:38:47AM -0800, AgoristTeen1994 wrote:
> 
> Okay thanks for the help though I'm still somewhat confused...I understand
> that the key id is the entire keypair, but then how do I found out what is

No; the key ID *names* your keypair.  The public and private keys are
much larger objects.  The ID is related to them but doesn't contain
them.  The ID is used to identify particular pairs.

> just my public key, and just my secret key, the reason I'm asking is that if
> I want to give my public key to someone, then I apparently give the entire
> keyid since that has my secret key too..or am I wrong on that and I can give
> them the entire keyid? Thanks again and have a nice day.

Ultimately, someone who wants to verify signatures from you or send
privacy-protected messages *to* you using GnuPG will need a copy of
your public key.  You can deliver the public key itself, or you can
publish your public key on a keyserver and give correspondents your
key ID, which is usually enough to identify your public key, and they
can use the ID to fetch a copy of the key from the server.

The advantage of sharing the ID is that it is short enough to just type
into an email or write by hand in a letter, while the keys themselves
are a few *hundred* characters long.  I could easily learn my key ID,
but the key itself (7122 characters!) is far beyond my power to
recall.

The advantage of delivering key copies directly is that you control
the distribution of your public key (assuming you can trust your
correspondents to honor your wishes).  A published key can be fetched,
signed, and resubmitted by *anyone*.  Some people have reason to desire
control over who signs their keys.  Their reasons have been discussed
on this list.  Keys can be exported to removable storage or attached
to a message.

The way I would proceed:

1.  Get a list of your secret keys and locate the one you want to work
    with.  You probably only have one so far, so this is pretty
    simple.

2.  Note the key ID.  It's an 8-character hexadecimal number.

3.  Locate the public key with the same ID.  That's the public key you
    are trying to distribute.

4a. If you intend to give copies of your public key to your
    correspondents, export that key to a file.  If you are offered the
    option of producing an "armored" key file, you probably want that
    -- the resulting file is all printable characters and travels well
    through email.  Unarmored files are binary and can be damaged by
    some methods of transmission, but have their uses too.

4b. If you intend to publish your public key to a keyserver, this is
    the key to publish.  Tell your correspondents the ID to fetch.  Or
    just start signing messages on the assumption that their message
    agents offer options to fetch and verify keys from keyservers.

Specifically how you do all that depends on which tool you are using.

The following use commandline tools because that's what I use.  If you
are using a GUI tool then it should offer similar operations.

You can get a list of your secret keys using "gpg
--list-secret-keys".  You'll see something like:

  /home/foobar/.gnupg/secring.gpg
  -------------------------------
  sec   1024D/12345678 1858-11-01
  uid                  A. User (an optional comment) <auser at example.com>
  ssb   1024g/87654321 1858-11-01

The middle column of the "sec" line is the size, type, and ID of the
key.  The ID is the part after the slash.  You can double-check this
by then using "gpg --list-public-keys 12345678" (or whatever your key
ID is).  You should see a similar display except that it says "pub"
instead of "sec".

You probably have only one secret key so far, so figuring out which ID
to use is pretty easy.  If you ever have more than one, use the "uid"
lines to figure out which is which.

Now that you have your key ID, you can send your public key to a
keyserver if that is how you want to work.  "gpg --send-keys 12345678
--keyserver keybucket.example.com" will publish the key with id 12345678
to the server keybucket.example.com.  To fetch someone else's key, use
--recv-keys and the other person's ID instead of --send-keys and your
ID.

There are a number of public keyservers.  Their merits have been
discussed on this list.

If you'd rather deliver copies of your public key individually, you
can get it using "gpg --armor --export 12345678 > public-key.asc".
The new file public-key.asc will then contain an "ASCII-armored" copy
of your public key suitable for importation into someone else's
OpenPGP implementation.  You may be as open or secretive as you wish
with this file, as it doesn't contain your private key.

GnuPG has *many* other functions and options.  GUI tools in front of
it are similarly endowed.  You should look them over so that you know
what's available to you.  You don't have to understand every single
one of them right away, though you *do* need to thoroughly understand
the ones you use.

Just the use of personal cryptography is a large and complex topic.
I recommend you do some further reading before relying on your
understanding (or mine!) for the protection of sensitive matter.  It's
easy to do things that only make you *think* you are secure.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
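The steps Mark lays out (find the secret key, read its ID off the "sec" line, export the public half as an armored file, and make sure what you hand out is the public block and not the private one) as an added shell example; this is not code from the original message or from GnuPG. The listing it parses is a constructed copy of the one shown in the post, the `--with-colons` records are a constructed, abridged version of GnuPG's machine-readable format, and the two armored files are header-only placeholders rather than real key material; the actual `gpg` calls are wrapped in a function that only runs when `gpg` is installed.

```shell
#!/bin/sh
# Added example, not code from the original message. It walks the steps in
# the post (find the secret key, note its ID, export the public half) against
# constructed gpg output, so it runs without a keyring; the real gpg calls are
# kept in a function you can run once a keyring exists.

# --- Constructed input: the gpg 1.4-style listing shown in the post ---------
SAMPLE_LISTING='/home/foobar/.gnupg/secring.gpg
-------------------------------
sec   1024D/12345678 1858-11-01
uid                  A. User (an optional comment) <auser@example.com>
ssb   1024g/87654321 1858-11-01'

# --- Constructed, abridged input in "gpg --with-colons" form ----------------
# Field 1 is the record type, field 5 the key ID (16 hex digits here);
# algorithm 17 is DSA and 16 is ElGamal, matching the 1024D/1024g pair above.
SAMPLE_COLONS='sec:u:1024:17:0123ABCD12345678:1858-11-01:::::::::
ssb:u:1024:16:0123ABCD87654321:1858-11-01:::::::::'

# Step 2 of the post: the key ID is the part of the "sec" line after the slash.
# Reads a human-readable listing on stdin and prints the first secret key's ID.
key_id_from_listing() {
    sed -n 's|^sec[[:space:]]\{1,\}[0-9]\{1,\}[A-Za-z]/\([0-9A-Fa-f]\{8\}\).*|\1|p' | head -n 1
}

# Same step for machine-readable output ("gpg --with-colons --list-secret-keys"),
# which is the form scripts should parse: field 5 of the "sec" record is the ID.
key_id_from_colons() {
    awk -F: '$1 == "sec" { print $5; exit }'
}

# Step 4a: classify an armored file by its first line.  The post's point is
# that the file you distribute must be the *public* block.
armor_kind() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN PGP PUBLIC KEY BLOCK-----')  echo public ;;
        '-----BEGIN PGP PRIVATE KEY BLOCK-----') echo private ;;
        *)                                       echo unknown ;;
    esac
}

# Returns 0 only if the file carries no private-key block anywhere, i.e. it is
# the kind of file you may be "as open as you wish" with.
safe_to_share() {
    ! grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$1"
}

# The real export command from the post, wrapped so it only runs when gpg
# exists, and followed by the check above.  Usage: export_public_key 12345678 public-key.asc
export_public_key() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    gpg --armor --export "$1" > "$2" && safe_to_share "$2"
}

# Demo on the constructed data.  The armored files are header-only placeholders;
# a real export carries base64 key material between the header and footer.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '(body omitted)' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$tmp/public-key.asc"
    printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '(body omitted)' \
        '-----END PGP PRIVATE KEY BLOCK-----' > "$tmp/secret-key.asc"
    echo "short key ID from listing: $(printf '%s\n' "$SAMPLE_LISTING" | key_id_from_listing)"
    echo "long key ID from colons:   $(printf '%s\n' "$SAMPLE_COLONS" | key_id_from_colons)"
    for f in "$tmp/public-key.asc" "$tmp/secret-key.asc"; do
        if safe_to_share "$f"; then
            echo "$f: $(armor_kind "$f") block, fine to give to correspondents"
        else
            echo "$f: $(armor_kind "$f") block, keep this one to yourself"
        fi
    done
    rm -rf "$tmp"
}
demo
```

The human-readable listing is what the post's version of GnuPG printed; newer releases lay the "sec" line out differently and add a fingerprint line, so anything that has to parse the output unattended should use `--with-colons` as `key_id_from_colons` does rather than scrape the display format.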