2009/PGP

From SIPB Cluedumps

Revision as of 23:06, 25 October 2009 by Pbaranay

Understanding PGP and Using GPG

Date: November 17, 2009, at 3:30 PM
Presenters: Stephen Woodrow (woodrow)
Location: 4-237
Abstract: PGP (technically OpenPGP) is a public-key cryptography system that is useful for signing/verifying and encrypting/decrypting messages and data. Unlike other public-key infrastructures (such as MIT's X.509 certificate system) that rely on an absolutely trusted root principal to authenticate all other principals in the system, trust in PGP is an individual decision where principals in the system attest to the authenticity of others, forming a distributed "web of trust." In addition to providing a secure means of encrypting and signing messages for yourself or others you communicate with, PGP is also used for signing and verifying software distributions and packages (Linux kernel, Ubuntu/Debian packages, etc.), or for signing your own code (i.e. with git-tag) on projects you work on.

This cluedump will begin with a brief overview of PGP (and a very brief overview of public-key crypto -- no discrete logarithms here) and why you should care, before diving into the details of the OpenPGP protocol and how it works. The second part of the cluedump will focus on the ways you can use GNU Privacy Guard (GPG), a common implementation of OpenPGP, to take advantage of the benefits of PGP. In particular, I will present a tutorial on how to set up a well-thought-out GPG installation (based on my frustration at the lack of good tutorials online today).
