[SATLUG] XCSSA Pre-GPG Keysigning Party "To-Do Steps" (if you
want your key signed March 17th)
horned0wl93 at gmail.com
Mon Mar 3 11:27:47 CST 2008
David Kowis wrote:
> Quoting ed <horned0wl93 at gmail.com>:
>> I have a few questions and problem:
>> 1. Apparently, per GPG setup instructions, I'd need a separate GPG key
>> for each email account?
>> 2. I've tested the setup using one of my email accounts, and have saved
>> the fingerprint as a screen shot, but don't know how to access/print it
>> any other way. Suggestions?
> I recommend this document to follow for generating keys and such.
> I also have some beef with the suggestions on the XCSSA site.
> Particularly with the age of the keys and the encryption algorithms.
> According to http://www.gnupg.org/gph/en/manual.html#AEN526 :
> "It is almost always the case that you will not want the master key to
> expire. There are two reasons why you may choose an expiration date.
> First, you may intend for the key to have a limited lifetime. For
> example, it is being used for an event such as a political campaign
> and will no longer be useful after the campaign is over. Another
> reason is that if you lose control of the key and do not have a
> revocation certificate with which to revoke the key, having an
> expiration date on the master key ensures that the key will eventually
> fall into disuse.
> Changing encryption subkeys is straightforward but can be
> inconvenient. If you generate a new keypair with an expiration date on
> the subkey, that subkey will eventually expire. Shortly before the
> expiration you will add a new subkey and publish your updated public
> key. Once the subkey expires, those who wish to correspond with you
> must find your updated key since they will no longer be able to
> encrypt to the expired key. This may be inconvenient depending on how
> you distribute the key. Fortunately, however, no extra signatures are
> necessary since the new subkey will have been signed with your master
> signing key, which presumably has already been validated by your
> Basically, unless you want your signing key to expire, it shouldn't.
> That way you retain the signatures. However, you want your encryption
> key to expire so that it's no longer used. The main factor of
> encryption is how long the data is valid for. If it's extremely
> important, but isn't useful after a week, encryption that can't be
> brute-forced within a week (reasonably) is probably good enough.
> Also I would recommend using RSA encryption as opposed to El-Gamal. I
> think there might be another algorithm, but I can't remember at the
> moment. The 4096-bit key length is good :)
> Just my $0.02
This is a great response, and I've saved the web site for later perusal,
but it doesn't address my primary questions:
1. Once I've generated a key-pair (and I have...), how do I find the
fingerprint, aside from the screen shot I saved?
2. Do I need to do a separate key-pair/fingerprint for each email
address I use?
3. Since I can't make the signing party due to teaching commitments, how
can I get them signed?
4. What then?
Thanks for all your help!
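The fingerprint question is left open in the thread; the human-readable form comes from `gpg --fingerprint <keyid>`, and the added example below (not from this list or from GnuPG) parses the machine-readable `gpg --with-colons --fingerprint` output instead, prints the fingerprint in the same 4-character grouping, and checks a key against the expiry and algorithm advice David quotes. The sample output is constructed; the key IDs and user ID in it are placeholders.

```python
# Constructed sample of `gpg --with-colons --fingerprint` output (not a real
# key). Fields: type:validity:bits:algo:keyid:created:expires:...:caps, with
# dates as seconds since the epoch and an empty 'expires' meaning "never".
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1204560000::::::scESC::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1204560000::0000000000000000000000000000000000000000::Ed Example <ed@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1204560000:1236096000:::::e::::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""
ALGO = {1: "RSA", 16: "ElGamal", 17: "DSA"}  # OpenPGP public-key algorithm ids

def parse_keys(text):
    # One dict per primary key; an 'fpr' line belongs to the pub/sub line above it
    keys, key, last = [], None, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key = {"algo": ALGO.get(int(f[3]), f[3]),
                   "expires": int(f[6]) if f[6] else None, "uids": [], "subkeys": []}
            keys.append(key)
            last = key
        elif f[0] == "sub" and key is not None:
            last = {"algo": ALGO.get(int(f[3]), f[3]),
                    "expires": int(f[6]) if f[6] else None, "caps": f[11]}
            key["subkeys"].append(last)
        elif f[0] == "fpr" and last is not None:
            last["fpr"] = f[9]
        elif f[0] == "uid" and key is not None:
            key["uids"].append(f[9])
    return keys

def pretty(fpr):
    # The 4-character grouping that `gpg --fingerprint` prints
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def check_policy(key):
    # Deviations from the advice quoted above: the primary signing key should
    # not expire, the encryption subkey should expire and should be RSA
    problems = []
    if key["expires"] is not None:
        problems.append("primary key has an expiration date")
    for sk in key["subkeys"]:
        if "e" in sk["caps"] and sk["expires"] is None:
            problems.append("encryption subkey never expires")
        if "e" in sk["caps"] and sk["algo"] == "ElGamal":
            problems.append("encryption subkey is ElGamal, not RSA")
    return problems
```

Feed it your own keyring with `gpg --with-colons --fingerprint <keyid>` and a key that follows the quoted advice yields an empty problem list.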