Information for a GPG noob #9

Open

ELLIOTTCABLE opened this issue Oct 19, 2013 · 12 comments

Comments

@ELLIOTTCABLE

So, I've got an OpenPGP key. That much, I know. I know how to list my keys and get an identifier for the key I use. I know how to protect my private keys. But that is about all I know.

There's nothing in the README or help.txt to describe what I should be doing when I first invoke pkp. It asks me for my public-key server's IP or URL, and I know neither.

How do I find out what public-key server my keys are on?


Once I've figured out a server for my keys, I'm then left wondering which files pkp wants, when it asks for my public and private keys. All I, as a noob, know, is that it's created these two files: ~/.gnupg/pubring.gpg and ~/.gnupg/secring.gpg.

Are there other files I'm expected to pass? I only get the following errors:

> pkp
pkp 0.0.2
Your public address [an email or url]: me@ell.io
Your public-key server [ip or url]: keyserver.ubuntu.com
Path to your public key [hit enter to generate]: ~/.gnupg/pubring.gpg
Path to your private key [hit enter to generate]: /Volumes/Identity/secring.gpg
[ReferenceError: fs is not defined]
@heapwolf
Owner

I think the answer is, your keys are not on a public key server. :)

The overall idea of PKP is that public keys are posted publicly, and the more the better. Obviously, wherever you post them, you should 1. require auth, 2. reflect your public behavior and interactions with other people over time. Good examples of places to put your public key are Twitter, GitHub, Flickr, etc.

@ELLIOTTCABLE
Author

Maybe I misunderstand what you mean by server, then. You're not talking about a ‘GPG server’ in the sense of gpg --send-keys --keyserver keyserver.ubuntu.com <keyID>, then? You mean posting a file somewhere accessible over HTTP?

@dominictarr
Collaborator

@ELLIOTTCABLE that is correct.
Here is a discussion of the approach that pkp uses: dominictarr/cyphernet#4

@ELLIOTTCABLE
Author

@dominictarr so far, I'm still extremely confused. This is more confusing than Bitcoin! ;)

So, if I understand this at all, I need to:

  1. create a signed file, of some sort, using my identity-keys, that somehow says “I own http://github.com/ELLIOTTCABLE.”
  2. upload that, to http://github.com/ELLIOTTCABLE//blob/Master/SIGNED_STATEMENT.markdown.gpg (again, ‘or something’)
  3. somehow password-protect that (“a place where only that centralized identity can access.”), so, I guess, make that a private repository?
  4. … provide that URL to pkp as my identity.

So, all together, very very confusing. Never seen this process used anywhere else, is it some sort of standard format I've just not run into yet? Or is this something pkp-specific (and/or cyphernet-specific)?

@dominictarr
Collaborator

So, you have a car. Now, you want to prove to me that you own the car, i.e. that you control the car keys to that car. Here are some approaches you could use:

  1. give the keys to me. Now I can unlock the car, convincing me that you did have the keys. Except now I have control of the car. Thanks!

  2. open the car in front of me. This would persuade me that you have the keys, but unfortunately we both must be present at the same time. Also, you have to do this every time you want to verify ownership to someone.

  3. put a note on the dash, inside the car, that says "THIS IS ELLIOTTCABLE'S CAR. NO DOMINICS ALLOWED, SIGNED ELLIOTTCABLE". I am again persuaded that it is indeed your car, because who else would put such a note in their own car. Also, you signed it, so I can verify your signature through the window. Since you are the only person who can create your signature (in theory), there is no way someone else can do this.

Maybe they could steal the note from you, when you gave them a lift or something, but you could also include in the note a picture of the car, or the license plate, or both. Things that could be verified from the outside without breaking in to the car.

Okay. Was that less confusing than bitcoin?

This system is basically the same, except cars are users on web apps, and the dashboard is a place only you can write to, but is publicly readable.

http://github.com/ELLIOTTCABLE/ is a place that you can write to (because you have the password) but I can read from. So, if you place there a signed note claiming that place as your own, then I can verify it, but cannot alter it. Also, I can't claim things for you, because I don't have the ability to create your signature (i.e. your private key), so I can't go and create http://github.com/ELLIOTTCABLESMELLS/ and then convince anyone it's actually you, because there is no ELLIOTTCABLE signature. And also, I can't reuse the signature you created for http://github.com/ELLIOTTCABLE/, because that was for http://github.com/ELLIOTTCABLE/ and not http://github.com/ELLIOTTCABLESMELLS/.

@ELLIOTTCABLE
Author

That makes complete sense. So from that explanation, I don't need a private repository (didn't think that made any sense anyway; but playing newbie's-advocate here) … next question being, exactly what filetype is "a signature?" And what program generates one; and what format does the content take, exactly? (Just the URL it's going to verify?)

Related: is there a particular required name for the repository, or for the file? Or some sort of soft standard I should follow?

@dominictarr
Collaborator

Hmm, I'm not sure that has been 100% figured out yet.
It will probably just be JSON and be generated by pkp.
Maybe with your SSH keys? Although, I think that needs to be parsed specially to work with node's crypto stuff, which expects a PEM file.

@dominictarr
Collaborator

Oh, nice. There is one here:
https://github.com/joyent/node-http-signature/blob/master/lib/util.js

Although, it should be its own module.

@ELLIOTTCABLE
Author

… Hm. So how do SSH keys come into play? Thought this was all about GPG keys.

@dominictarr
Collaborator

At the end of the day, it's all the same. SSH uses public/private key pairs, and GPG uses public/private key pairs...

The problem is that GPG is way too complex to use, and like key signing parties?
That isn't scalable. The idea here is to create something simpler, that can be bootstrapped off the online identities that people already have.

@ELLIOTTCABLE
Author

Ah. I misunderstood the project entirely. This isn't to make using
existing GPG infrastructure simpler in the general case … it's to replace
GPG entirely, in the general case, using other existing infrastructure?
(GitHub / Twitter accounts, SSH keys … etceteras.)

Have I got that right?

@dominictarr
Collaborator

Yeah, at least to explore the possibilities of a PGP-like system that is simpler and more hackable.
