From: Zak Rogoff Date: Wed, 4 Jun 2014 23:54:02 +0000 (-0400) Subject: Working on Section 4. X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=eacb2880c2c8b55823f895abf041cb62c757bd42;p=enc.git Working on Section 4. --- diff --git a/index.html b/index.html index e03cdf6e..c69171ef 100644 --- a/index.html +++ b/index.html @@ -262,8 +262,12 @@

#4 Learn the Web of Trust

-

Email encryption is a powerful technology, but it has a weakness; it requires a way to verify that a person's keypair is actually theirs. Otherwise, there would be no way to stop an attacker from making an email address with your friends name, creating a keypair to go with it and impersonating your friend. They would then be able to impersonate your friend by signing messages with the private key they'd created, and decrypt messages intended for your friend with the public key.

-

That's why the programmers that developed email encryption created keysigning and the Web of Trust. Keysigning allows a person to publicly state that they trust that a public key belongs to a specific person. To sign someone's public key, you need to use your private key, so the world will know that it was you.

+

Email encryption is a powerful technology, but it has a weakness; it requires a way to verify that a person's public key is actually theirs. Otherwise, there would be no way to stop an attacker from making an email address with your friends name, creating keys to go with it and impersonating your friend.

+ +

That's why the programmers that developed email encryption created keysigning and the Web of Trust. When you sign someone's key, you are publicly saying that you trust that it does belong to them and not an impostor.

+ +

People who use your public key can see the number of signatures it has. Once you've used GnuPG for a long time, you may have hundreds of signatures. The Web of Trust is the constellation of GnuPG users, connected to each other by chains of trust expressed through signatures, into a giant Web. The more signatures a key has, and the more signatures it's signers' keys have, the more trustworthy that key is.

+
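Review bot: the new closing sentence of this hunk, "the more signatures it's signers' keys have, the more trustworthy that key is", has a typo ("it's" should be "its") and overstates what a signature count tells the reader: the same paragraph explains that an attacker can create keys at will, so an attacker can equally create keys that sign each other, and a raw count only means something when the signing keys are ones the reader already has reason to trust. Suggest "its signers' keys" plus a qualifier along the lines of "signatures from keys you already trust count for more than sheer numbers". Dropping the old sentence about decrypting "with the public key" is the right call, since decryption uses the private key.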
@@ -277,9 +281,18 @@

Right click on Adele's public key and select Sign Key from the context menu.

In the window that pops up, select "I will not answer" and click OK.

In your email program's menu, go to OpenPGP → Key Management → Keyserver → Upload Public Keys and hit OK.

-

You've just effectively said "I trust that Adele's public key actually belongs to Adele." This doesn't mean much because Adele isn't a real person. Before signing a real person's key, always make sure it actually belongs to them, and answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".

-

It's important to take keysigning seriously because it will affect people beyond just you and the person who's key you are signing. If someone doubts that a key actually belongs to the person that is says it does, they can go on a keyserver and see the number of signatures that it has. The more it has, the more they are likely to trust it.

-

The Web of Trust takes this concept to the next level. It is a network of key signatures that is saved in keyservers on the Internet. It builds chains of trust between individuals that do not know each other by passing through others, a bit like the famous "six degrees of separation" game. You don't need to understand it in detail to use email encryption, but it will become a powerful tool if you become an advanced user.

+

You've just effectively said "I trust that Adele's public key actually belongs to Adele." This doesn't mean much because Adele isn't a real person, but it's good practice.

+ + + +
+
+

Important: check people's identification before signing their keys

+

Before signing a real person's key, always make sure it actually belongs to them, and answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?". The only way to truly make sure it belongs to them is to talk to them in person or on the phone, and have them give you identifying information (like a government ID), along with their key ID.

+
+
+ +
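Review bot: the new "Important" paragraph tells readers to verify identity "along with their key ID", but a key ID is only a short suffix of the key fingerprint and is not enough to confirm which key is about to be signed; recommend telling readers to compare the full fingerprint (read aloud or on a printed card) rather than the ID. It would also help to say in the Adele steps that "Upload Public Keys" publishes your signature on the key to public keyservers, so readers understand that the signing decision is visible to others.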
@@ -310,7 +323,7 @@

The more you can encrypt your messages, the better. This is because, if you only encrypt emails occasionally, each encrypted message could raise a red flag for surveillance systems. If all or most of your email is encrypted, people doing surveillance won't know where to start.

-

That's not to say that only encrypting some of your email isn't helpful -- it's a great start and it makes bulk surveillance more difficult. And even people that encrypt as much as they can are still limited to those of their contacts that have public keys.

+

That's not to say that only encrypting some of your email isn't helpful -- it's a great start and it makes bulk surveillance more difficult. And even people that encrypt as much as they can are still limited to those of their contacts that have public keys.

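Review bot: the removed and added paragraphs in this hunk are word-for-word identical, so the change is markup only; if that is intended, the commit message ("Working on Section 4.") should say so, otherwise drop this hunk so the diff is limited to the actual text changes.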
@@ -344,7 +357,7 @@

Make it part of your online identity

-

Start writing your key ID anywhere someone would see your email address. Add it to your email signature, so that anyone corresponding with you knows that they can donwload your public key and verify that it's the correct one. It's also good to post it on your media profile, blog, Website, or business card. We need to get our culture to the point that we feel like something is missing when we see an email address without a public key ID.

+

Start writing your key ID anywhere someone would see your email address. Add it to your email signature, so that anyone corresponding with you knows that they can donwload your public key and verify that it's the correct one. It's also good to post it on your media profile, blog, Website, or business card.

We need to get our culture to the point that we feel like something is missing when we see an email address without a public key ID.

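Review bot: the added line carries over the "donwload" typo from the removed line; since the line is being touched anyway, fix it to "download" (and lowercase "Website" to match "blog" and "business card"). Splitting the culture sentence into its own paragraph reads fine.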
diff --git a/static b/static index a1aef0bb..bcf35a0d 160000 --- a/static +++ b/static @@ -1 +1 @@ -Subproject commit a1aef0bb942f847084f6a0b1a45726896a66d5c5 +Subproject commit bcf35a0d86c7843a58dbeef7cb9e52051891568d
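Review bot: the static submodule pointer is bumped in the same commit, but the commit message "Working on Section 4." does not mention it; either note the submodule update in the message or commit it separately so the content change can be reviewed on its own.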