
#1 2018-04-24 04:54:37

LithoUser
Member
Registered: 2016-11-17
Posts: 139

[SOLVED] GPG principles

Hello,

I'm trying to understand the principles of GnuPG and asymmetric encryption in general. I've begun to read the wiki about GnuPG, seen some videos, etc., and I've seen a few analogies that have made things more simple for me.

Before I go any further, I have 3 questions:

1. What are the name and email address used for exactly? I mean: who (me or everyone using my public key) can see the name? Who can see the email address?

2. Do I have to remember the name and email address used to create the key pair? Should I keep a note of them?

3. Do they have to make sense? I think I've understood that, for privacy reasons, I shouldn't give my real name and email address (because this one can change, too). But should they allow someone I want to use encryption with to recognize me? Say I want to use GPG to encrypt my emails with one of my friends: should my name and address allow him to know who I am? Or should sending him my public key with a random name (I've seen I could use a random UUID for this) and a random email address be enough?

I'm sorry for those questions, I'm sure they're pretty silly (maybe crazy too). I'd like to understand the whole thing the best I can before using it. Then I'll keep learning by using it ;)

Thanx for any answer!

Last edited by LithoUser (2018-04-24 15:14:42)


#2 2018-04-24 11:32:38

Awebb
Member
Registered: 2010-05-06
Posts: 6,285

Re: [SOLVED] GPG principles

1. Try gpg --list-keys. If you don't have any, try pacman-key --list-keys, which is just a wrapper around GnuPG.

2. gpg --list-secret-keys

3. If you want people to trust you, then you should be prepared to reveal a portion of your identity. If you want people in open-source development circles to trust you (or programmer folks in general), you should be prepared to sign everything with your real name. It really depends on what you are trying to do with what circle of people.


#3 2018-04-24 13:11:26

NoSuck
Member
Registered: 2015-03-04
Posts: 157

Re: [SOLVED] GPG principles

LithoUser wrote:

... I've seen a few analogies that have made things more simple for me.

I bet some of them used the phrase “public key”, when they should have said “public lock”.  If you manage to figure that one out, please let me know.

A name/email address simply gives meaning to your public lock.  The point of putting your lock out there in the big, ol' lockbox in cyberspace is so that others can send encrypted messages to the lock's associated destination.  So yes, everyone can see the name/email address you provide.  If you wish to remain anonymous, make a new identity with a new email address.  And even if you don't wish to remain anonymous, use a different lock for, say, encrypting files on your hard drive than you do for communication.

Be prepared for disappointment.  Most people are not yet capable of encrypted communication (the good ones usually are, though).


#4 2018-04-24 13:24:11

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [SOLVED] GPG principles

LithoUser wrote:

1. What are the name and email address used for exactly? I mean: who (me or everyone using my public key) can see the name? Who can see the email address?

It's used for telling people who you are. I would not trust the identity of "gfdswelkmnk <gfdswelkmnk@nou.mystery>", because... that's kind of defeating the purpose of using a technology designed to securely verify you are who you say you are using a stable identity token.

Why on earth would you not want people to know who you are when you give them a thing designed to let them know who you are? If you don't want to tell everyone your private email address, how do you intend they communicate with you? The solution to this is to give out a public email address that people *can* use...

2. Do I have to remember the name and email address used to create the key pair? Should I keep a note of them?

I assume you already have notes for your email addresses. I hope you don't need notes to remember your own name, but in all fairness some people do not like to link their internet aliases with their real names, so you may prefer to only identify yourself as e.g. "LithoUser <lithouser@gmail.com>".

3. Do they have to make sense? I think I've understood that, for privacy reasons, I shouldn't give my real name and email address (because this one can change, too). But should they allow someone I want to use encryption with to recognize me? Say I want to use GPG to encrypt my emails with one of my friends: should my name and address allow him to know who I am? Or should sending him my public key with a random name (I've seen I could use a random UUID for this) and a random email address be enough?

If your email address changes, you can use gpg --edit-key to edit your private key and add or remove name/email combinations. PGP keys can have multiple UIDs associated with them.

Again, they should make as much sense as you want the person receiving them to be able to comprehend. If you don't even tell your own friends who you are, why should they trust some random stranger only known by a random UUID?


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

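To make the points in #2 (look at `gpg --list-keys`) and #4 (a key can carry several UIDs, each a name/email pair that every holder of the public key sees) concrete, here is an added example that is not from any poster: a small parser for the machine-readable `gpg --with-colons --list-keys` format. The listing it reads is constructed; the key ID, fingerprint and addresses are made up.

```python
"""Parse `gpg --with-colons --list-keys` output and report, per key, the
user IDs (name, comment, email) that anyone holding the public key can see."""
import re

# Constructed sample of `gpg --with-colons --list-keys` output (made-up key
# ID, fingerprint and addresses). One primary key carries two UIDs; the
# second contains a ':' which gpg escapes as \x3a in this format.
SAMPLE_LISTING = """\
tru::1:1524567890:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1524567890::-:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1524567890::0000000000000000000000000000000000000001::LithoUser <lithouser@example.invalid>::::::::::0:
uid:u::::1524567900::0000000000000000000000000000000000000002::LithoUser (work\\x3a home office) <litho@work.example>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1524567890::::::e::::::23:
"""

# "Name (comment) <email>"; comment and email are optional in a UID
UID_RE = re.compile(r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*(?:<(?P<email>[^>]*)>)?$")


def unescape(field):
    """Undo gpg's \\xNN escaping of ':' and non-printable bytes in a UID field."""
    data = re.sub(rb"\\x([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), field.encode("utf-8"))
    return data.decode("utf-8")


def parse_listing(text):
    """Return [{'keyid', 'fingerprint', 'uids': [{'raw','name','comment','email'}]}]."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":                     # primary key: field 5 is the key ID
            keys.append({"keyid": fields[4], "fingerprint": None, "uids": []})
        elif rtype == "fpr" and keys:          # fingerprint record: field 10
            keys[-1]["fingerprint"] = fields[9]
        elif rtype == "uid" and keys:          # user ID record: field 10
            raw = unescape(fields[9])
            m = UID_RE.match(raw)
            keys[-1]["uids"].append({
                "raw": raw,
                "name": m.group("name").strip() if m else raw,
                "comment": m.group("comment") if m else None,
                "email": m.group("email") if m else None,
            })
    return keys


def visible_identities(text):
    """Every (key ID, name, email) a recipient of the exported public key would see."""
    return [(k["keyid"], u["name"], u["email"])
            for k in parse_listing(text) for u in k["uids"]]
```

Feed it real output with `parse_listing(subprocess.check_output(["gpg", "--with-colons", "--list-keys"], text=True))` to see exactly which names and addresses your own public key reveals.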

#5 2018-04-24 15:14:09

LithoUser
Member
Registered: 2016-11-17
Posts: 139

Re: [SOLVED] GPG principles

OK, this is far more clear now. Thank you everyone for your explanations! My goal was to encrypt a few files locally, and I've done this successfully. I've been able to test the creation of a few keys, edit them, delete them, and now I'm proud of myself ;) Thanx!
