Re: [Protux-devel] Savannah is Back!!

[rsff]

Luciano,

GPG is the open source version of PGP. Which stands for Pritty Good
Privacy. It was a new method of encryption designed around the 90's by
this american guy whose name I forget, where basically, you make a
public-key and a secret key. It was considered a threat by the american
government because it uses some algorhythms which make it nearly
impossible to break. Using this method you also don't have to share a
password, which means that if the person doesn't give you the password
you might never see the message.

It works like this: you generate a public-key which is the recipy for
making encrypted files that only that respective secret-key can decript.
For example, at the bottom of my message there will be my public key.
With that, you can encrypt a message which only the secret-key that I
have will be able to decrypt. Similarly, if I wanted to send Martin an
Encrypted message, I need his Public-Key, and then I can send him a
message that only Marting can decrypt -- not even I can decrypt my
message to him. (BTW, you can also encrypt messages for more than one
person. but you have to have all of their Public-Keys!)

However, you still have to ensure that the public-key you are using is
the authentic one (so you don't send an encrypted message to the wrong
person!). For that, we use signatures and trust-ownership. I have a
key-pair (secret + public keys) which is signed by Martin. So if you
trust martin's signature, you can trust my own public-key. He garantees
that my keys are mine. 

There are also two other things to consider: distribution of 
public-keys are done throught either emails messages, home pages, or you
can look them up in key-servers, where you can get/sent public-keys. The
only problem with that is that, should a key be compromised, you need to
invalidate that key. For that there is a revoke-key, which should also
be generated when you generate a new key. Store both the secret-key AND
the revoke key in safe place where people can't get.

The main difference between GPG and PGP is that PGP uses a proprietary
algorythm called IDEA. But I have no idea what the advantage /
disadvantage of IDEA is. So don't ask me about it. 

They both allow you to encrypt in two ways. Either Armored, or
Clearsigned messages. In Armored messages you will have an apparently
garbled text message that you can't read unless you decrypt the whole
this. Whereas Clearsigned messages are normal text messages which are
signed, similar to what Martin sends to the list. That signature
garantees the message is authentic because it considers all of the
written text in order to sign it. So if somebody tampers with the text,
it will no longer be a valid text-message, and you can verify it (in
fact, Kmail does this automatically.)

GPG and PGP also support compression and encryption of binary files,
althought those will probably not be used by us. Compression of text
files is done automatically when the messages are big. Binary include
any other kind of file which is not a text message.

Lastly, I can't forget to tell you that Kmail supports all this
automatically. All you have to specify is which GPG Secret Key is the
default one for each email. It can be the same one for all emails. In
order to send clearsigned text, you have to ask to sign the message, and
if you want to send encrypted messages you can either encrypt and
copy/paste the message into the body of the text, OR you can especify to
encrypt the message (You need to have that person's public-key in your
database in order to do this. I think the email also has to match the
GPG-database one too. 

For a GUI-Front-end you might also try http://devel-home.kde.org/~kgpg/,
or even SeaHorse (Althought, Searhorse has a GNOME interface.). You
might also look in to http://www.gnupg.org/

Fabio.
PS: If you have any other questions, send to the list. Martin and I will
probably be able to answer it. 
PPS: Please guys, send you public keys and upload so we may all sign
them too. You also might consider putting your public-key in
www.keyserver.net. Don't forget to keep a copy of your revoke-key and
secret-key in a safe place. Public keys are easy to find if you loose
them. If you loose your secret-key you might need to revoke it, and
no-one will have your secret-key, or your revoke-key for you....

-- 
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.3 (GNU/Linux)

mQGiBD3qpdMRBAD1bLmdtz20bPeGGmcyKoKrGYINiSWV9MZmHbCv1aY5Cin8BEry
IUr033v7t8eBgVSbOWidHsL4kjjqxGeZIDH6RZD0t8SfNvRgyawFCChjh5i+LHIJ
2cEy6F1p2RVDTZGC2u4lH9f6+OsQ+J1LY0E5GlZrUgo7xrYrEYXXLFBGywCgzvFR
d+MG8gOYpT7epfICDob08MkD/AsLF8+ItdLEkqW/RL7z6Bh8pgckuKbqArkZEs6D
R8laZ6WnNGssrpN7Vl/dwZ74hQ4Zwe31/HWE1UqcrHMVYYUcb+krpsUKLxqilonk
RpS4acl58mYl4hXeOcpncGeQCl2FKrD+abOQuHtNLySypyaFfhg8yL8tBYPw3b8C
AegcA/0R5AVMo+6Wjw9yrmchoVCg9SfNYvwC+fAS5eUCcYw1/Ilv02nlr3wMTlA5
hcPMthllV53pA+yns+jxVMFZw+Reske9dJA7PjCsPwsnOU12JGYMYAChcYqs0vOh
l0S25Z3nZuZhcB7NiVhxn6FuSTgIRW73/kJWxJqMl2M+dngu1LQxRmFiaW8gZG9z
IFNhbnRvcyAoMDEvMTIvMjAwMikgPHJzZmZAc29mdGhvbWUubmV0PohZBBMRAgAZ
BQI96qXTBAsHAwIDFQIDAxYCAQIeAQIXgAAKCRA1TTA9IUpmFQmFAJ9ket2SeB+x
wttd24U62oKurhRVmACgifbn68xj8uKdPUXIXZeuxANgtIyIRgQSEQIABgUCP+hg
1wAKCRAQ1lvymUYUtPbKAJ4kZlTarwe/zkN/hTpEL1s1jCA1uACfaRgN2CvPbzD3
P/+l0El2ioKfOZC5AQ0EPeql1xAEANLaEW0nUyId9dYqBs3DrEWAMyGa17hgqckS
CHhFtr355Nlbo99uEjcDCR+77ZEGKoU+2bIStDcRYAeBBJO/kJQWNj/X8iDxPRUW
kvLmJk/bh4h5tcUa4gVZyF9rKDDnuKdDe8ZXPFLNJv41JTZ2ZVgnuS0VLRQgqCyW
/K6OxgXrAAMGA/9WXMUjmHjqT1vVlTrpVQI6vBkcRMNSFMTf7b86qlO8i5VFbTnM
wbzPpx3UjGbj1+DgmoT/IqJag5ae/QUbCiIQ8MS90OimwgA54VobmBPiwA1xgxUQ
WSgG5fOHtXOtTU0Dj4YDQgb3s5YZRw3DX6CDk4MT6Dkix0oX6YNbLX4gw4hGBBgR
AgAGBQI96qXXAAoJEDVNMD0hSmYVboUAoKm8Q4fy1A5j6AkV/XXcppYZV4rpAKDB
L2UEmeaU+wjz62E4TWtivcaayw==
=6/6z
-----END PGP PUBLIC KEY BLOCK-----

signature.asc
Description: Esta é uma parte de mensagem assinada digitalmente