Re: [Protux-devel] Savannah is Back!!


From: Luciano Giordana
Subject: Re: [Protux-devel] Savannah is Back!!
Date: Sun, 28 Dec 2003 17:36:13 -0200
User-agent: KMail/1.5

Thanks Fabio, I am pretty new to this, and still confused, but things are 
getting clear. Your text helped a lot.

On Sunday 28 December 2003 05:06 pm, rsff wrote:
> Luciano,
>
> GPG is the open source version of PGP. Which stands for Pretty Good
> Privacy. It was a new method of encryption designed around the 90's by
> this American guy whose name I forget, where basically, you make a
> public-key and a secret key. It was considered a threat by the American
> government because it uses some algorithms which make it nearly
> impossible to break. Using this method you also don't have to share a
> password, which means that if the person doesn't give you the password
> you might never see the message.
>
> It works like this: you generate a public-key which is the recipe for
> making encrypted files that only that respective secret-key can decrypt.
> For example, at the bottom of my message there will be my public key.
> With that, you can encrypt a message which only the secret-key that I
> have will be able to decrypt. Similarly, if I wanted to send Martin an
> Encrypted message, I need his Public-Key, and then I can send him a
> message that only Martin can decrypt -- not even I can decrypt my
> message to him. (BTW, you can also encrypt messages for more than one
> person, but you have to have all of their Public-Keys!)
>
> However, you still have to ensure that the public-key you are using is
> the authentic one (so you don't send an encrypted message to the wrong
> person!). For that, we use signatures and trust-ownership. I have a
> key-pair (secret + public keys) which is signed by Martin. So if you
> trust Martin's signature, you can trust my own public-key. He guarantees
> that my keys are mine.
>
> There are also two other things to consider: distribution of
> public-keys is done through either email messages, home pages, or you
> can look them up in key-servers, where you can get/send public-keys. The
> only problem with that is that, should a key be compromised, you need to
> invalidate that key. For that there is a revoke-key, which should also
> be generated when you generate a new key. Store both the secret-key AND
> the revoke key in a safe place where people can't get.
>
> The main difference between GPG and PGP is that PGP uses a proprietary
> algorithm called IDEA. But I have no idea what the advantage /
> disadvantage of IDEA is. So don't ask me about it.
>
> They both allow you to encrypt in two ways. Either Armored, or
> Clearsigned messages. In Armored messages you will have an apparently
> garbled text message that you can't read unless you decrypt the whole
> thing. Whereas Clearsigned messages are normal text messages which are
> signed, similar to what Martin sends to the list. That signature
> guarantees the message is authentic because it considers all of the
> written text in order to sign it. So if somebody tampers with the text,
> it will no longer be a valid text-message, and you can verify it (in
> fact, Kmail does this automatically.)
>
> GPG and PGP also support compression and encryption of binary files,
> although those will probably not be used by us. Compression of text
> files is done automatically when the messages are big. Binary files include
> any other kind of file which is not a text message.
>
> Lastly, I can't forget to tell you that Kmail supports all this
> automatically. All you have to specify is which GPG Secret Key is the
> default one for each email. It can be the same one for all emails. In
> order to send clearsigned text, you have to ask to sign the message, and
> if you want to send encrypted messages you can either encrypt and
> copy/paste the message into the body of the text, OR you can specify to
> encrypt the message (You need to have that person's public-key in your
> database in order to do this. I think the email also has to match the
> GPG-database one too.)
>
> For a GUI-Front-end you might also try http://devel-home.kde.org/~kgpg/,
> or even SeaHorse (Although, SeaHorse has a GNOME interface.). You
> might also look in to http://www.gnupg.org/
>
> Fabio.
> PS: If you have any other questions, send to the list. Martin and I will
> probably be able to answer it.
> PPS: Please guys, send your public keys and upload so we may all sign
> them too. You also might consider putting your public-key in
> www.keyserver.net. Don't forget to keep a copy of your revoke-key and
> secret-key in a safe place. Public keys are easy to find if you lose
> them. If you lose your secret-key you might need to revoke it, and
> no-one will have your secret-key, or your revoke-key for you....

-- 
Best Regards
--
Luciano Giordana
Free Software Developer / Musician
Project Protux : Professional Audio Tools for GNU/Linux
http://www.nongnu.org/protux
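
The clearsign tamper check and the revocation certificate described in the quoted explanation above, as an added example that is not part of the original thread. It assumes GnuPG 2.1 or later on the PATH and uses a constructed identity (demo@example.org) and a constructed message in a throwaway keyring.

```shell
#!/bin/sh
# Added example. Uses a disposable keyring, so ~/.gnupg is never touched.
demo_setup() {
  GNUPGHOME=$(mktemp -d) && export GNUPGHOME && chmod 700 "$GNUPGHOME" || return 1
  # Constructed identity, 1-day expiry; the empty passphrase is acceptable
  # only because this key is thrown away at the end of the demo.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo User <demo@example.org>' default default 1d 2>/dev/null
}

key_fingerprint() {
  gpg --batch --with-colons --list-keys demo@example.org 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

sign_clear() {  # $1 = plaintext file, $2 = clearsigned output file
  gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
      --local-user demo@example.org --output "$2" --clearsign "$1"
}

sig_status() {  # prints "good" or "bad" for a clearsigned file
  if gpg --batch --verify "$1" 2>/dev/null; then echo good; else echo bad; fi
}

run_demo() {
  demo_setup || { echo "setup-failed"; return 1; }
  work=$GNUPGHOME
  printf 'Meet at 10:00 on Friday.\n' > "$work/msg.txt"   # constructed message
  sign_clear "$work/msg.txt" "$work/msg.asc" || return 1
  # Simulate tampering in transit: one word of the signed text changes.
  sed 's/Friday/Monday/' "$work/msg.asc" > "$work/tampered.asc"
  original=$(sig_status "$work/msg.asc")
  tampered=$(sig_status "$work/tampered.asc")
  # GnuPG 2.1+ stores a revocation certificate when the key is created.
  if [ -s "$work/openpgp-revocs.d/$(key_fingerprint).rev" ]; then
    rev=present
  else
    rev=missing
  fi
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "original=$original tampered=$tampered revocation-cert=$rev"
}

if command -v gpg >/dev/null 2>&1; then run_demo; else echo "gpg not found" >&2; fi
```

On a real key, the `.rev` file under `openpgp-revocs.d` is the item to copy to offline storage alongside the secret key.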



