-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Lawrence Chin wrote:

> After being too busy, I'm back with questions and questions....

It seems a lot of people are busy; I have seen little traffic in the last 2 days... So I will dare to try to answer some of your questions... but remember I am not an expert, and my answers are "as far as I know" or "if I understood it right...". If someone else replies something different, probably that is the good answer (and mine is the wrong one)...

> I'm using openoffice.org writer. I don't know how many of you are
> familiar with it. My first question is:

I know it... but I am still learning how to use it.

> (1) I notice that openoffice writer allows you to digitally sign the
> document created. But I already noticed that I can sign and encrypt any
> document I have created with GPGEE's context menu. Are the two really
> the same thing?

No, they are 2 different kinds of signatures. As far as I know, there are 2 "families" of certificates/signatures. One is X.509 certificates, used for SSL (to use https "secure" connections); these certificates allow you to sign files and encrypt data. Usually, they are issued by a CA (see http://en.wikipedia.org/wiki/Certificate_authority for details). Basically, there is an organization that has its own private key, and it uses it to sign certificate requests from people (or organizations). They must verify the identity of the people requesting the certificate before issuing the certificates. If they have a good policy about how to verify these identities, and they manage their key in a secure way (to avoid it being stolen), they can make browser manufacturers consider them trustworthy, and they will include their "root certificate" in the browser's list of "trusted CAs". So, basically, if I sign a message with my certificate issued by Thawte, your browser or email client will see my signature, it will see it was signed by Thawte, and it will check if Thawte is in its "trusted" list. And it will trust I am who I say I am, because it trusts Thawte.

It is something like asking: "Daddy, can I go to play with that man?" "Yes, son, you can, because I know him, and I think he is not a bad guy."

That is the kind of certificate OpenOffice needs to sign files. Thawte issues free certificates for email encryption (and surprisingly, they can sign files too; I just tried with mine, and it worked). The only thing Thawte knows about me is my email address; any other info I gave them can be false, they didn't verify it (and for that reason, they didn't include my name in my certificate, because they are not sure if I told them the truth). If I use their mechanisms to be verified, then I could ask them to give me a certificate with my name on it.

GnuPG works in a different way, and with a different kind of certificates. There is no "daddy" saying who you can trust; you must verify the identity of the people by yourself. But if you trust one of your contacts is who he claims to be, and if you trust he really cares about other people's identity before signing their keys, then you can trust that people using keys signed by your contact are also who they claim to be. This is like asking your friends if you can trust somebody. If they know him, and they trust him, you can say "the friends of my friends are my friends too" and trust him... or you can say "my friend, I know you very well, and I trust you, but I know you trust other people too easily... so don't be offended, but I need more info before deciding I can trust your friend". This is a very simplified explanation about how this works; there are a lot more things to know, but I think it is enough to notice the difference between the 2 systems.

Both kinds of certificates follow a different standard, and they are not compatible, so an OpenPGP key can't be installed to be used directly with OpenOffice. But GnuPG can sign files, so you can write the document, save it, and sign it using GnuPG. OpenOffice won't detect the signature, but you can check it externally (using GnuPG) and be sure the file has not been modified.

> (2) In the "help" file of openoffice.org, it says:
>
> "When you receive a signed document, and the software reports that the
> signature is valid, this does not mean that you can be absolutely sure
> that the document is the same [as] that [which] the sender has sent.

I am not sure if that is true... The signature should be able to prove the file was sent by the guy that holds that certificate... the problem is to know if that sender is who he is claiming to be... If you don't trust the CA that issued the certificate used to sign the file, you can't trust the signature.

> Example: Think about someone [who] wants to camouflage his identity to
> be a sender from your bank. He can easily get a certificate using a
> false name, then send you any signed e-mail pretending he is working for
> your bank. You will get that e-mail, and the e-mail or the document
> within has the "valid signed" icon. Do not trust the icon. Inspect and

Well, I can ask for a free domain and a free host, and make an email account like [EMAIL PROTECTED] and get a certificate issued to that account, and the messages signed by that certificate will show a good signature, since the signature is not broken... but if you take a look at the signature, you should notice your real bank domain doesn't end with ".co.cc", but with ".com", so you would know I am trying to impersonate your bank manager... and that is the reason why the help file asks you to read the certificate details, and not to trust the signature just because it is not broken. With GnuPG it would be harder to fake an identity, since the only trusted signatures are the signatures made with keys that you, or the people you trust to check identities, have signed. You would say "hey, nice signature... but I don't know you, so go scam someone else".

> used. You must ensure that the files that are in use within your system
> are really the original files that were supplied by the original
> developers. For malevolent intruders, there are numerous ways to replace
> original files with other files that they supply."

Yes, sure... with so few system files in Windows, it should be easy to check them one by one to be sure they are not fake... since I have just 5260 files in my system32 folder, supposing I need just 20 seconds to check each one, it would take just 29.2 hours, without stopping even to go to the bathroom... Sure, I can run an antivirus, but there is no guarantee it would discover the fake files...

> I have very little idea even til now as to what exactly certificate

They do almost the same thing the GnuPG public key does, and since your own certificates include the private key, they do, for you, almost the same thing as your own GnuPG keys do. But they do it in a different way.

> does. I suppose I get a certificate with CaCert to validate my identity
> and then get them to sign my keys? But what's the "Windows system of

They would sign your certificate request (your X.509-compliant public key). They also have OpenPGP keys, but I am not sure what you need to do to make them sign your GPG keys.

> validating a signature"? (I use Vista and IE) On the "Certificates"

I don't really know; I didn't even know how to make OpenOffice use my certificate to sign files... until I started replying to this message, and I checked the help file you talk about. Now I have already signed my first document :D

> windows in the "internet options" in my IE 7 browser, I saw that there
> are a lot of certificates of big companies listed in "trusted root
> certificate authorities" and "intermediate certification authorities",

That is the list of valid companies that are supposed to verify people's identity carefully before signing their certificates. CAcert is not included by default in that list... and it is harder to get a certificate capable of signing files from them than from Thawte, which is included by default in most browsers...

> but none in "other people" and "personal". I suppose if I can get a
> x.509 through CaCert, then I would put that x.509 in "personal"? Is that
> right?

That is right, but you also need to import the CAcert root and intermediate certificates, because they are not pre-loaded in Windows, or in Firefox, or in Opera... They are trying to be included in the main browsers, but it takes time, effort, and money... and since CAcert is non-profit...

> I got more questions.
>
> (3) To tell you guys the truth, I don't even know where my private keys
> and my key ring are stored in my computer. Do you guys know the possible
> file names and path?

secring.gpg, pubring.gpg and trustdb.gpg. But I don't know where they are located in your computer... I installed GnuPG with default options, and it placed them in a different place than where they were supposed to be (according to some replies about the subject I have seen).

> (4) And -- I know this question must have been asked 100 times already
> here, but I want to ask instead of spending the next 3 hours doing
> research -- how exactly to save my private keys onto like a USB drive or
> a CD?

I don't really know that one... you can export your key (for backup purposes), or you can just copy the whole keyrings onto the USB drive or CD... if you want to do the second option, search for the files secring.gpg, pubring.gpg and trustdb.gpg and copy them to a safe place. If you want to back up just your keys, use Enigmail's Key Manager (and create the revocation certificates too... BUT NEVER IMPORT THEM (the revocation certificate) unless you really need to do it... there is no confirmation, as far as I remember... and if you make a mistake and import it, DON'T UPLOAD IT to the keyserver, or your key will be revoked and there is no way to un-revoke it. If you have a backup of your key, delete the revoked key from your keyring, and import the backup. If you don't have a backup... ask for help here, maybe somebody knows how to "un-revoke" it in your keyring... but once you upload a revoked key to a keyserver, the key is revoked and nothing will change that (unless the server explodes before being able to propagate the key).

> (5) How to add an additional UID to my kurt c key on the keyserver? I
> want to add my real name to it.

You need to add a UID to your key, and then upload your public key again... for details about how to do it, RTFM... (just joking), to tell you the truth, I don't remember how to do it, but I bet I can get the answer in 3 minutes. Ok, it should be like this:

    c:\> gpg --edit-key AE235FTZ0      (your key's number)
    gpg> adduid

and fill in the fields gpg will show you. To save the changes, you need to enter the command 'save'; if you just enter 'quit' the changes won't be saved. I think maybe you would like to set the new UID as primary UID for the key... but maybe it would be done automatically, since it would be the most recent (the last added). If it is not done... this is just a 'guess', I have not tried it... but I think you would need to:

    c:\> gpg --edit-key AE235FTZ0      (your key's number)
    gpg> uid n                         (instead of n, put the number of the UID you want to be the primary one)
    gpg> primary

Don't forget to 'save' (without the '' signs) before quitting...

> Thanks for helping out an idiot here.

Nobody was born knowing things (other than how to cry, how to drink milk, and how to... well, that is a body function...). I have asked almost exactly the same questions (and I hope I could recall the answers correctly) about 3 months ago... and I am still learning the basic stuff...

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCAAGBQJI3dLtAAoJEMV4f6PvczxAlFsH/jmZ+1ieuZTSbwV0d0wlGkHD
XQUNL+6uAFt2g+RKyY/RJcRAvXzsWL3DMv3/u5KtAQhjMes7SC5pnKSRlaEXXuSi
GM4GB4Dkcm3W2mdR1FVR8tAAHbiVwdAG5+Fx8KcPTmkIZ5Z8sZLgbABCXLx/zFNj
X8Z9Z550tx+NpJHryIlWyq8e/J+ca+B3NxvNqMkMqE26nIotaA5yL5ydlJS+oAcH
7+/wHHkMitONemVtSedfhP/D+0w4+d07+4NqRQ5KEVYFJ9wPUq108OtlMa6PY1dv
MjGJw0BEmSGo1mjyptPH7OZ5DwC7GwzlBADWRiX+zzWFfGueG1YpVDQKWarhDBQ=
=NEVN
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
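The key-management steps from points (3), (4) and (5) of the reply above, together with the "sign it with GnuPG and check it outside OpenOffice" idea from point (1), as an added worked example that is not part of the original post and is not code from GnuPG, Enigmail or OpenOffice. It assumes GnuPG 2.1 or later on the PATH (the --quick-* commands do not exist in the 1.4.9 the poster was using; there only the interactive --edit-key route shown in the reply applies), a POSIX shell, a constructed user ID (kurt@example.invalid) and a constructed text file standing in for a saved Writer document. Everything happens in a temporary GNUPGHOME, so the real keyrings are never touched.

```shell
#!/bin/sh
# Added example for this thread; not code from the original post, GnuPG or
# OpenOffice. Walks through points (3), (4) and (5) and the "sign with GnuPG,
# verify outside OpenOffice" idea from (1). Needs GnuPG 2.1+ on the PATH.
# Everything happens in a throw-away GNUPGHOME, so your real keyrings are
# never touched.
set -eu

GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Constructed identities; the address is the selector for every later command.
ADDR='kurt@example.invalid'
UID_SHORT="Kurt C <$ADDR>"
UID_FULL="Kurt Fullname <$ADDR>"   # stand-in for the poster's real name

# Unattended gpg: the test key gets no passphrase, so nothing ever prompts.
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# (3) Where are the keyrings? gpg prints its home directory in --version.
gpg_home() { gpg --version | sed -n 's/^Home: //p'; }

make_key() { g --quick-gen-key "$UID_SHORT" default default never >/dev/null 2>&1; }

# (5) Add a second user ID carrying the real name, then make it the primary one.
add_real_name_uid() { g --quick-adduid "$ADDR" "$UID_FULL" >/dev/null 2>&1; }
set_primary_uid() {
    # The same commands you would type at the gpg> prompt, fed on stdin.
    printf 'uid 2\nprimary\nsave\n' | g --command-fd 0 --edit-key "$ADDR" >/dev/null 2>&1
}
# Number of user IDs on the key (colon listing: one 'uid:' record each).
uid_count() { gpg --with-colons --list-keys "$ADDR" 2>/dev/null | grep -c '^uid:'; }

# (4) Back up: one armored file holding the public and the secret key, which
# can be copied to a USB drive or CD. The key stays in the keyring; only a
# copy leaves.
backup_key() { g --armor --export-secret-keys "$ADDR" > "$1"; }

# Restore the backup into a fresh keyring (a second temporary GNUPGHOME) and
# print how many secret keys it holds afterwards.
restore_and_count() {
    home2="$(mktemp -d)"; chmod 700 "$home2"
    GNUPGHOME="$home2" gpg --batch --import "$1" >/dev/null 2>&1
    GNUPGHOME="$home2" gpg --with-colons --list-secret-keys 2>/dev/null | grep -c '^sec:'
    GNUPGHOME="$home2" gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$home2"
}

# (1) Sign a saved document with a detached signature (letter.odt.sig next to
# it) and verify it with gpg: exit status 0 means the bytes are unchanged and
# the signing key is in this keyring. OpenOffice never sees this signature.
sign_document() { g --detach-sign --output "$1.sig" "$1"; }
verify_document() { gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1; }

# Run the whole sequence and return a one-line summary of what happened.
walkthrough() {
    doc="$GNUPGHOME/letter.odt"   # constructed stand-in for a Writer file
    printf 'Dear reader, this stands in for a saved Writer document.\n' > "$doc"
    make_key
    add_real_name_uid
    set_primary_uid
    backup_key "$GNUPGHOME/kurt-backup.asc"
    sign_document "$doc"
    verify_document "$doc" && fresh=ok || fresh=bad
    printf 'one extra line\n' >> "$doc"   # any change at all breaks the signature
    verify_document "$doc" && tampered=ok || tampered=bad
    printf 'uids=%s restored=%s fresh=%s tampered=%s\n' \
        "$(uid_count)" "$(restore_and_count "$GNUPGHOME/kurt-backup.asc")" \
        "$fresh" "$tampered"
}

cleanup() { gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"; }

# Stand-alone use: sh gnupg-walkthrough.sh run
if [ "${1:-}" = run ]; then
    echo "keyrings for this run live in: $(gpg_home)"
    walkthrough
    cleanup
fi
```

Run it as `sh gnupg-walkthrough.sh run`; the summary line should read `uids=2 restored=1 fresh=ok tampered=bad`. Two caveats for anyone following the reply with a current GnuPG: since 2.1 the secret keys are no longer in secring.gpg but in the private-keys-v1.d directory (and the public keyring is pubring.kbx), so "copy the whole keyrings" means copying the whole GnuPG home directory, and `--export-secret-keys` as above is the safer backup; and 2.1+ writes a revocation certificate automatically into openpgp-revocs.d inside that home directory when a key is created, which is exactly the file the reply warns you never to import unless you mean it.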