17 06 | 2013

Encryption without a certification layer is (partly) useless

Written by Tanguy

Classified in : Homepage, Debian, Grumble

With the PRISM scandal, there has been some talk about encrypted communication systems. For instance, BitMessage is often introduced as an easy and secure message system, that would allow you to communicate with no possible eavesdropping. Apple is also making similar claims about their systems iMessage and FaceTime.

This is a good time to remind this: without direct contact or a certification layer, encryption systems are not secure! Or at least, not as secure as you would expect, as they do allow some kind of eavesdropping.

Read more Encryption without a certification layer is (partly) useless

27 05 | 2011

PGP signatures with trust and verification level

Written by Tanguy

Classified in : Homepage, Debian, To remember

Identity checks and trust

Saint Peter's key, detail from a stone statue

The OpenPGP web of trust is composed of keys linked to each other by two things:

  • identity checks: signing a key means that you verified the link between a key with user IDs, an official identity document with a photograph, and a person with a face;
  • trust: on your public key ring, you manually decide who you trust to correctly check other people's identity.

With these two pieces of information, GnuPG is able to determine whether or not the key of someone you never met can trusted to belong to its alleged owner.

Signatures

Signing a key is usually a binary action: either you sign it or you do not sign it. Thus your signature on a key will give other people a rough identity check information and no trust information at all.

In fact, the OpenPGP standard does allow to publish precise identity check and trust information on signatures, but unfortunately this is now enabled with GnuPG by default. These features are called certification level and trust signatures.

Read more PGP signatures with trust and verification level

Archives