OpenPGP and email: Email from beyond your Web of trust

PGP & GPG: Email for the Practical Paranoid Michael W. Lucas 216 pages; $24.95 No Starch Press

People across the world use OpenPGP, and you don't know all of them. Chances are that your keyring will start off populated with keys for friends and coworkers, and slowly grow as you communicate with more OpenPGP users. If you receive an encrypted email from a country on the far side of the world, however, it's quite possible that you will have nobody in common and hence you won't really be able to truly verify their identity. What do you do?

One possibility is to use only the corporate PGP keyserver and only correspond with people who use that keyserver. PGP Corporation's keyserver signs public keys after it verifies the email address they're attached to. However, OpenPGP is called "open" because anyone can implement it, and you can't control who will send you email any more than you can control who sends you postcards. I correspond with people all over the world who use OpenPGP, and quite a few have public keys that aren't even vaguely hooked into my Web of Trust. How can I trust them? Here are my three choices:

More Information Download the full chapter to learn more about OpenPGP. Visit our Email Security All-in-One Guide to learn how to secure email systems and maximize your email security efforts.

• Expand my Web of Trust


• Trace the Web of Trust to that person


• Use the key but limit my trust of the sender

Expanding Your Web of Trust

The most correct answer is to expand your Web of Trust. Exchange signatures with more people, even people with whom you're not likely to exchange encrypted mail. More people than you suspect travel between companies, countries, continents, and cultures. Sign their keys and have them sign yours, which will embed you more deeply in the Web of Trust, making it easier for you to reach others and for others to reach you. This takes time, however, and if you receive a mysterious email you don't want to wait weeks or months to read it.

Tracing the Web of Trust

Search Google for "PGP pathfinder" and you'll find any number of websites in which you can trace the path through the Web of Trust between any two OpenPGP keys available on public keyservers. These sites use the keyid for the two keys involved (remember, the keyid is just the last eight characters of the fingerprint). The more paths that exist through different people, the more likely I am to trust that key. Having had my key signed at a couple of different keysigning parties, I would expect to have several paths to anyone in the Web of Trust. For example, suppose that after publishing this book I get an email from someone who claims to be Phil Zimmermann, the original creator of PGP. The keyid of the message sender is B2D7795E. I can grab Phil Zimmermann's public key from a keyserver, or from his Web page, but it's possible that someone uploaded a bogus key for him just to fool people like me.

I visit the Web of Trust pathfinder at www.cs.uu.nl/people/henkp/henkp/pgp/pathfinder (Google's first result) andenter the keyid of the message I received and my keyid. This server tells me that there are eight disjunct paths between this key and mine. In other words, my key is linked to the other key by eight different paths that have no people whatsoever in common.

For that key to be fake, the faker would have had to fool a whole lot of people. Although I have never met Phil Zimmermann, I would believe that this key is legitimate. (If the only path had been through one of my incorrigible practical joker friends, or if there had only been one path, I would have been far more suspicious and infinitely less trusting.) Most of these Web of Trust tracing programs are based on wotsap, a freely available Python program designed to trace relationships between keys. Wotsap is available at many Internet sites; if you're seriously interested in analyzing the Web ofTrust, I suggest you start there.

Want to learn more about OpenPGP? Download the full chapter to learn more about its benefits.

BROWSE BY TAG Application and Platform Security,   Email Protection,   Email Security Guidelines, Encryption and Appliances,   Information Security Bookshelf ,   Application Security,   PGP & GPG: Email for the Practical Paranoid,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

<< PREVIOUS | NEXT >>

VIEW ALL IN THIS CATEGORY

RELATED CONTENT Email Security Guidelines, Encryption and Appliances How to confirm the receipt of an email with security protocols Best Email Security Products Can an IP spoofing tool be used to spam SPF servers? WatchGuard acquires email and Web security vendor BorderWare McAfee to acquire email SaaS vendor MX Logic What does 'invoked by uid 78' mean? How to configure firewall ports for webmail system implementation Fierce competition prompted new Cisco email security options Cisco brings email security appliances closer to SaaS Cisco offers more email security choices, but lacks vision

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary asymmetric cryptography  (SearchSecurity.com) challenge-response system  (SearchSecurity.com) cryptographic checksum  (SearchSecurity.com) data encryption/decryption IC  (SearchSecurity.com) elliptical curve cryptography  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) MPPE  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) session key  (SearchSecurity.com) Twofish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary