PGP key management is built on the principles of trust and validity.
Before adding a key to your public key ring, you want to make sure
that it's not from someone posing as the sender. If I want to
intercept mail going between you and your manager, I can simply pose
as your manager and send you a message saying "Here is my new public
key, please add it to your PGP public key ring." Then as I watch
messages go by, I can decrypt them using the corresponding bogus
private key. This may work once or twice, until your boss complains
that she can no longer decrypt your messages encrypted with PGP.
The questions you need to answer when adding a key are:
- Is this key valid? Is it really from the person who claims to have
- Can I trust anyone who tells me this key is valid? I may give you a
key for a mutual friend, and you decide to take my word that the key is
authentic. But the further you go in the friend-of-a-friend food chain,
the less you tend to trust people.
Would you loan your car to my best friend's friend? Even though
individual relationships are built on trust, you shouldn't feel
comfortable extending trust to an arbitrary degree of separation.
Trust and validity are established through key certification, or
signatures on keys, and key fingerprints. A fingerprint is simply a
128-bit checksum of the key. View the fingerprint of a key using the
-kvc option to PGP:
huey% pgp -kvc pubring.pgp
Key ring: '/home/stern/.pgp/pubring.pgp'
Type bits/keyID    Date       User ID
pub  1024/CA1D1839 1996/01/25 Hal L. Stern <firstname.lastname@example.org>
          Key fingerprint = E2 C4 A9 6C 5C D1 93 93 C3 0D D6 34 24 D3 55 7F
1 matching key found.
When I send you my key, I can also send you its fingerprint via
another channel: over the phone, on my Web page, or on my business
card. Compare the fingerprint PGP displays while adding the key with
the one you collected out of band; a mismatch tells you the key was
altered or substituted in transit. As long as you trust at least one of
the two channels, the one that carried the key or the one that carried
the fingerprint, you can feel comfortable adding the key to your public
key ring.
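The check described above, written out as an added example (this is not
code from the column or from PGP): pull the fingerprint out of the
`pgp -kvc` listing, normalize a value transcribed from the phone or a
business card, and compare the two. It also shows how a PGP 2.x (V3 RSA)
fingerprint and key ID are derived from the public key, using a
constructed toy modulus TOY_N and exponent TOY_E that are not a real key.

```python
import hashlib
import hmac
import re
from typing import Optional

# Fingerprint line as `pgp -kvc` prints it: 16 space-separated hex byte pairs.
FP_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2}){15})")

# Listing quoted from the column above, used as sample input.
SAMPLE_KVC_OUTPUT = """\
Key ring: '/home/stern/.pgp/pubring.pgp'
Type bits/keyID    Date       User ID
pub  1024/CA1D1839 1996/01/25 Hal L. Stern <firstname.lastname@example.org>
          Key fingerprint = E2 C4 A9 6C 5C D1 93 93 C3 0D D6 34 24 D3 55 7F
1 matching key found.
"""

# Constructed toy key material (not a real RSA modulus), only used to show
# how the fingerprint and key ID are derived from the public key.
TOY_N = (12345 << 64) | 0x1122334455667788
TOY_E = 17

def v3_fingerprint(n: int, e: int) -> str:
    """PGP 2.x (V3 RSA) fingerprint: MD5 over the raw bytes of the modulus
    followed by the exponent, without MPI length prefixes (RFC 4880),
    formatted as 16 upper-case byte pairs like the listing above."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body += e.to_bytes((e.bit_length() + 7) // 8, "big")
    digest = hashlib.md5(body).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, 32, 2))

def v3_keyid(n: int) -> str:
    """The keyID column for a V3 key: the low-order 32 bits of the modulus."""
    return f"{n & 0xFFFFFFFF:08X}"

def fingerprint_from_kvc(output: str) -> Optional[str]:
    """Extract the fingerprint PGP displayed; None if the listing has none."""
    m = FP_RE.search(output)
    return m.group(1) if m else None

def normalize(fp: str) -> str:
    """Drop spacing and case so a value read over the phone or copied from a
    business card compares cleanly against PGP's own formatting."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def fingerprints_match(displayed: str, out_of_band: str) -> bool:
    """True only if both are full 128-bit fingerprints and agree byte for byte."""
    a, b = normalize(displayed), normalize(out_of_band)
    return len(a) == 32 and hmac.compare_digest(a, b)

if __name__ == "__main__":
    shown = fingerprint_from_kvc(SAMPLE_KVC_OUTPUT)
    print("shown by pgp -kvc:", shown)
    print("matches phone copy:", fingerprints_match(shown, "e2c4 a96c 5cd1 9393 c30d d634 24d3 557f"))
    print("toy key:", v3_keyid(TOY_N), v3_fingerprint(TOY_N, TOY_E))
```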
When you add a key, PGP checks to see if it has been certified by the
presence of any digital signatures. If there are no signatures, PGP
gives you the option of certifying the key by signing it. If you do,
you are making an explicit guarantee that the key is valid; if you
later distribute that public key to a third party, he or she will see
a certified key with your signature on it.