Manlug meeting May 1999

15th May 1999, 14:00hrs

Robert Baskerville

PGP - A Short Intro (followed by keysigning)

Click on the blue graphic to the right to access the presentation slides (converted to HTML).

Summary

PGP is a tool which you can use to ensure privacy of communications and integrity of data. Privacy is achieved through the encryption of communications; integrity is proven through the use of digital signatures.

Privacy in this age of the computer is threatened as never before. Organisations (including governmental ones) now have the means to pry into our affairs.

"I've got nothing to hide, why should I be worried?" is a common reaction. Well, unless you're prepared to live in a glass house, publish all your bank statements, details of purchases, schedule of movements, all correspondence and so on, then maybe you should be worried. Your private business is just that - yours and private.

PGP was created as a tool to fight human rights violations. Amnesty International collect witness statements and are able to transport this information safely by protecting it with PGP. PGP is extremely strong; this is the sort of tool which can protect your communications from even governments and spooks.

Integrity is important when one is signing contracts electronically, or downloading programs from the internet. If an appropriate digital signature is used, it proves that the program has not been tampered with, or that the contract has been agreed to.

The short introduction to PGP will look, in a non-scary non-mathematical way, at *how* PGP works and what it can do for you.

One of the most difficult and important parts of cryptography is the management of the keys involved. Poor key management can badly compromise security.

PGP keys are not certified by some central authority - they use a "web of trust". If you can prove to me that you are who you say you are, then maybe I'll sign your key. Thus if someone trusts me, they will have confidence in your identity too.

The key signing session will involve different types of signing. Those who bring identification such as a passport plus driving licence can have their keys signed by the MC Certification Authority (or "CA") key - pgp@mcc. The pgp@mcc key is cross-certified with some other CAs and is included in the printed Global Trust Register.

Lesser forms of identification may be adequate to get your key signed by individuals present. As well as getting your own key signed, sign other people's keys - this is a web of trust, not simply some top-down system.

The signing of the keys does not actually have to take place on the spot. The combination of Key ID, Key Length, and Key Fingerprint is unique. Thus if you can provide that information along with your proof of identity, then you can have your key signed and returned by email later.
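
The deferred-signing check described above, as an added example that is not part of the original announcement or the talk's slides: it derives Key ID, key length and fingerprint from a key received by email and compares them with the details noted at the meeting. It assumes an OpenPGP version 4 RSA public-key packet (RFC 4880 layout); the function names and the sample key bytes are constructed for illustration.

```python
import hashlib
import struct

def read_mpi(buf, pos):
    """Read one OpenPGP MPI header at pos; return (bit count, offset after the MPI)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated MPI")
    (bits,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI")
    return bits, end

def key_details(body):
    """Return (key_id, bits, fingerprint) for a v4 RSA public-key packet body."""
    if len(body) < 6 or body[0] != 4 or body[5] not in (1, 2, 3):
        raise ValueError("not a version 4 RSA public-key packet")
    n_bits, pos = read_mpi(body, 6)   # modulus n: its bit count is the key length
    _, pos = read_mpi(body, pos)      # public exponent e
    if pos != len(body):
        raise ValueError("trailing bytes after key material")
    # v4 fingerprint: SHA-1 over 0x99, the 2-byte body length, then the body
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    fpr = digest.hexdigest().upper()
    return fpr[-16:], n_bits, fpr     # Key ID is the low 64 bits of the fingerprint

def norm(hexstr):
    """Drop spaces, colons and a 0x prefix so printed forms compare equal."""
    s = "".join(hexstr.split()).replace(":", "").upper()
    return s[2:] if s.startswith("0X") else s

def safe_to_sign(body, slip_key_id, slip_bits, slip_fpr):
    """True only if all three details from the paper slip match the emailed key."""
    key_id, bits, fpr = key_details(body)
    kid = norm(slip_key_id)           # slips may carry the short (32-bit) Key ID
    id_ok = len(kid) in (8, 16) and key_id.endswith(kid)
    return id_ok and int(slip_bits) == bits and norm(slip_fpr) == fpr

# Constructed sample key material (not a real key): 1024-bit modulus, e = 65537
SAMPLE_N = bytes([0xC3]) + bytes(range(1, 128))
SAMPLE_BODY = (b"\x04" + struct.pack(">I", 926776800) + b"\x01"
               + struct.pack(">H", 1024) + SAMPLE_N
               + struct.pack(">H", 17) + b"\x01\x00\x01")

if __name__ == "__main__":
    print(key_details(SAMPLE_BODY))
```

A mismatch in any one of the three values means the key that arrived by email is not the key whose owner showed identification, so it should not be signed.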

This will probably all seem a little weird to some of you! Come along, find out about PGP. Equip yourself with the knowledge which will allow you to take responsibility for your own privacy. Use and understand the freedom to encrypt before anyone attempts to take that freedom away from you.