
SECENG module Seminar 4 Group Project

Continue your PGP project. This week, we will concentrate on the following part: digital signatures and certificate chains. Try posting messages signed with your private key and ask your colleagues to verify whether your signature on the message is valid (the message should not be encrypted, that is, the format is: clear message, signature on the message).

Please note that the following description is only valid for PGP 7.x. If you are using PGP 9.0 or GnuPG, you should try the approach at the end of this message.

We have talked about CAs (certificate authorities) in several places. The PGP trust model is different from the CA trust model. When you open PGPKeytools, you will find that for several public keys you have imported, the small ball under the “validity” item is not highlighted (green). This means that these public keys are not “valid” according to current certificate chains (the impact is: when you verify a signature using that public key, you will get a message like “valid signature with an invalid key”). If the ball for your own public key is not green, you may right-click your key and choose "key properties". Under "Trust Model", choose "Implicit trust". Then your key should be green.

Now how can we make other keys valid (green)? An obvious way is to sign that key. When you sign a key, you will see that the key is highlighted. Do we have to sign all keys to make all keys valid? The answer is NO. That is, we need to find a way to make a key highlighted (green) even though we have never signed that key. If we know that a key is really from Alice, then we can certainly click the small ball corresponding to that key and sign that key, and then we can export that public key, thus making Alice's key green. If we do not know Alice, but we know Bob in person and Bob knows Alice well, then if Bob signs Alice's key and sends the signed Alice key to us, we should trust Alice's key. This is the PGP trust model.

Practice this kind of trust model this week. In particular, do the following exercise: you sign A’s key and mark A’s key as trusted (you can do this by right-clicking A's key, choosing "key properties" and then moving the sliding bar to trust). A signs B’s key and publishes the signed key to the project folder. Check whether B’s key is valid on your screen (the small ball is highlighted). Post your screenshot to convince others that you have not signed B’s key but it is valid. Also check a message signed by B to see whether it is valid. The following is a sample screenshot. Note that Yongge Wang has not signed Ali Ahmed's key, but it is a valid key. Also note that Yongge Wang trusts Craig's key at the 50% level.

For PGP 9.0 or GnuPG: the theory is the same as the above. That is, compare what happens in the following situations:

1. Get a signature by A and check whether A's signature on one message is valid.
2. Let B sign A's key, and you sign B's key. Then check whether A's signature on one message is valid.
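
The validity rule this exercise tests, as an added example that is not part of the original assignment and is not PGP's or GnuPG's own code: a simplified model of the classic trust computation using GnuPG's documented default thresholds (one fully trusted or three marginally trusted introducers, chain depth 5). The key names `me`, `A`, `B` and the functions `valid_keys` and `verdict` are hypothetical, and the model generalizes the exercise to marginal trust.

```python
# Simplified model of PGP/GnuPG key validity (added example, not GnuPG's code).
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"
COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default for --max-cert-depth


def valid_keys(signatures, ownertrust):
    """Return {key: chain depth} for every key that is valid in our keyring.

    signatures: set of (signer, signed_key) certifications we have imported.
    ownertrust: how far we trust each key's owner as an introducer.
    """
    # Our own key ("implicit trust" in PGP 7.x) is the root of every chain.
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = {}
        for key in {signed for _, signed in signatures} - set(valid):
            # Only signatures made by keys that are themselves valid count.
            trust = [ownertrust.get(signer, NONE)
                     for signer, signed in signatures
                     if signed == key and signer in valid]
            full = sum(t in (ULTIMATE, FULL) for t in trust)
            marginal = trust.count(MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


def verdict(signer, valid):
    """Outcome of checking a cryptographically good signature made by signer."""
    if signer in valid:
        return "valid signature"
    return "valid signature with an invalid key"


# Constructed keyring for the exercise: we sign A, A signs B, we never sign B.
SIGS = {("me", "A"), ("A", "B")}

if __name__ == "__main__":
    for label, trust in [("A not trusted", {"me": ULTIMATE}),
                         ("A marginal   ", {"me": ULTIMATE, "A": MARGINAL}),
                         ("A trusted    ", {"me": ULTIMATE, "A": FULL})]:
        print(label, "->", verdict("B", valid_keys(SIGS, trust)))
```

In this model, signing an introducer's key only makes that key valid; the keys it has signed become valid once the introducer is also given owner trust, which is the difference the two GnuPG situations are meant to expose.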


David answered on Dec 22 2021
128 Votes
Abstract:
Security is the vital factor when it comes to using, selling or buying a system. It matters a lot to the users as their assets need to be kept in a trustworthy and secure place. This important issue has led researchers and security experts to explore various horizons of real-time problems, and from studying that model they get an idea that may be implemented in security issues that the computing world faces now.
Threats have increased every day, and protecting systems from those threats has also developed in a massive way. Information needs to be secured and so the user uses all technology and software to secure his assets. In order to keep track of the security provided with the information there is a need for a monitor; mitigating software and hardware to get to see how secure our system is from the threats. We used reference monitors, TPM or Palladium to keep our digital assets safe and secure from possible threats. But these threats sometimes come in from an unexpected direction, form and time. These parameters are the ones upon which all the security software works or evolves.
One way to improve and evolve the existing security software is to keep checking for activities logged by the security software, just like the checking done as to who entered and exited the premises and when, where a visitor or logging book kept at the entrance, or a look at CCTV footage logs, reports these activities. Similarly, regular monitoring by looking into the logs and reports of our system, and seeking experts to view these, will help to see how secure our system is.
The other way is to model the threats, and this threat model represents the description of the security characteristics where the possible attacks are identified. Thus the potential threats or harms may help us to define what has to be prioritized. Thus this method helps us to protect the system from all three unexpected dimensions or corners: time, form and direction. This uses all security expertise available now, improves it as well...