Changes between Version 60 and Version 61 of doc/TorifyHOWTO/GnuPG


Timestamp:
Mar 2, 2018, 7:31:31 AM (9 months ago)
Author:
sambhav2612
Comment:

updated with grammatical errors removal

  • doc/TorifyHOWTO/GnuPG

    v60 v61  
    33'''[https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO Read first!!!]'''
    44
    5 PGP was re-invented as OpenPGP, then OpenPGP was again re-invented as GnuPG, aka GPG. GnuPG (Gnu Privacy Guard, "GPG") or PGP (Pretty Good Privacy) or OpenPGP, allows to send "signed" (integrity signature) and+or "encrypted" (confidential) email messages, and also allows to "verify" (authenticate) and "decrypt" (decipher) email messages. GnuPG/GPG/PGP also allows to "sign" and+or "encrypt" files, and can also "verify" and "decrypt" files.  There are many other use cases for GPG/PGP/OpenPGP other than this two mentioned cases, as newer edition of software now able to handle more algorithms, ciphers, etc.  Also see wikipedia [https://en.wikipedia.org/wiki/GNU_Privacy_Guard GPG] page for related info and other tools.
     5PGP was re-invented as OpenPGP, then OpenPGP was again re-invented as GnuPG, aka GPG. GnuPG (Gnu Privacy Guard, "GPG") or PGP (Pretty Good Privacy) or OpenPGP, allows to send "signed" (integrity signature) and+or "encrypted" (confidential) email messages, and also allows to "verify" (authenticate) and "decrypt" (decipher) email messages. GnuPG/GPG/PGP also allows to "sign" and+or "encrypt" files, and can also "verify" and "decrypt" files.  There are many other use cases for GPG/PGP/OpenPGP other than this two mentioned cases, as the newer edition of software now able to handle more algorithms, ciphers, etc.  Also, see Wikipedia [https://en.wikipedia.org/wiki/GNU_Privacy_Guard GPG] page for related info and other tools.
    66
    77GnuPG, GPG, OpenPGP, PGP, etc related IETF RFC list: [https://tools.ietf.org/html/rfc4880 rfc4880] (OpenPGP Message Format) (Nov 2007), [https://tools.ietf.org/html/rfc3156 rfc3156] (MIME Security With OpenPGP) (Aug 2001), [https://tools.ietf.org/html/rfc2015 rfc2015] (MIME Security With Pretty Good Privacy), [https://tools.ietf.org/html/rfc4086 rfc4086] (Randomness Requirements for Security) (Jun 2005, [https://tools.ietf.org/html/bcp106 BCP 106]), [https://tools.ietf.org/html/rfc2440 rfc2440] (OpenPGP Message Format) (Nov 1998), etc.
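Review bot: the grammar pass on line 5 is incomplete: "as the newer edition of software now able to handle more algorithms" still has no verb, and "this two mentioned cases" should be "these two mentioned cases"; suggest "There are many other use cases for GPG/PGP/OpenPGP besides these two, as newer editions of the software are now able to handle more algorithms, ciphers, etc." Also "allows to send" reads better as "allows users to send". Separately, line 7 in the same hunk lists rfc4880 as the "OpenPGP Message Format", so line 5's "OpenPGP was again re-invented as GnuPG" is misleading: OpenPGP is the message-format standard and GnuPG is an implementation of it; consider "GnuPG (GPG) is a free implementation of the OpenPGP standard, which grew out of PGP".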
     
    2626  * Otherwise it does not buy you much. Anyone can upload any key for anyone to a keyserver. Keyservers do not delete malicious keys. If you get a key from a keyserver, you still have to verify the fingerprint of the GPG key.
    2727   * You still to obtain the GPG key over a pre-shared secure channel.
    28      * TLS does not buy you much either, see first point.
     28     * TLS does not buy you much either, see the first point.
    2929     * Or you still need to use the [https://en.wikipedia.org/wiki/Web_of_trust Web of trust].
    30  * Key servers only for convenience: you only need to securely share the comparable small fingerprint of a GPG key and can download the big full blown public key from the keyserver.
     30 * Key servers only for convenience: you only need to securely share the comparable small fingerprint of a GPG key and can download the big full-blown public key from the keyserver.
    3131 * Uploading your key to a keyserver can result in receiving spam.
    3232
    3333== List of OpenPGP & X.509 Keyserver or Pool Keyservers ==
    34 PGP/OpenPGP/GnuPG/GPG 'keyserver' which supports HKPS or HTTPS, those keyservers use TLS or SSL certificate (cert) based encryption and authenticated communication.  Users who will use any type of proxy, then using encrypted connection is very important aspect for keeping data integrity intact/unmodified.  By default, HKP uses non-encrypted TCP port 11371, HKPS uses encrypted TCP port 443, HTTP uses non-encrypted TCP port 80, HTTPS uses encrypted TCP port 443.  Keyservers, which use (keyserver) domain-name owner's own created/self-signed (stand-alone, domain-issued or end-entity) server SSL/TLS cert, or keyserver which uses other free CA's (Certificate Authority), then for such cases, in client side, users need to specify such SSL/TLS certificate using the "ca-cert-file" gpg option in gpg command-line, and then users also need to specify SSL/TLS cert file's directory location & file-name. 
    35 
    36 Such SSL/TLS certificates can also be pre-specified inside the "gpg.conf" configuration file, by using the "keyserver-options" gpg option.  A keyserver can use alternate (or, a different) port, than previously mentioned network ports.  Some keyservers which support HKP, usually or may also support HTTP.  Keyservers which support HTTPS, may also support HKPS.  Keyservers, in below, which show "DNSSEC" support, their DNS data are DNSSEC-signed for enhancing connection's security, and keyserver which shows "DANE" support, they have declared/shared their SSL/TLS cert's hash or full hex code in the TLSA DNS record, so that client-side users can check if connection using a correct SSL cert or using a fake/forge SSL cert.  Keyservers which shows the word "server pool", are able to obtain key from other keyserver(s), and they sync(share) key collections with each others.
     34PGP/OpenPGP/GnuPG/GPG 'keyserver' which supports HKPS or HTTPS, those keyservers use TLS or SSL certificate (cert) based encryption and authenticated communication.  Users who will use any type of proxy, then use encrypted connection is a very important aspect of keeping data integrity intact/unmodified.  By default, HKP uses non-encrypted TCP port 11371, HKPS uses encrypted TCP port 443, HTTP uses non-encrypted TCP port 80, HTTPS uses encrypted TCP port 443.  Keyservers, which use (keyserver) domain-name owner's own created/self-signed (stand-alone, domain-issued or end-entity) server SSL/TLS cert, or keyserver which uses other free CA's (Certificate Authority), then for such cases, in client side, users need to specify such SSL/TLS certificate using the "ca-cert-file" gpg option in gpg command-line, and then users also need to specify SSL/TLS cert file's directory location & file-name. 
     35
     36Such SSL/TLS certificates can also be pre-specified inside the "gpg.conf" configuration file, by using the "keyserver-options" gpg option.  A keyserver can use alternate (or, a different) port than previously mentioned network ports.  Some keyservers which support HKP, usually or may also support HTTP.  Keyservers which support HTTPS may also support HKPS.  Keyservers, in below, which show "DNSSEC" support, their DNS data are DNSSEC-signed for enhancing connection's security, and keyserver which shows "DANE" support, they have declared/shared their SSL/TLS cert's hash or full hex code in the TLSA DNS record, so that client-side users can check if connection using a correct SSL cert or using a fake/forge SSL cert.  Keyservers which shows the word "server pool", are able to obtain the key from another keyserver(s), and they sync(share) key collections with each other.
    3737
    3838Few keyservers are listed below: [[BR]]
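Review bot: the v61 rewrite of the second sentence of line 34 is less grammatical than v60: "Users who will use any type of proxy, then use encrypted connection is a very important aspect of keeping data integrity intact" has no main clause; suggest "For users who connect through any type of proxy, using an encrypted connection is a very important aspect of keeping data integrity intact/unmodified." Line 34 also says the cert is given with "the ca-cert-file gpg option in gpg command-line" while line 36 says it is given via "the keyserver-options gpg option"; the two sentences should agree, e.g. state once that it is the ca-cert-file sub-option of keyserver-options (keyserver-options ca-cert-file=/path/to/cert). Line 36 still has "Keyservers which shows the word server pool, are able to obtain the key from another keyserver(s)", which should read "Keyservers which show the words server pool are able to obtain keys from other keyservers, and they sync (share) key collections with each other." Finally, the unchanged context line 27, "You still to obtain the GPG key over a pre-shared secure channel", is missing "need" ("You still need to obtain"); since this commit is a grammar pass it should be fixed here as well.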