Lurking with PGP

Lurking is a time-honored practice. If you don't want to seem foolish when you join a newsgroup, you lurk there, reading articles without posting any, learning what is expected of participants in that newsgroup. The same goes for mailing lists. Some people never quit lurking—and on the Internet, and on Usenet, that's all right.

While reading Usenet news or a mailing list, you have probably seen a PGP-signed message. It looks something like this (the signature has been slightly modified to fit in the magazine):

-----BEGIN PGP SIGNED MESSAGE-----
This is an example PGP-signed message.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCUAwUBMYlOKyd5aW9FNqjdAQHVpAP4vrpL2MoIm3MFk
95e7mRaYwRoKSL4lpCDR8WvDo13ICvaa/IbYxZwH/5IFM
vve7a+HnFPFd7pKegsJxSc8MgFnnBCxTJAEeimLCmZ+DA
VHPwqnEjxdeTWvwoysg2hm89CUOxvn4ArbG3yntlRlL+k
0HPjV+D0Uvi+LN0sNroi5A==
=G3yB
-----END PGP SIGNATURE-----

You can read the message just fine by ignoring all the PGP-specific stuff. But you can also make use of it by learning a few simple commands—and learning how to use them.

Are you intimidated by PGP's manual? Perhaps you should be. Unlike other software products, with which it is Okay to fool around in order to learn it piece by piece as you need it, cryptographic software needs to be well-understood to be truly secure. Using it incorrectly can give you a feeling of security—but that's worse than not using it at all, because with that false sense of security, you will use it to send sensitive information that you would never have dreamed of sending via e-mail otherwise. The manual section on key management isn't that long, but you do have to understand it, and to do that, you do need to read quite a bit of the manual.

If you want to write PGP-encrypted e-mail, you have to read the manual. This article can't substitute for the manual in teaching you how to keep your e-mail private. You have your choice of the free manual distributed with the source code, the printed version of the official manual sold by MIT Press, or the O'Reilly book, PGP: Pretty Good Privacy, ISBN 1-56592-098-8, written by Simson Garfinkel.

So you can “PGP-lurk”. You don't have to send PGP-encrypted e-mail in order to take advantage of PGP signatures; you can simply verify that messages sent by other people are really sent by them, and not by someone else masquerading as them. But in order to do that, you really need a little bit of background. Don't worry, this won't hurt a bit...

PGP is based on public key cryptography. Each person has a public key that everyone else needs to know, and a private key which must not be known by anyone else. A message is encrypted with both the sender's private key and the recipient's public key. The message can only be decrypted with the recipient's private key, which only the recipient knows.

It is possible, however, to simply sign a message without encrypting it. The sender's private key is used to sign the message, and the sender's public key is used to validate the signature. Notice that the recipient doesn't need any keys at all to validate a signature. As long as recipients are able to trust that their copies of the sender's public key are correct, they can trust the signature.

Since you don't need to protect the secrecy of a private key in order to use PGP to validate signatures, you don't need to read a book to learn how create a private key and keep it secret. You just need to know how to find other people's public keys and know how to use PGP to check signatures.

If you have read the newsgroup comp.os.linux.announce, you will have noticed by now that every message posted there is “digitally signed by the moderator, using PGP”. Lars Wirzenius, the moderator, allows you to be sure that he approved the articles for posting by PGP-signing them. In his signature, he states, “Finger wirzeniu@kruuna.helsinki.fi for PGP key needed for validating signature.” If you run the command finger wirzeniu@kruuna.helsinki.fi, you will see something resembling Listing 1. Don't type that key in from the listing; if the key is going to do you any good, you will be able to get it over the internet. If you don't like finger, you can get it from his home page, www.cs.helsinki.fi/~wirzeniu/.