You should always sign your own PGP public key.
If you generate a public/private key-pair and distribute the public
key without any signatures on it, you are open to a denial of
service attack. Here's how the attack works. I take your
unsigned public key, and (using a suitably powerful editor, such as
Emacs) I edit the userid string so that it still has your name but my
email address on it. Then I distribute this modified key widely.
Note that the modified key continues to have the same key fingerprint
as the unmodified key, so it appears to be your key to all who do not
know your email address. Anyone who uses the modified key to encrypt
email to you and who does not know your real email address will send
the email to me instead. Of course, I won't be able to decrypt the
email I receive, because it was encrypted with your public key, but I
have denied you the option of decrypting it. You might never know the
message was even sent. If you have at least one signature on your public key, PGP detects
the tampering of the userid string and alerts the person who is
sending you encrypted email. This is possible because of the nature
of a digital signature. A digital signature is the output of
a cryptographically secure hash function taking as input your
RSA public key and your userid
string (among other things). That hash output value is encrypted with
the private key of the signer. If you have a valid public
key from the signer and if you trust the signer to sign other people's
keys, then PGP allows you to infer a certain degree of trust that the
signed key belongs to the person named in the key's userid field. A cryptographically secure hash function is an irreversable hash
function for which it is computationally infeasible to find
an input message that hashes to a given output value. A task is
computationally infeasible if the sun will have burned out before even
the most powerful computer could finish the task. This prevents
people from forging digital signatures. You should sign your PGP public key immediately after generating your
public/private key-pair. To sign your own public key, type this: where <userid> is the userid attached to your
just-generated public key. If you have more than one userid on your
public key, then you should sign each one individually. A widespread misconception about self-signed public keys (i.e., keys that have
been signed by their corresponding private keys) is that a self-signed key is
somehow more valid than a key that is not self-signed. A self-signed key is
no more valid than a key with no signatures at all. Why? Suppose you have a
public key with this userid string: Here's my denial of service attack. I use PGP to generate a new
public/private key-pair with the same userid string as your public key
but having different RSA public key bits. I self-sign that public key
with its private half. I distribute that public key widely. Someone
thinks it's yours based on the userid string. She makes the mistake
of concluding that it is your key because it is self-signed.
This is the mistake of inferring validity merely from the
presence of a self-signature. She uses it to encrypt email to you,
but you will not be able to decrypt that mail. This is a different kind of denial of service attack than the one
described earlier (see Why You Should Sign Your PGP Public
Key above). The only defense against this attack (that I can
think of) is to be ever-vigilent for public keys that have your userid
string but a different key-id and
key-fingerprint. The key-id is the 32 least-significant bits of your RSA
modulus, which is one of the two numbers that make up your RSA
public key. The other number is the RSA public exponent (see
the mathematical guts of RSA
encryption for more details). The key fingerprint is a cryptographically secure hash of the RSA
modulus and RSA public exponent, which together make up your public
key. The cryptographically secure hash function is Ron
Rivest's MD5, which outputs a 128-bit (16-byte) number, which
depends in no discernable way on every bit in its input. It is much
easier for two people to compare a 16-byte hexadecimal value over the
phone that it is for them to compare the many hundreds or thousands of
bits that compose the modulus and public exponent. If an RSA public
key were tampered with in transmission from one person to another,
comparing the fingerprints (via a tamperproof communication channel)
would certainly reveal the tampering. The moral of this story is that you should regularly verify that
the fingerprints of distributed copies of your PGP public keys (such
as those in the PGP keyserver
databases) match the fingerprints of your copies of those keys.Why You Should Sign Your PGP Public Key
How to Sign Your PGP Public Key
pgp -ks <userid>
Misconceptions About Signed Keys
John Q. Public <jqp@somewhere.com>
How to Organize a Key-Signing Session
Thanks to Derek Atkins <warlord@mit.edu>
for this description of how to run a key-signing session for a group of people.
There are many ways to hold a key-signing session. Many viable suggestions have been given. And, just to add more signal to this newsgroup, I will suggest another one which seems to work very well and also solves the N-squared problem of distributing and signing keys. Here is the process:
-derek
Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) Home page: http://www.mit.edu:8001/people/warlord/home_page.html warlord@MIT.EDU PP-ASEL N1NWH PGP key available