notes from PGP tutorial

Here are some rough notes from a PGP tutorial I went to tonight:

Practical PGP: What you need to know to use PGP effectively
http://www.oclug.on.ca/pipermail/oclug-announce/2003-May/000074.html
presented by Matthew Wilcox

First need to generate a key, but due to a bug in gpg, run "gpg" first,
press ^D to exit.
 $ gpg
 ^D
 $ gpg --gen-key
 choose (1)

RSA/DSA are signing keys; ElGamal for encrypting
put (0) for expiry time (presenter doesn't consider it important)

should have separate keys for signing and encryption.
GPG doesn't allow that (or makes it difficult?)

q: what happens when key expires?
a: nothing. just a message to other people not to use the key after
  that date, they can obey or ignore that advice.

passphrase should be very long. (presenter's is ~10 words, recommends
5-15 words.) tip: use offensive nonsense, things you would never say,
and would never be in dictionaries (don't use e.g. movie quotes, jargon)

Signing things:
---------------

   gpg --sign

output contains compressed message

   gpg --clearsign

output contains original message

to sign a file:

   cp /etc/motd /tmp
   gpg --sign /tmp/motd

creates /tmp/motd.gpg with binary signed compressed version.

probably want an ascii version, so:

   gpg -a --sign /tmp/motd

creates /tmp/motd.asc with ascii-armored compressed version.

another option is clearsign:

   gpg --clearsign /tmp/motd

creates /tmp/motd with original uncompressed file and attached signature.

also, with detached signature:

   gpg -b --sign

useful if many people want to sign the same message: each can sign,
then signatures can be collected into one.

Verifying signatures:
--------------------

   gpg --verify

verifies all kinds of sigs.

Encrypting things:

   gpg --encrypt filename
   (enter your loginid at prompt)

   for many files at once:
   gpg --encrypt-files *

Decrypting things:

   gpg --decrypt
   gpg --decrypt-files

[hmm, --encrypt-files etc don't seem supported by my version of gpg, 1.0.6]

Using keyservers (e.g. wwwkeys.pgp.net, settable in .gnupg/options):

   gpg --send-keys [will send all keys in your pub ring]
   gpg --recv-keys

presenter keeps a copy of his key on a floppy disk in an undisclosed
location, in case his usb device dies.

Keysigning parties:

 - convince other people of identity
 - be convinced of other people's identities
 - sign their keys
 - upload to keyservers

presenter "fully trusts someone if I have been to their house and met
their wife." If you just meet someone at a keysigning and look at a
couple docs, he gives them a level 2 sig, indicating "I have checked
this key casually."

You should upload your key ring to keyservers after keysignings.
(e.g. gpg --send-keys)

I uploaded my newly-generated key to pgp.mit.edu:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8D3456D0
(that is for my W3C identity, [email protected]; not sure how I
should manage multiple identities yet.)

I still need to figure out how to integrate gpg with Mutt.

--
Gerald Oskoboiny <[email protected]>
http://impressive.net/people/gerald/
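The signing and verifying steps in the notes above, run end to end as an added example (not part of the original post or the tutorial): an unattended equivalent of the interactive `gpg --gen-key` walk-through, the three signature forms (`-a --sign`, `--clearsign`, detached `-b`), `gpg --verify` on each, and a check that a modified file is rejected. It assumes GnuPG 2.1 or later on PATH and works in a throwaway `GNUPGHOME`, so it never touches `~/.gnupg`; the user id, file contents and output names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: sign / clearsign / detach-sign / verify
# in a throwaway keyring. Assumes GnuPG 2.1+ on PATH; every name below is constructed.
set -eu

GNUPGHOME="$(mktemp -d)"          # private keyring for this run (mktemp creates it 0700)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Unattended counterpart of the interactive "gpg --gen-key" walk-through: RSA for the
# signing primary key and an RSA subkey for encryption, no expiry (as the presenter
# suggested), and no passphrase only because this key lives solely inside the demo.
make_demo_key() {
  gpg --batch --quiet --gen-key <<'EOF'
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Demo Signer
Name-Email: [email protected]
Expire-Date: 0
%no-protection
%commit
EOF
}

# The three signature forms from the notes for file $1, with explicit output names so
# the default ".asc" / ".gpg" suffixes do not collide:
#   $1.signed.asc  armored, compressed message carrying the signature (-a --sign)
#   $1.clear.asc   original text left readable, signature appended (--clearsign)
#   $1.sig         detached signature; the file itself is untouched (-b / --detach-sign)
sign_three_ways() {
  gpg --batch --yes --quiet --armor --output "$1.signed.asc" --sign "$1"
  gpg --batch --yes --quiet --output "$1.clear.asc" --clearsign "$1"
  gpg --batch --yes --quiet --armor --output "$1.sig" --detach-sign "$1"
}

# "gpg --verify" handles every form. A script should act on the exit status, not on
# the "Good signature" text gpg writes to stderr (left visible here for the reader).
verify_inline()   { gpg --batch --verify "$1"; }
verify_detached() { gpg --batch --verify "$1.sig" "$1"; }

# Returns 0 if verification correctly rejects a modified copy of $1 (requires $1.sig).
rejects_tampered_copy() {
  cp "$1" "$1.tampered"
  printf 'one extra line\n' >> "$1.tampered"
  if gpg --batch --verify "$1.sig" "$1.tampered" 2>/dev/null; then
    return 1     # a modified file must NOT verify against the original signature
  fi
  return 0
}

demo_round_trip() {
  f="$GNUPGHOME/motd"                            # stand-in for /tmp/motd in the notes
  printf 'Welcome to the demo host.\n' > "$f"    # constructed file contents
  make_demo_key
  sign_three_ways "$f"
  verify_inline "$f.signed.asc"
  verify_inline "$f.clear.asc"
  verify_detached "$f"
  rejects_tampered_copy "$f"
  echo "all three signatures verified; tampered copy rejected"
}

demo_round_trip
```

The detached form is the one the notes single out for multi-signer use: because `$f.sig` is separate from `$f`, each signer produces their own `.sig` over the identical file and the signatures can be collected without anyone re-wrapping the message.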

Re: notes from PGP tutorial

* Gerald Oskoboiny <[email protected]> [2003-05-29 20:14-0400]
> I still need to figure out how to integrate gpg with Mutt.

This is easy. Look at section XIV of [1] and then Mutt will do pretty
much everything for you.

It will verify signatures, ask you to type your passphrase to decode
things when needed, and the mail sending menu has a section about
encrypting and signature (just hit 'p').

 1. http://codesorcery.net/mutt/mutt-gnupg-howto
--
Hugo Haas - http://larve.net/people/hugo/

Re: notes from PGP tutorial

On Thu, May 29, 2003, Gerald Oskoboiny wrote:
> I still need to figure out how to integrate gpg with Mutt.

What do you mean by integrating? It works out of the box for me: I
write a message, press "p" for pgp menu and "s" for sign, and here it
goes.

Receiving signed mails also works without configuration. I have put
"keyserver wwwkeys.eu.pgp.net" in my ~/.gnupg/options, so that gpg will
automatically download the public key from the server when mutt gives it
the mail to check.

Sometimes I receive "malformed" crypted/signed mails that mutt does not
understand, and I have to run gpg manually on them.
Anyway, I almost never receive (outside debian mailing lists) signed or
crypted mails. It will perhaps change in the near future, because signed
electronic mails should one day be accepted as a signed Fax or snail mail
in France. Well... It won't be easy, because you have to educate people.

But it will be pretty cool to send a mail to make a bank operation,
instead of printing a paper, signing it and feeding it to a fax.
--
tibob
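A configuration that turns on what both replies describe (Hugo's "Mutt will do pretty much everything for you", tibob's "p" menu, automatic verification and keyserver fetching), as an added example rather than either poster's own setup. It is a `~/.muttrc` fragment for Mutt 1.5 or later built with GPGME; `0xKEYID` is a placeholder for your own key id.

```muttrc
# Added example, not from either reply above. Assumes Mutt 1.5+ with GPGME support;
# replace 0xKEYID with the id of the key you sign with.
set crypt_use_gpgme = yes        # drive gpg through GPGME rather than shell command templates
set pgp_sign_as = 0xKEYID        # which identity signs when the keyring holds several (placeholder)
set crypt_autosign = yes         # sign every outgoing mail; "p" in the compose menu still toggles it
set crypt_replysign = yes        # sign replies to signed mail
set crypt_replyencrypt = yes     # encrypt replies to encrypted mail
set crypt_verify_sig = yes       # verify a signature whenever a signed message is opened
set pgp_auto_decode = yes        # also handle old-style inline (non-PGP/MIME) signed or encrypted bodies
set pgp_use_gpg_agent = yes      # let gpg-agent cache the passphrase instead of prompting each time
```

tibob's keyserver line belongs on the gpg side, not in Mutt: in GnuPG 1.4 and later `~/.gnupg/options` became `~/.gnupg/gpg.conf`, where `keyserver` names the server and `auto-key-retrieve` (or `keyserver-options auto-key-retrieve` in older versions) fetches an unknown signing key when a signature is verified. That convenience has a cost worth knowing: every unknown signature then causes a network lookup, so the keyserver learns which keys you verify and when. `pgp_auto_decode` is what deals with the "malformed" mails tibob mentions, which are usually traditional inline PGP rather than PGP/MIME.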


HURL: fogo mailing list archives, maintained by Gerald Oskoboiny