[clo-devel] Re: Please upload your public GPG key to common-lisp.net

Marco Baringer mb at bese.it
Tue Nov 11 19:02:44 UTC 2003


Mario Mommer <mommer at igpm.rwth-aachen.de> writes:

> I think we should point people to a place where they get information
> on exactly what they should do. As an example of someone quite
> ignorant of this, I propose myself :) I don't even know what I could
> ask google. What kind of keys are these, how do I get them, etc?

Grab Gnu Privacy Guard from www.gnupg.org, download and build it.

Then you need to create a key. Since this isn't an intro to gpg I'll
just tell you what to do and not what you could do or what all the
options mean.

This command:

$ gpg --gen-key

will create a public/private key pair and add it to your
keyring. 

1) You'll want to create a DSA/Elgamal key pair which can be used for both
   signing and encrypting.

2) The key size should be at least 1024, I tend to use 2048 but that's
   just because I have an inferiority complex :).

3) Then you'll need to say when the key expires. I'd suggest to have
   it expire in the not too distant future, a year or two. Expired
   keys are still good for verifying signatures, and you'll use an
   expired key to sign your new key so changing keys isn't a big deal.

4) You'll need to specify the user id. The user id cannot change (it
   is in fact encoded in the key) and should represent who (and in what
   role) uses this key. As an example I have two keys, one is for me
   personally and has my name and my regular email address, another
   was created for the purpose of being a common-lisp.net developer,
   and has my name but uses the mbaringer at common-lisp.net email
   address.

5) Now pick a pass phrase. This is the only real protection saving
   your private key once someone gets their hands on it. If someone
   gets your secret key and knows your pass phrase they can sign and
   encrypt as if they were you. Choose something long (hard to brute
   force) with lower case letters, upper case letters, some numbers
   and punctuation chars.

6) Now gpg will go around and collect entropy. When it's done you'll
   have in your key ring (located in ~/.gnupg) a freshly created,
   completely trusted, key.

7) Export an ascii-armored copy of your public key with the command
   "gpg --armor --export <KEYID>" (you can get the KEYID from the
   listing of the keys in your key ring (either use the hexadecimal id
   or an email address if it's unique in your keyring)). Redirect the
   output of that command to a file and copy that file to your home
   directory on common-lisp.net.

8) Now go have a look at the docs at gnupg.org for some good manuals,
   howtos, tutorials, etc.

Hope this helps.

-- 
-Marco
Ring the bells that still can ring.
Forget your perfect offering.
There is a crack in everything.
That's how the light gets in.
     -Leonard Cohen
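
A check on the file that step 7 produces, as an added example that is not part of the original message or of common-lisp.net's tooling: it confirms the export is a public (not private) key block, verifies the armor CRC-24, and reads the primary key's algorithm and size. The function names and the sample packet are constructed for illustration; real input would be the saved output of "gpg --armor --export <KEYID>".

```python
import base64
import struct

ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}  # OpenPGP public-key algorithm IDs

def crc24(data: bytes) -> int:
    """CRC-24 of the armored payload (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Build ASCII armor; only used to produce the constructed sample input."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----\n"

def sample_packet() -> bytes:
    """Constructed start of a v4 DSA key packet (1024-bit p); not a usable key."""
    body = struct.pack(">BIBH", 4, 1068577364, 17, 1024) + b"\xff" * 128
    return b"\x99" + struct.pack(">H", len(body)) + body

def inspect_export(text: str) -> dict:
    """Check block type and CRC-24, then read the primary key's algorithm and size."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----":
        raise ValueError("not a public key block: " + lines[0])
    payload = lines[lines.index("") + 1:-1]      # skip armor headers and END line
    crc_lines = [line[1:] for line in payload if line.startswith("=")]
    data = base64.b64decode("".join(l for l in payload if not l.startswith("=")))
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[0]), "big") != crc24(data):
        raise ValueError("CRC-24 mismatch: export was damaged in transit")
    tag = data[0]
    if tag & 0x40:                               # new-format packet header
        ptype, off = tag & 0x3F, 1 + (1 if data[1] < 192 else 2 if data[1] < 224 else 5)
    else:                                        # old-format packet header
        ptype, off = (tag >> 2) & 0x0F, 1 + (1, 2, 4, 0)[tag & 3]
    # bits is the length of the first MPI: p for DSA/Elgamal, n for RSA
    version, _created, algo, bits = struct.unpack(">BIBH", data[off:off + 8])
    if ptype != 6 or version != 4:
        raise ValueError(f"expected a v4 public-key packet, got tag {ptype} v{version}")
    return {"algo": ALGOS.get(algo, str(algo)), "bits": bits}
```
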




