Running Linux, 5th Edition - Matthias Kalle Dalheimer
key is also valid from Alice's point of view.

This example illustrates two fundamental points:

The validity of a given key is not absolute. It is always relative to another key and to that key's owner's trust in other people, as expressed by the assigned ownertrust values. If Alice did not trust Carol to certify other keys, she could not ascertain the validity of Bob's key.

The Web of Trust model works incredibly well in your own socioecological vicinity. However, it is hard or downright impossible to make it work across more than one or two hops (i.e., intermediate keys).

In recent years, however, the global Web of Trust has exploded, so the latter point becomes less and less of a problem. Thanks to the analysis tools implemented and run fortnightly by Drew M. Streib and Jason Harris, we now know that the global Web of Trust contains one large strongly connected set, a set of keys with the property that each key from the set has a trust path to any other key from the set. This big set currently encompasses 28,418 keys, and its diameter is on the order of 15 hops. Another 60,000 keys can be reached from any key in this set with up to 30 hops. Usually, around 10,000 keys are reachable with no more than three hops. The mean square distance to the best-connected key from any key in the cluster is currently about 3.6 hops. In contrast to the big set, the next biggest sets have only 147, 117, and 79 keys in turn.

In order to enter the strongly connected set, all you need is to cross-sign your keys with at least one of its members. If you live in North America or Europe, this is usually not much of a problem. Visiting a conference or fair with Debian or KDE developers lets you take part in one of the numerous key signing parties that are often held during these events. In other parts of the world, however, it can be very hard.

The commands to sign other keys and change the ownertrust are all available using gpg --edit-key key-id. This enters a GnuPG shell where commands such as sign and trust are available to perform key maintenance.
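To make the first of the two points concrete, here is an added example (not code from the book or from GnuPG itself) that implements a simplified version of GnuPG's classic trust model in Python. The keyring, signatures and ownertrust values for Alice, Bob, Carol and the other names are constructed, and GnuPG's defaults completes-needed=1, marginals-needed=3 and max-cert-depth=5 are assumed.

```python
from collections import Counter

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

def compute_validity(signatures, ownertrust, own_key,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key that is valid from own_key's view.

    signatures: {key: set of keys whose owners have signed (certified) key}
    ownertrust: {key: FULL | MARGINAL | UNKNOWN}, assigned by own_key's owner.
    A key becomes valid when enough *already valid* keys whose owners we trust
    as introducers have signed it; our own key is ultimately trusted.
    """
    trust = dict(ownertrust)
    trust[own_key] = ULTIMATE
    valid = {own_key: 0}                         # key -> trust-path length
    for depth in range(1, max_cert_depth + 1):   # breadth-first over hops
        newly = []
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures from valid, trusted introducers count as votes.
            votes = Counter(trust.get(s, UNKNOWN) for s in signers if s in valid)
            completes = votes[ULTIMATE] + votes[FULL]
            if completes >= completes_needed or votes[MARGINAL] >= marginals_needed:
                newly.append(key)
        if not newly:                            # fixed point reached
            break
        for key in newly:
            valid[key] = depth
    return valid

# Constructed keyring seen from Alice: Carol and Bob as in the text; the others
# illustrate the marginal-introducer and unknown-ownertrust rules.
SIGNATURES = {
    "carol": {"alice"}, "bob": {"carol"}, "dave": {"bob"},
    "frank": {"alice"}, "gina": {"alice"}, "hank": {"alice"},
    "erin": {"frank", "gina", "hank"},           # three marginal introducers
    "ivan": {"frank", "gina"},                   # only two: not enough
}
OWNERTRUST = {"carol": FULL, "frank": MARGINAL, "gina": MARGINAL, "hank": MARGINAL}

def alice_view(ownertrust=OWNERTRUST):
    return compute_validity(SIGNATURES, ownertrust, "alice")

if __name__ == "__main__":
    print(alice_view())                          # bob and erin valid; dave, ivan not
    without_carol = {k: t for k, t in OWNERTRUST.items() if k != "carol"}
    print(alice_view(without_carol))             # bob disappears, carol stays valid
```

Dave's key stays invalid even though Bob's is valid, because Alice has assigned no ownertrust to Bob: validity and ownertrust are separate judgements, which is exactly the point the text makes.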

Using gpg-agent

After using GnuPG for a while, you will notice that you need to type in your passphrase quite often. But do not let this fool you into choosing a short passphrase! Instead, consider using the gpg-agent tool.

Much like ssh-agent, gpg-agent can be configured to maintain a cache of recently entered passphrases and reuse them instead of prompting the user. gpg-agent is part of GnuPG 2, the next-generation GnuPG. You can download GnuPG 2 from ftp://ftp.gnupg.org/gcrypt/alpha/gnupg; its packages are called gnupg-1.9.n. Even though gpg-agent is packaged alongside GnuPG 2, it works just fine with GnuPG Version 1.2.6 or higher. Note that gpg-agent uses the pinentry package to prompt the user for a passphrase. Versions of pinentry are currently available for Qt (KDE), GTK (GNOME), and ncurses (text terminal).

To make GnuPG use the agent, you first have to start it: eval `gpg-agent --daemon`. The eval feeds back the output of the command in the backticks into the current shell; that is important because the gpg-agent command outputs environment variable assignments that are necessary for GnuPG to use the agent; in this case, the environment variable GPG_AGENT_INFO will be set. If you start GnuPG from this shell (or any other shell spawned from it), and pass it the --use-agent option (either on the command line or in ~/.gnupg/gpg.conf), then GnuPG will contact gpg-agent to obtain the passphrase instead of prompting the user directly.

To make gpg-agent cache the passphrase instead of asking each time anew, create ~/.gnupg/gpg-agent.conf with the following contents:

    default-cache-ttl 3600

This instructs gpg-agent to cache the passphrase for 3,600 seconds — that is, one hour.

* * *

[*] A passphrase is just a long password, usually a sentence.

[*] Of course, you can encrypt any kind of file, not just text files, so when we talk about "reading a file," you could just as well substitute "listen to audio files" or "watch movie files."

[*] Although she sometimes
