If you have read my previous post, GPG Best Practices, you will know that I am a fan of setting expiration dates on my GPG keys.
This has not always been the case. As with many computer users I tend towards the lazy, and if I can keep from having to re-learn a password by never changing it, then I have been guilty of doing so.
Recently, however, I have decided that this is not the best thing to do when it comes to computer security. So while restoring my computer this weekend after a rebuild of the OS to get rid of some cruft that had built up, I decided I needed to add expiration dates to all of my GPG keys.
Now I had already established one for my work e-mail at the time I created the key, but now I needed to go back and add ones to my personal keys. After reading the man page on GPG, it looked pretty easy. Just go into edit mode for the key I wanted to change, then add an expiration date. Simple enough, right? Wrong.
Turns out that what I wanted to do was feasible, just not readily apparent. I didn’t just want to set a date relative to the current date in days, months, weeks, or years. What I wanted to do was use a specific date.
Well, after some diligent searching on Google, I found the following in a post on the gnupg-users list:
>>Is it possible to set an explicit date (e.g. 31 Dec) rather than a
>>duration? I suppose I could compute the number of days, but that’s
>>annoying.
Problem solved, mission accomplished.
Like many people who have some concerns over security on the Internet, I have started to use digital signatures for all of my mail sent from my regular e-mail client on my Mac.
While there are several avenues for this, I chose to use GPG. While I know that this means jumping through a couple of extra hoops in configuring my mail client, I decided that it was worth it, because unlike the Thawte Freemail certs, using GPG on my computer also means that I can encrypt files in addition to my mail messages, should I choose to do so.
I am wondering what the thoughts are on best practices when it comes to using GPG.
Here are a couple that I have come up with (learned through hard experience):
1. Back up your keys.
I cannot stress this strongly enough. If for some reason you have a catastrophic computer failure, you will need those backups in order to decrypt your e-mail once you restore your data backup. (You do back your data up, right?)
And when you make those backups, do not rely on just a digital backup. Back up both your public and secret keys in an ASCII-armor file and print the darned thing out. Digital backups are subject to data rot and any number of other technological snafus, but I have printed material that is perfectly readable after more than 20 years.
2. Make a revocation certificate.
The GPG mini-howto gives a couple of excellent reasons for doing this:
For instance: the secret key has been stolen or became available to the wrong people, the UID has been changed, the key is not large enough anymore, etc.
Just remember that revoking a key is not reversible.
3. Set an expiration date for your keys.
Just like changing passwords, you should regularly change your GPG keys. Don’t worry about losing track of the data that was encrypted with a key that has expired. You’ll still be able to open that data; it just means that someone won’t be able to encrypt with the old key unless they ignore the warnings about it being expired.
What this also means is that you should hang on to the expired keys, since you might need them to access some older encrypted files. (See best practice number 1)
4. Add commentary to your keys.
If you are like most heavy computer users, you have more than one e-mail address. And if you create a GPG key for each one of those, it would help to keep things orderly if you commented on the individual keys.
For example, the key I use for my work e-mail has a comment of:
Work Address
So, do you have any more best practices?
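Here is an added example, not part of the original posts, that ties together the explicit-date question from the expiration-date post and best practice 3 above: it flags keys with no expiration date (or one coming up soon) and sets a specific calendar date. It assumes GnuPG 2.1 or later (for `--quick-set-expire` and its `YYYY-MM-DD` argument) and epoch-second dates in the colon listing; the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a keyring for missing or near expiration dates, then
# set an explicit calendar date. Assumes GnuPG 2.1+ and epoch-second dates
# in --with-colons output.

# Constructed sample of `gpg --with-colons --list-keys` output
# (key IDs, dates and user IDs are made up for illustration).
SAMPLE='pub:u:4096:1:AAAAAAAAAAAAAAAA:1167609600:::u:::scESC:
uid:u::::1167609600::0000::Example User (Personal) <user@example.org>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1167609600::::::e:
pub:u:2048:1:CCCCCCCCCCCCCCCC:1167609600:1199145600::u:::scESC:
uid:u::::1167609600::0000::Example User (Work Address) <user@example.com>:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1167609600:1199145600:::::e:'

# audit_expiry NOW_EPOCH WARN_DAYS  (colon listing on stdin)
# Field 5 is the key ID, field 7 the expiration time (empty = never expires).
audit_expiry() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" || $1 == "sub" {
            if ($7 == "")                      s = "NO-EXPIRY"
            else if ($7 + 0 <= now + 0)        s = "EXPIRED"
            else if ($7 - now <= warn * 86400) s = "EXPIRES-SOON"
            else                               s = "OK"
            print s, $1, $5
        }'
}

# audit_keyring WARN_DAYS: run the same audit against the real keyring.
audit_keyring() {
    gpg --batch --with-colons --list-keys | audit_expiry "$(date +%s)" "$1"
}

# set_expiry_date FINGERPRINT YYYY-MM-DD: set an explicit expiration date
# on the primary key, rejecting anything that is not an ISO calendar date.
set_expiry_date() {
    case "$2" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "expected YYYY-MM-DD, got: $2" >&2; return 2 ;;
    esac
    gpg --quick-set-expire "$1" "$2"
}

# Demo on the constructed sample, as of 2007-12-01 UTC with a 60-day window.
printf '%s\n' "$SAMPLE" | audit_expiry 1196467200 60
```

Run `audit_keyring 60` to check your own keyring, then `set_expiry_date` with the full fingerprint of any key reported as `NO-EXPIRY`.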
Everyone wanted DRM-free music and EMI partnered with Apple to make it happen.
Now apparently it’s not being done right. Of course, we all knew that the account holder name and associated e-mail address were being stored in the DRM encrypted tracks. But somehow everyone seems to think that Apple was going to just cease to embed that because the song was DRM-free.
Ars Technica has a story up on this.
I wouldn’t be surprised if some data was being analyzed in aggregate, although Apple’s current privacy policy does not appear to allow for this. As with the dust-up over the mini-store, Apple should clarify what this embedded data is used for.
Give me a break. Sure, if the privacy policy states that Apple isn’t going to use the data for purchase analysis, then fine. But I would be willing to bet that the author of the story has at least one of those grocery store cards, or a gas station card, or even a driver’s license, that contains some sort of barcode or mag stripe on it. What exactly do you think the stores do with all that data on your purchasing habits? They analyze it for trends of course.
Chicken Little, the sky is not falling.
So I ran across a story on Slashdot about how ABC/Disney had a blog shut down over the posting of some audio clips from a radio-station affiliate in conjunction with the blogger’s letters to the radio station advertisers over their tacit support of the comments and views of the talk radio hosts on the station.
The Slashdot post linked to a blog posting on the Daily Kos: State of the Nation that had more details.
While I don’t exactly like the idea of corporate America picking on the little guy when their pocketbook is being affected, I wonder at the hoopla that gets kicked up in the liberal ‘Net community every time something like this happens.
One of the comments on the Daily Kos post stated that this was
this is a really big First Amendment and Blogger Rights issue
I think that the author of the comment would have had a good point if they had stopped after “First Amendment”.
What is it that makes speech in a blog any different than speech in any other medium? If there are legitimate freedom of speech issues in this particular case, beyond the often confusing interpretation of what constitutes fair use, then that is a valid point. However, just because the post was made on a blog shouldn’t impart any special protection beyond what has been granted in the case law surrounding the First Amendment protections.
For years, people that have an issue with a particular view expressed through a commercial entity, be it radio, television, or print, have been writing letters to newspaper editors and advertisers. How is this any different now that we have another medium to voice our opinions? Just because the ease of getting the opinion across has been increased with the advent of Internet forums and blogs, does not mean that the same laws concerning freedom of speech or copyright are more or less applicable.
Do we really need a whole raft of new legislation when the medium is digital instead of analog?