From da04812402d5ba4671d70b14e72b113046f77b20 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Thu, 4 Nov 2021 08:58:03 +0200 Subject: README.md: add missing word --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5b21e80..4e331cb 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # User guide for sq -This is a sketch a user guide for sq, the command line tool from +This is a sketch of a user guide for sq, the command line tool from Sequoia-PGP. `sq` is a command line tool for encrypting and authenticating files -- cgit v1.2.1 From 2f103c2bb8de32f90a083397c272c681474fe1f3 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Thu, 4 Nov 2021 09:17:27 +0200 Subject: Add mention of sequoia-openpgp library Also, add links to the project, the library, and Rust. Closes #14 --- sq-guide.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/sq-guide.md b/sq-guide.md index ce7e342..d8862c5 100644 --- a/sq-guide.md +++ b/sq-guide.md @@ -79,7 +79,11 @@ $ ls -l decrypted.md ## What are Sequoia-PGP and `sq`? -The Sequoia-PGP project works to make use of cryptography for privacy +[Sequoia-PGP project]: https://sequoia-pgp.org/ +[Rust programming language]: https://www.rust-lang.org/ +[sequoia-openpgp]: https://gitlab.com/sequoia-pgp/sequoia/-/tree/main/openpgp + +The [Sequoia-PGP project][] works to make use of cryptography for privacy and authentication in communication more commonplace. The project produces and maintains an implementation of the OpenPGP standard that's easy and uncomplicated to use. @@ -89,7 +93,10 @@ projects to verify the authenticity of software packages, and for encrypting and authenticating messages. `sq` is the command line tool provided by Sequoia-PGP. It's easy and -uncomplicated to use. +uncomplicated to use. Sequoia-PGP also provides a library for the +[Rust programming language][], called [sequoia-openpgp][]. However, +the library is only of interest to software developers, and this guide +is aimed at users of the `sq` tool. ## Why use OpenPGP? -- cgit v1.2.1 From d751965f43a010a54dba3bda0716e46de2c2e1cf Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Thu, 4 Nov 2021 09:20:33 +0200 Subject: Add note that the PK explanation is a simplification Closes #15 --- sq-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sq-guide.md b/sq-guide.md index d8862c5..05d8abe 100644 --- a/sq-guide.md +++ b/sq-guide.md @@ -270,7 +270,7 @@ if you encrypt something using the public part, the result can only be decrypted with the private part. And also vice versa: if you encrypt something using the private part, only the public part can decrypt this. Since anyone can decrypt, this operation is called a _digital -signature_. +signature_. (This is a very rough simplification.) This allows some very interesting things: -- cgit v1.2.1 From 5fac492f197709a9e5321dc5474b182b19f0931b Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Thu, 4 Nov 2021 09:23:07 +0200 Subject: Use the word "complement" instead of "alternative" Closes #16 --- sq-guide.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/sq-guide.md b/sq-guide.md index 05d8abe..f448b8f 100644 --- a/sq-guide.md +++ b/sq-guide.md @@ -307,12 +307,13 @@ for links to explanations. ## Symmetric cryptography -The alternative to public key cryptography is _symmetric -cryptography_. (Public key cryptography is also known as _asymmetric -cryptography_.) In symmetric cryptography there is no public and -private parts of an encryption key. There is only one part, and the -same key is used both for encrypting and for decrypting data. This is -in many ways easier to understand, but is usually more awkward to use. +The complement to public key cryptography is _secret key +cryptography_, which is also known as _symmetric cryptography_. +(Public key cryptography is also known as _asymmetric cryptography_.) +In symmetric cryptography there is no public and private parts of an +encryption key. There is only one part, and the same key is used both +for encrypting and for decrypting data. This is in many ways easier to +understand, but is usually more awkward to use. Symmetric cryptography is best suited when only one person needs to know the key, or when everyone who needs the key can get it in person. @@ -345,6 +346,11 @@ The benefit is that symmetric cryptography tends to run faster and have shorter keys compared to public key cryptography, for similar levels of resistance against attacks. +OpenPGP actually uses both symmetric and public key cryptography: one +for the bulk of encryption, for speed, and the other for easier key +management. The user does not actually need to care, but understanding +is always good. + ## Limitations of cryptography -- cgit v1.2.1 From 76cd239ed211384bacac74d5161bd1205b408a1a Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Thu, 4 Nov 2021 09:28:33 +0200 Subject: Note that with subkey primary key is harder to leak or misuse Closes #17 --- sq-guide.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sq-guide.md b/sq-guide.md index f448b8f..b8bd9d3 100644 --- a/sq-guide.md +++ b/sq-guide.md @@ -520,6 +520,8 @@ your certificate. This setup has several benefits: * you can have separate subkeys for encryption, signing, or authentication +* it's harder to leak or misuse the primary key, as it's only used + rarely * you can use a smaller key when less security is OK in exchange for faster use * you can have a separate subkey for each device you have, or put -- cgit v1.2.1 From 1a9244dd8019d0ca17114ee48307ce542f38aca6 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Thu, 4 Nov 2021 09:32:15 +0200 Subject: Add note about revocation update benefit to key expiration Closes #18 --- sq-guide.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/sq-guide.md b/sq-guide.md index b8bd9d3..d53e6db 100644 --- a/sq-guide.md +++ b/sq-guide.md @@ -542,12 +542,18 @@ key: if the key expires, others won't use it anymore. You can extend the expiration as often as you wish, although that requires getting your update certificate to everyone who needs to use it. +Another, more subtle benefit of expiring keys is that a short +expiration time (of, say, one year) forces everyone else to refresh +their copy of your certificate. This routine means they will also get +a revocation update for the key, if there's ever a need for that. + You can also set subkeys to expire. This has the same benefits as expiring the primary key. Changing expiration times can be a chore. There's a security benefit to it, but if it's inconvenient for you, you may want to consider not -expiring keys, or only expire subkeys. +expiring keys, or only expire subkeys. Despite the benefits, it's +better to have a non-expiring key than not have a key at all. ## Generating a key -- cgit v1.2.1