author: Lars Wirzenius <lwirzenius@wikimedia.org> 2020-01-31 16:27:42 -0800
committer: Lars Wirzenius <lwirzenius@wikimedia.org> 2020-01-31 16:27:42 -0800
commit: edcb8a55354f5ce781ebb0e139b38dae0ca76749
tree: 295d34e1a3a7d380bbcffd33dce0fa36bdac55a3 /pgptalk.mdwn
parent: a2d00cd5d3d057f3be18fdcdfd607e5157e6e9dc
Change: use beamer for PGP talk
Diffstat (limited to 'pgptalk.mdwn')
-rw-r--r-- pgptalk.mdwn | 422
1 files changed, 0 insertions, 422 deletions
diff --git a/pgptalk.mdwn b/pgptalk.mdwn
deleted file mode 100644
index 593b6a5..0000000
--- a/pgptalk.mdwn
+++ /dev/null
@@ -1,422 +0,0 @@
-class: center, middle
-
-PGP and GnuPG&mdash;some basics
-=============================================================================
-
-Use of unnecessary swearing while using crypto software...
-has been approved
-
-Verion 1.0.1 for 2019-05-08
-
----
-
-Everyday uses of PGP
-=============================================================================
-
-* email: sign, encrypt (all personal emails I send are signed by default)
-
-* git: signed tags, signed commits (for releases)
-
-* software releases: sign your tarballs, downloadables
-
-* SSH: you can use your PGP key as an SSH key
-
- * I use a PGP subkey on my Yubikey for SSH
-
-* amaze people at parties, be an international celebrity
-
----
-
-Threat models
-=============================================================================
-
-* Why would anyone attack **you**?
-
- * you, your data, or your computing resources might be valuable
- * you might be a stepping stone to another target, such as
- your employer
- * you might be an easy target
-
-* An attacker may want to...
-
- * **impersonate** you
- * **falsify** a file you need or provide, such as a software
- download
- * **eavesdrop** your communications to steal sensitive information
-
-* An attacker may be...
-
- * a government: US, UK, Russia, China, etc, possibly illegally
- * law enforcement, possibly illegally
- * a large private organisation, possibly your employer
- * a criminal organisation
- * a minor criminal
- * someone with too much time and a twisted sense of humour
- * someone you know who doesn't like you
----
-
-Defences
-=============================================================================
-
-* cryptography
-
-* widespread use of cryptography ("herd immunity")
-
-* general infosec and opsec: keep your devices secure, and don't
- do stuff that leaves you open for an attack
-
-* this can be really difficult, depending who you are and who's
- attacking you; if you're a desirable target, you need to learn to
- be secure, but if you're not, a few basic precautions is enough
-
-* compare with driving
-
- * if you're just running errands, you'll be OK after normal
- driving lessons
- * if you're in a Formula 1 race, you need to learn a lot more and
- work hard to even be allowed in the car
-
-* if the attacker is sufficiently motivated or sufficiently
- well-funded, and has sufficient time, you will probably eventually
- lose, sorry
-
----
-
-The kernel of wisdom is moderation in all things
------------------------------------------------------------------------------
-
-* It's easy to become despondent, but don't. While security is never
- perfect, even a little effort will improve things a lot. You might
- run faster than others, so the bear won't attack you.
-
-* It's easy to try too hard, but don't become a cryptography or
- security absolutist. While it's good if everyone tries their best,
- and improves their cryptographic defences over time, don't despair
- if what they or you have isn't perfect.
-
-* **Cryptography absolutism** is when you say it's not worth using
- cryptography at all, unless you're protected against every
- conceivable scenario.
-
----
-
-Basics of public key cryptography
-=============================================================================
-
-* Everyone has a key pair: a **public** and a **secret** key, which
- are linked together using advanced maths, such that data encrypted
- with one can only be decrypted with the other
-
- * you keep the **secret key secure** so that only you have a copy,
- and only you can use it
- * you **publish the public key** so that everyone can have a copy
-
-* Prove data or message is from you by **signing**: encrypt with your
- secret key, anyone can check by decrypting with your public key
-
-* Keep communications **secret**: everyone can encrypt with your
- public key, only you can decrypt using your secret key
-
-* Public key cryptography solves the key distribution problem.
- Traditional (symmetric) cryptography requires a shared secret or
- code between sender and receiver, and this can be complicated to
- arrange.
-
-* RSA, ElGamal, Diffie-Hellman, elliptic curve, etc: interesting maths
- if that's your thing, not required to be understood for using crypto
- (this might be a little controversial)
-
----
-
-Storing keys securely
-=============================================================================
-
-* Consider your threat models: what do you need to protect against?
-
-* You should probably at least keep your main key pair off-line,
- on a USB stick, and only use it in a device whose security you
- trust
-
-* Subkeys: the main key is kept safe and forms the identity, but
- additional keys, linked to the main key. New subkeys can be
- generated at will for specific purposes, such as for keeping on a
- laptop for email
-
-* Subkeys can be stored on your normal devices, since they're easy
- to replace with new ones if they're compromised
-
-* Subkeys can also be stored on special devices for more secure key
- storage, such as Yubikeys
-
-* A secret key is data "at rest" (as opposed to "in transit"), and is
- basically only protected by the passphrase you set.
-
- * Choose a long passphrase that you won't forget. GnuPG can handle
- any length you can remember and type.
-
- * You can change the passphrase later if you want to make it
- stronger.
-
----
-
-Creating a key, with subkeys, with GnuPG
-=============================================================================
-
-* Main key is used for keysigning, changing key uids, subkeys for
- everything else
-
-* Install GnuPG aka GPG aka gpg, version 2.1 or later (Linux, Mac, Windows)
-
-* **`gpg --gen-key`**, use defaults unless you know better
-
-* Also create subkeys, at least one for encryption and one for signing
-
-* Follow one of these:
-
- * <https://alexcabal.com/creating-the-perfect-gpg-keypair>
-
- * <https://blog.liw.fi/posts/2017/05/29/using_a_yubikey_4_for_ensafening_one_s_encryption/>
-
-* Remember to create a **key revocation certificate** and store that
- somewhere safe that you can access without your PGP key
-
----
-
-Publishing a public key
-=============================================================================
-
-* A network of key servers exist for this, to make it easy to find
- keys
-
-* Always use full fingerprints or 64-bit ("long") key ids to refer
- to keys
-
- * 32-bit (8 hex digit) short ids are no longer secure, and there
- are hoax keys with real names (see <https://evil32.com/>)
-
-* **In principle** it doesn't matter which keyserver you use, the
- built-in default should be good enough, except sometimes it isn't
-
- * New keys and updates to keys propagate across the network
- automatically, but sometimes it takes time, even weeks
-
- * This pool of keyservers seems to be better than most:<br/>
- <http://sks-keyservers.net>
-
- * Add this line to **~/.gnupg/gpg.conf** and **dirmngr.conf**:
- <br/> `keyserver hkps://hkps.pool.sks-keyservers.net`
-
- * Technically, only dirmngr.conf should be needed, but in my
- experience things work better if it's in both.
-
----
-
-Signing a key
-=============================================================================
-
-* You can add any names and email addresses you like to a key
- generate; **anyone can create a new key and put your name on it;**
- how can anyone trust any given key?
-
-* "Web of trust" vs "Trust on first use"
-
-* Keys can have signatures, which mean **"the person who signed this
- key is confident that this key belongs to the person named in
- the key"**
-
- * Does *not* mean "is a trustworthy person, you should loan them
- money and your car"
- * "Is confident" is up to the signer, there are no rules
-
-* Key signatures are also published on the keyservers
-
-* You can tell GnuPG which keys' signatures you trust, and how
- much, and GnuPG will tell you if you can trust a key, even if
- you haven't signed it yourself
-
- * compare with introducing people in real life
- * "I trust Alice to introduce me to new people and not lie who
- they are"
-
----
-
-Signing a key: HOWTO, part 1
-=============================================================================
-
-* You need the fingerprint of the key you want to sign (KEYID below)
- and to get the actual key from the keyservers; or you can get in a
- file via email or similar
-
- * **`gpg --recv-key KEYID`**
- * **`gpg --import FILENAME`**
-
-* Sign key key, which is done by "editing" the key
-
- * **`gpg --edit-key KEYID`**
- * this will result in a **`gpg>`** prompt
- * enter the **`sign`** command, *check the fingerprint*, answer yes
- if you want to sign; this will ask for your key passphrase
- * you may also have a GPG agent running, in which case you may
- not need to provide a passphrase; the agent keeps the private
- key and remembers it without you having to enter a passphrase
- every time
- * enter the **`save`** command at the prompt
-
-
----
-
-Signing a key: HOWTO, part 2
-=============================================================================
-
-* Export and encrypt the signed key:
-
- * **`gpg --export --armor KEYID > key.pub`**
- * **`gpg --encrypt -r KEYID key.pub`**
- * GnupPG may tell you that the key isn't ultimately trusted; tell
- it to use the key anyway
-
-* Email the encrypted file **`key.pub.gpg`** (note suffix!) to the email
- address listed on the key
-
-* This ensures the person who controls the secret key actually
- receives email to the address given on the key
-
-
----
-
-Receiving a signature for your key
-=============================================================================
-
-* Decrypt the email
-
-* Save the signed copy of your key to a file
-
-* Import the key: **`gpg --import FILENAME`**
-
-* Send the update key to the keyserver: **`gpg --send-key YOURKEYID`**
-
-
-
----
-
-Signing a key: the easy way
-=============================================================================
-
-* On Debian and derived Linux distributions
-
-* **`apt install signing-party`**
-
-* **`caff FINGERPRINT`**
-
-* may require for a mail transport agent to be configured on the
- laptop
-
----
-
-Extending key expiration date
-=============================================================================
-
-* Every key can have an expiration date
-
-* The secret key holder can extend the expiration date
-
-* It's optional, and not terribly useful
-
- * makes sure you don't forget how to use GnuPG
-
- * if you lose your secret key (careless!) it warns people to not
- use your key after it's expired
-
-* Make sure you have a revocation certificate and can get that even if
- you lose your secret key
-
----
-
-Using a USB stick: why?
-=============================================================================
-
-* Store main key only on USB stick
-
-* Keep USB stick physically safe
-
- * full-disk encryption with stong passphrase
- * maybe stored in a safe
- * possibly guarded by armed guards with dogs
- * castles, moats, and sharks are probably overkill, but do
- consider crocodiles
- * some of this advice may be in jest
-
-* Also, only use USB stick in a computer you trust
-
-* You may want to mark all copies of the stick clearly
-
-* Have subkeys on laptop for everyday use
-
----
-
-Using a USB stick: overall approach
-=============================================================================
-
-* GnuPG keeps everything in **`~/.gnupg`** by default, override by
- setting the **`GNUPGHOME`** environment variable
-
-* Use this to have two GnuPG instances: **main key on a USB stick**,
- and **subkeys on your laptop**
-
- * format a dedicated USB stick with a suitable filesystem (e.g.,
- **ext4**), give it a filesystem **label**, and mount it (e.g.,
- **`/media/liw/usb-stick`**)
- * make backup copies of the stick; probably best give each backup
- copy a dedicated filesystem label so you know which one is which
-
-* To use the main key, set **`export GNUPGHOME=/media/liw/usb-stick`**
- for key signing, importing signatures, creating new subkeys
-
-* For everything else, don't set the environment variable
-
-* GnuPG sometimes starts **background services**; you should **kill
- them** when switching between keys, or you'll be confused
-
- * **`gpgconf --kill gpg-agent`**
- * **`gpgconf --kill dirmngr`**
-
----
-
-Using a USB stick: moving main key
-=============================================================================
-
-* Create your PGP and subkeys normally on your laptop, mount your USB stick
-
- * Mount point it something like **`/media/liw/usb-stick`**
-
-* Export secret subkeys to a file (on laptop)
-
- * **`gpg --export-secret-subkeys YOURKEYID > secret.key`**
-
-* Move the laptop's GnuPG stuff to USB stick.
-
- * **`mv ~/.gnupg /media/liw/usbstick/gnupg`**
-
-* Import the exported keys to laptop
-
- * **`gpg --import secret.key`**
- * this creates a new **`~/.gnupg`** directory; you may want to
- configure it
-
-* Check results: **`gpg -K`**
-
- * should show **`sec#`** to indicate missing main secret key
- * should show **`ssb`** to indicate secret subkey being present
-
----
-
-Legalese
-=============================================================================
-
-Copyright 2019 Lars Wirzenius
-
-This content is licensed under the Creative Commons
-Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence.
-
-[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/
-
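Review bot: The paths in the two "Using a USB stick" slides removed here disagree with each other, which matters if this text is carried over into the beamer version named in the commit message. The stick is mounted at `/media/liw/usb-stick` and `GNUPGHOME` is exported to that same path, but the move step is `mv ~/.gnupg /media/liw/usbstick/gnupg`, which uses a different directory name (`usbstick`) and places the keyring in a `gnupg` subdirectory that `GNUPGHOME` never points at. A reader following the slides as written would run `gpg` against a home directory that does not hold the main key. Suggest using one mount point throughout and setting `GNUPGHOME` to the directory the keyring is actually moved into. In the same slide, `secret.key` from `gpg --export-secret-subkeys` is imported but never removed; a final step that deletes it would avoid leaving a stray copy of the secret subkeys outside `~/.gnupg`. The diffstat on this page is limited to `pgptalk.mdwn`, so the replacement file cannot be checked from here.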