GPG/PGP Keysigning

I just got back from this year’s OpenStack Summit, which was a great experience. In addition to many fruitful sessions about OpenStack itself, a keysigning party was held. This was the first such session I’ve attended, and the use of PKI for signing/encrypting mail is something that’s only recently drawn my interest.

One thing that I find interesting is that there’s no central authority from which keys derive trust, unlike SSL in browsers. Instead, it’s a web-of-trust model. Individuals cryptographically sign each others’ public keys to denote trust in them. If you’ve verified my key, and I sign Bob’s key saying I’ve verified it, then, if you trust me, you can trust Bob’s key.

At the keysigning party, we used the Sassaman Projected Method, in which we each stood up, presented something like a passport on the projector, and verbally verified that the list of key fingerprints compiled before the event was valid. (We also verified the MD5 and SHA sums of the list itself before beginning, so that we knew we were all working from the same list.)

GPG setup notes

I’m not going to cover the basics, because myriad other sources already do a much better job. But a few helpful hints for your gpg.conf:

  • You can set a default-key value if you have more than one key.
  • Ensure that require-cross-certification is present.

You may also want to set up a keyserver different from the default. Here is what I have:

keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem
keyserver-options auto-key-retrieve
keyserver-options no-honor-keyserver-url

This uses the SKS Keyservers pool, a pool of almost 100 keyservers that all exchange keys with each other. More specifically, it selects the HKPS members, which serve HKP over SSL on port 443. To use it, you must grab the pool’s self-signed SSL certificate. (Note that SSL here mostly stops a middleman from eavesdropping on which keys you look up; it is not what protects you from tampered keys. That security comes from the keys themselves, by checking fingerprints and signatures.)

The auto-key-retrieve option is so that when I get new email in mutt signed with a key I haven’t seen before, the key is fetched automatically. The no-honor-keyserver-url option ensures that we always use our HKPS-enabled server, even if a key’s preferred-keyserver field points to another one, so we never silently fall back to a different server.
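As an added example (not part of the original post, and not a tool from the GnuPG project), here is a small POSIX shell audit of a gpg.conf against the three settings discussed above: require-cross-certification present, the keyserver line using hkps://, and no-honor-keyserver-url set. The function and file names are my own; the sample configurations in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a gpg.conf against the
# settings recommended above. Pass the path as $1; with no argument the script
# only defines its functions, so it can be sourced.

# Directives only: gpg ignores lines whose first non-blank character is '#'.
gpg_conf_directives() {
  sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1"
}

# Print one finding per line; print nothing when the file passes.
audit_gpg_conf() {
  dirs=$(gpg_conf_directives "$1")

  # Without this, a signature made by a subkey is accepted even if the
  # primary key never certified (back-signed) that subkey as a signing key.
  printf '%s\n' "$dirs" | grep -q '^[[:space:]]*require-cross-certification' \
    || echo "missing: require-cross-certification"

  # The last keyserver line wins; it should be an hkps:// URL so lookups are
  # not observable in transit (plain hkp:// is cleartext HTTP).
  ks=$(printf '%s\n' "$dirs" | awk '$1 == "keyserver" { print $2 }' | tail -n 1)
  case "$ks" in
    hkps://*) ;;
    "")       echo "missing: keyserver (gpg default will be used)" ;;
    *)        echo "weak: keyserver $ks is not hkps://" ;;
  esac

  # A key can carry a preferred-keyserver URL; honoring it lets a fetch leave
  # the configured HKPS server for whatever server the key's owner named.
  printf '%s\n' "$dirs" \
    | grep -q '^[[:space:]]*keyserver-options.*no-honor-keyserver-url' \
    || echo "missing: keyserver-options no-honor-keyserver-url"
}

# Number of findings, handy for scripts that want a pass/fail exit.
audit_count() {
  audit_gpg_conf "$1" | wc -l | tr -d ' '
}

if [ $# -gt 0 ]; then
  audit_gpg_conf "$1"
fi

# Usage (constructed): sh audit-gpg-conf.sh ~/.gnupg/gpg.conf
# A file containing only "keyserver hkp://pool.sks-keyservers.net" yields
# three findings; the configuration shown above yields none.
```

The check is deliberately conservative: it reads only uncommented directives, takes the last keyserver line (as gpg does), and treats any non-hkps scheme, including a missing line, as a finding.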

Keysigning Process

caff automates much of this. On Fedora, it’s provided by pgp-tools.

  • After installing it, run caff once to have it generate a ~/.caffrc file.
  • Edit ~/.caffrc to taste:
    • Make sure that $CONFIG{'owner'} and $CONFIG{'email'} are set properly.
    • If your machine doesn’t run a properly-configured MTA, add a line to relay mail through a mailserver, like so: $CONFIG{'mailer-send'} = [ 'smtp.corp.example.com'].

caff maintains its own gpg.conf file, in ~/.caff/gnupghome/. You may want to customize it, or just symlink your main one to it. Partly because I missed exactly what was happening at first, I instead imported keys to my normal keyring, and just pointed caff to that keyring. I used -R to prevent it from fetching keys, and --key-file ~/.gnupg/pubring.gpg to pull from my normal keyring. This probably made things more difficult than needed.

One thing that took me a moment was how to look up a fingerprint. For example, if my key fingerprint is 5150 9442 00FE 3099 4CA8 D2EA E639 859C 2BE0 2E05, how do I look that up? It turns out to be simple: take the last eight characters (2BE02E05), prepend 0x, and search.

So my workflow was:

gpg2 --search-keys 0x2be02e05 # and import
caff -R --key-file ~/.gnupg/pubring.gpg 0x2be02e05 # and follow steps

Of course, be sure that the fingerprint matches, and that you’ve validated the person’s identity in real life before signing. Once you run caff, it will have you sign the key and email it to each address on file.
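The workflow above searches by the last eight hex digits of the fingerprint. That short 32-bit ID is fine as a search handle, but it is not unique: unrelated keys can share it, so the step that matters is comparing the full fingerprint in your keyring against the one on the paper list before caff signs anything. The following POSIX shell helpers, added here as an example (not code from the post, nor from caff or GnuPG), derive the search handle from a full fingerprint and check that exactly one imported key carries that fingerprint. Only verify_imported_key needs gpg2 on the PATH (assumed); the function names are mine, and the fingerprint in the usage comment is the post's own example.

```shell
#!/bin/sh
# Added example, not code from the original post or from caff/gpg.
# Derives the search handle the post uses from a full fingerprint and checks,
# after import, that the full fingerprint is really present in the keyring.
# Only verify_imported_key() needs gpg2 on PATH (assumed); the rest is pure sh.

# Strip the spaces gpg prints between fingerprint groups; upper-case the hex.
# Result is the 40-hex-digit form gpg uses internally.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Short 32-bit key ID, exactly as the post derives it: last eight hex digits
# (columns 33-40 of the 40-digit fingerprint) with 0x prepended. gpg accepts
# it in either case. Treat it only as a search handle: 32 bits is small
# enough that unrelated keys can share it.
short_keyid() {
  printf '0x%s' "$(normalize_fpr "$1" | cut -c 33-40)"
}

# Long 64-bit key ID (last sixteen hex digits); the form gpg itself prefers.
long_keyid() {
  printf '0x%s' "$(normalize_fpr "$1" | cut -c 25-40)"
}

# Count keys in gpg --with-colons output (stdin) whose fingerprint equals $1.
# In colon format the fingerprint is field 10 of each "fpr" record.
count_fpr_in_colons() {
  awk -F: -v want="$(normalize_fpr "$1")" \
    '$1 == "fpr" && $10 == want { n++ } END { print n + 0 }'
}

# Succeed only if the keyring holds exactly one key with this full fingerprint.
# gpg is asked for everything matching the short ID, so an ambiguous or wrong
# import shows up here rather than at signing time.
verify_imported_key() {
  fpr=$(normalize_fpr "$1")
  n=$(gpg2 --batch --with-colons --fingerprint "$(short_keyid "$fpr")" 2>/dev/null \
        | count_fpr_in_colons "$fpr")
  [ "$n" -eq 1 ]
}

# The post's workflow with the verification step inserted (fingerprint taken
# from the post's own example):
#   FPR='5150 9442 00FE 3099 4CA8 D2EA E639 859C 2BE0 2E05'
#   gpg2 --search-keys "$(short_keyid "$FPR")"
#   verify_imported_key "$FPR" \
#     && caff -R --key-file ~/.gnupg/pubring.gpg "$(long_keyid "$FPR")"
```

Passing the long ID to caff narrows the key selection further; the decision to sign still rests on the full fingerprint having been read off the verified list and matched by verify_imported_key.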

Other stuff

Typing Accented Characters on Fedora 20

Being an American, I have long tended to ignore accent marks on characters from other languages, assuming they are unimportant and mostly decorative. No need to be all fancy and type résumé when “resume” works.

That ended when I tried to show off my Spanish around New Year’s, wishing someone online a “feliz ano nuevo,” only to learn that I had wished them a “happy new anus”. It turns out that the accent mark is quite important in differentiating “ano” (Spanish for ‘anus’) from “año” (Spanish for “year”). Ever since, I’ve accepted that, while more difficult to type, it’s important to use the right characters.

I’m now taking Czech lessons at work, and wish to make sure that I don’t embarrass myself again. The Czech language has a lot of accented characters. But switching to the Czech keyboard layout is awfully confusing.

Thanks to Tomas for introducing me to the concept of the “Compose” key in Linux, allowing you to type Compose, ', and a to get á. The ‘Compose’ key can be mapped to any modifier key. But it’s hard to find documentation.

To enable the Compose key on Fedora 20 (in GNOME): Open the Settings menu and select ‘Keyboard’. From the Shortcut tab, find ‘Typing’, and you can now choose a key to map the Compose Key to.

Fedora 20 Compose Key

I chose the right Alt key, because I don’t use it.

To use it: Press your Compose key and release it. (You don’t have to hold it down.) Press a key corresponding to the accent, then the letter it should go over. For example, ñ is Compose, “~”, then “n”.

Here is an exhaustive list of possible characters, but here is a quick list of some common modifiers:

  • ~ will do a tilde over the character, as in ñ.
  • ' (single quote, next to Enter) will do a right-leaning (acute) accent, as in á
  • ` (backtick, below Escape) will do a left-leaning (grave) accent, as in è
  • c will do a caron (as it is apparently called?), as in ž
  • " (double quote) will do an umlaut, as in ü
  • , (comma) will do a cedilla, as in ç
  • <, 3 will form a heart (♥) — remember you need shift when typing the <

Remember, you don’t have to hold down the Compose key. Just tap it, then type the next character. I keep forgetting this and doing weird gymnastics trying to type.

There are many more characters you can type, like ə, Đ, ç, ø, plus some currency signs and numeric super/subscripts, but I’ll let you view the full list to find them.

Now, typing čeština is easy! Understanding it will still be a long battle for me, but I can type it!

Zalman VE400 Review

I thought I’d post about the Zalman VE400 I’ve been using for a while now. The basic idea is that it’s a USB disk enclosure for a 2.5″ drive, but with a twist—it has a small LCD and keypad on the front, allowing you to create a directory of .iso files and pick one to export as a virtual CD/DVD. (It also supports some sort of hardware encryption, which I haven’t tried.)

Zalman VE400 (behind Dell C6100)

I bought mine, along with a 120GB SSD. Installing the drive is quite easy. Just remove a couple screws on the enclosure, slide the disk into place (it’s literally that easy), and put it back together.

Rather than an extended narrative, I’ll do bullet points for the pros and cons.

Pros

  • The virtual ISO feature. I bought it just for this. I use it all the time. It saves me from burning a ton of DVDs. I can plug it into a system, select an ISO file on the screen, and have the machine see a USB CD/DVD drive appear with that. And, since it’s on an SSD and connected via USB 3, it feels much faster than a normal CD/DVD would.
  • You can use it as a normal hard drive, too. The ISOs go into a folder named _iso, and the rest is yours to use. You can select to present the thing as a CD/DVD-only, hard drive only, or both. (In which case it shows up as two devices.)

Cons

Where to start…

  • The thing requires that it be formatted as NTFS to work. (They do have some firmware available that might allow the use of FAT instead, but it certainly doesn’t ship that way.) I have a Mac and several Linux machines, neither of which have native NTFS support. (For the record, getting NTFS write working on Linux is significantly easier than on a Mac.)
  • The thing is fairly intolerant of filesystem fragmentation. I thought NTFS was supposed to somewhat reduce the impact of fragmentation. And I have an SSD inside, which doesn’t exactly suffer from fragmentation, since seeks are practically free. But after filling this thing 2/3 of the way, I started getting an error, “>> DEFRAG <<”, whenever I tried to mount the latest ISO file. There is no documentation that seems to cover this, but it was clear what I had to do—defragment my solid-state drive, running NTFS, through Linux. (The “solution” to this, BTW, is to copy everything off of the drive, reformat it as a new NTFS filesystem, and copy everything back.) It was simply incapable of reading the fragmented ISO.
  • The keypad. Why, oh why, did they think having it be a flat piece of plastic was a good idea? It looks ugly, and it works poorly. The NewEgg reviews are full of complaints about the keypad not working. Mine works, but there’s zero tactile feedback, so you have to watch and see if the key registers. It’s just a horrible idea.
  • There’s practically no documentation. Requires NTFS? Needs defragmentation? I got to figure those things out on my own or from others on the Internet.
  • Firmware updates require Windows to install, so I have no means of applying them.

Zalman VE400 showing selected ISO

Summary

I gave this a 3-star rating on NewEgg, where the average rating is 2 stars. My opinion has not improved.

However, I would buy this again if I lost it. Despite its many flaws and quirks, I have yet to find anything else that offers the same functionality.