Public Keys and Certs

This includes my PGP key and the Certificate Authority (CA) cert that I use to sign SSL certificates for some web servers.

My GPG Key

Download

[ pub.key ]

Copy and Paste

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.4 (GNU/Linux)
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=A2iR
-----END PGP PUBLIC KEY BLOCK-----


My CA cert

Some web servers have SSL but we haven't sprung for Thawte or Comodo or Verisign to sign the SSL keys. In this case, I've signed it as though I'm a CA. If you download and install the file below, your browser will stop complaining about those sites.

/!\ Please verify before installing. Installing a CA cert without verifying it is like publishing all your credit card numbers on the internet. Seriously.

/!\ /!\ Do you trust me? If you install my CA cert, you'd better. If I'm evil, I could impersonate your bank's web page and steal all your money. If I'm incompetent, I could let baddies steal my master key and then they could impersonate your bank's web page and steal all your money. No fooling.

How to Verify

Get a secure copy of the fingerprint

Because the goal of a CA cert is to verify that the person running a web server is who they say they are, you cannot trust a web server to tell you that a CA cert is correct. An email or FTP server is also not a good source of a fingerprint.

At the absolute minimum, a secure fingerprint should not come over any computer network, especially the internet. Getting the fingerprint from a human in person is probably the best way to get it. The level of assurance you require is up to you. Here are some options:

Copy off the student machines

We have installed my CA cert on the student machines. If you look in the settings of the web browsers on a student net machine, you'll find my CA cert. It's probably under 'SCCC' or 'Dylan's CA'. You can then view or examine the cert and copy the SHA1 fingerprint onto a piece of paper or a text file on removable media.

Do NOT email it to yourself. Someone could intercept and alter that email.

Here are the instructions for Firefox (I don't have IE, sorry!)

  1. Open the "Preferences" menu
  2. Select the "Advanced" section
  3. Click on the "Security" tab
  4. Click "View certificates"
  5. Click the "Authorities" tab
  6. Look for 'SCCC' in the list of Certificate Names
  7. Click "Dylan's CA"
  8. Click "View"
  9. Copy out the SHA1 fingerprint

Check the student lab

There should be a business card taped to the wall in the student lab with the SHA1 fingerprint on it. The student lab staff probably won't know about SSL and CA certs, but they should let you read the card on the wall. Take a digital photo with your phone if you don't want to copy out 40 hexadecimal digits.

Instructors and Staff Only

If you are an instructor or staff member, stop by my office. I can give you a card with the fingerprint on it. I can actually hand you the card, so that means you know 100% that the fingerprint is from me.

I also have one of the cards taped up outside my window.

Install the CA cert in your browser

I don't have IE (I'm running Linux here), but the steps should be similar.

  1. Click the link below
  2. Click on "view"
  3. Look at the SHA1 fingerprint and compare it with the non-electronic fingerprint.
  4. If the fingerprints DO NOT match, cancel everything and alert IT Services. That would indicate that hackers are taking over our web server and we'd like to know about that.
  5. If the fingerprints do match, continue installing the CA cert
  6. Close the "view" window
  7. Select "Trust this CA to identify web sites"
  8. Hit OK

Download

http://www.seattlecentral.edu/~dmartin/dylan_ca.crt
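
The comparison in step 3 can also be done on the downloaded file itself rather than in the browser's "view" window. The following is an added example, not part of the original page: it computes the SHA1 fingerprint of a cert file (PEM or DER) and compares it with a fingerprint typed in from the card. The function names are illustrative and the sample bytes are constructed stand-ins, not the real dylan_ca.crt.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given as PEM or raw DER."""
    m = PEM_RE.search(data)
    if m is None:
        return data  # no PEM armor: treat the input as DER already
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def sha1_fingerprint(data: bytes) -> str:
    """SHA1 over the DER encoding, shown as colon-separated hex pairs."""
    digest = hashlib.sha1(cert_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def normalise(written: str) -> str:
    """Reduce a hand-copied fingerprint to 40 lowercase hex digits."""
    digits = re.sub(r"[\s:]", "", written).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("a SHA1 fingerprint is exactly 40 hex digits")
    return digits


def matches(data: bytes, written: str) -> bool:
    """True only if the file's fingerprint equals the out-of-band copy."""
    return hmac.compare_digest(normalise(sha1_fingerprint(data)),
                               normalise(written))


# Constructed stand-in bytes, not a real certificate: the fingerprint is a
# hash of the file's DER bytes, so any byte string shows the comparison.
SAMPLE_DER = b"constructed placeholder, not dylan_ca.crt"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    card = sha1_fingerprint(SAMPLE_DER).lower().replace(":", " ")
    print(sha1_fingerprint(SAMPLE_PEM))
    print("install" if matches(SAMPLE_PEM, card) else "cancel and alert IT")
```

A miscopied fingerprint (wrong length or a non-hex character) raises an error instead of being reported as a mismatch, so a typo on your side is not mistaken for a tampered file.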

Public_Keys_and_Certs (last edited 2008-12-29 16:49:10 by dmartin)