From: W. Trevor King Date: Mon, 30 May 2011 19:44:23 +0000 (-0400) Subject: Add openpgp2pem section to Monkeysphere post. X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=558e08445e89de13cdbd88ef30e176cd1b890044;p=blog.git Add openpgp2pem section to Monkeysphere post. --- diff --git a/posts/Monkeysphere.mdwn b/posts/Monkeysphere.mdwn index 07e329b..a881f60 100644 --- a/posts/Monkeysphere.mdwn +++ b/posts/Monkeysphere.mdwn @@ -54,7 +54,7 @@ Maintaining a host SSH key Import a SSH key with $ monkeysphere-host import-key /path/to/secret/key ssh://server.example.net - ms: host key imported: + ms: host key imported: pub 2048R/01234567 2011-05-28 uid ssh://server.example.net OpenPGP fingerprint: 0123456789ABCDF0123456789ABCDF0123456789 @@ -119,10 +119,8 @@ Validating HTTPS connections ---------------------------- The OpenPGP side of this is similar to the SSH protocol, with public -keys for `https://server.example.net` etc. stored in your keyring. As -far as I can tell, there is currently no way to print the key -fingerprint for a given host (analagous to `sshfprs-for-userid`), but -there's a neat little server `msva-perl` that checks your trust in a +keys for `https://server.example.net` etc. stored in your keyring. +There's a neat little server `msva-perl` that checks your trust in a particular (*context*, *peer*, *PKC type*, *peer type*, *PKC data*) tuple (e.g. (`https`, `server.example.net`, `x509pem`, `server`, `cert.pem`)), which you can do by hand (via `msva-query-agent`). 
@@ -130,6 +128,23 @@ There's also a XUL extension (works in Firefox and related tools) that uses the `msva` server to validate HTTPS connections automatically. Nice. +If you don't want to use the the validation agent and plugin, you can +verify keys by hand using `openpgp2pem` (this patch has not yet been +accepted upstream). + + $ gpg --export 'https://server.example.net' | openpgp2pem | openssl rsa -in /dev/stdin -pubin -text + Public-Key: (1024 bit) + Modulus: + 00:ae:0b:... + Exponent: 65537 (0x10001) + writing RSA key + -----BEGIN PUBLIC KEY----- + ... + -----END PUBLIC KEY----- + +Compare the modulus and exponent with those listed for the public key +offered by the target server. + Packages --------
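Review bot: the first hunk (`ms: host key imported:`) only strips trailing whitespace from a quoted output line and has nothing to do with the openpgp2pem subject; either mention the whitespace cleanup in the commit message or split it into its own commit so this diff stays focused on the new section.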
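Review bot: the second hunk drops the sentence "there is currently no way to print the key fingerprint for a given host (analagous to `sshfprs-for-userid`)" without a replacement, yet the openpgp2pem section added later compares the RSA modulus and exponent, not an OpenPGP fingerprint, so the observation about fingerprints still appears to hold; keep a shortened version of it, or say explicitly that the manual modulus check is the workaround for the missing fingerprint command.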
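Review bot: in the third hunk the closing instruction "Compare the modulus and exponent with those listed for the public key offered by the target server" never says how to obtain the server's values, and the `openssl rsa -in /dev/stdin -pubin -text` invocation also re-emits the PEM block (`writing RSA key` and the `-----BEGIN PUBLIC KEY-----` lines) that the comparison does not use. Suggest adding `-noout` to the `openssl rsa` call, and showing the server side in the same `-text` layout so the two can be compared line by line, e.g. `openssl s_client -connect server.example.net:443 </dev/null 2>/dev/null | openssl x509 -noout -pubkey | openssl rsa -pubin -noout -text`; note also that `gpg --export 'https://server.example.net'` exports every key whose user ID matches that string, so the text should state that exactly one key is expected. Minor: "the the validation agent" has a doubled word, and "(this patch has not yet been accepted upstream)" should link to where the openpgp2pem patch can be found so readers can actually run the command.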