# [gardenbreak] 1: Put a face on

March 7, 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Sitting here with my carefully written triplicate hardcopies,
I feel more than a bit better. I back-of-envelope calculated
the bits of entropy in my old shallows-of-imagination
passphrase, and it came out to somewhere between 23 and 44
bits. Ouch.

Then I try to actually make the relevant move... And find I
can't bring myself to click the 'change passphrase' button.
All of human psychology rebels. This is my most intimate
connection to my computer, the secret only it and I know. The
thing I've told to it and to no human ever. And I mean to
wipe that away with an utterly impersonal text string? A
machine generated nonsense? Blasphemy! I won't even remember
it fully until I've used it for a week. I'll be tied to a
piece of paper, constantly afraid of losing that and all my
access with it.

*click*

**Plot 1: You are you.**
Not whoever you say you are, but... A crypto key. Just that.
Not an email address, not a face, not a URL, or a username.
Welcome to the wide wonderful world of PGP. (Not that it's
the only horse in this race, but out of the gate it's the
simplest way to get things working.) What you signed, you
wrote. Everything else is questionable. Normally this alone
is a rabbit hole of almost unbearable proportion for the
average user. But normally people attempt software
'integration' at a level that is frankly infeasible right
now. I'm taking a different tack, at least temporarily.

This seems like overkill, doesn't it? We're used to taking a
combination of acts-like-them and centralized authority to mean
identity online. But that means doing a big old "I here am me
there" dance for every occasion of platform drift and risking
impersonation at most turns. AND that the only verification
on what you post is the site authentication. Faked emails,
faked FB posts, apps we didn't remember authorizing, ... it's
not a small problem. Also I'm philosophically opposed to
'acts like them' as an identity measure, since it inhibits
change.

**Step 1: Rabbit, meet hole.**
Build a GPG key attached to a good passphrase. If you already
have a GPG key, any decent client should let you change the
passphrase. If you don't... I'm sorry, this will be an
annoying part.
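An added example, not from the original post, of the back-of-envelope entropy arithmetic above and of what "machine generated nonsense" means in practice: the entropy of a passphrase comes from the generation process (k uniform picks from a list of N items gives k*log2(N) bits), so a passphrase drawn with the OS CSPRNG from a known list has a known strength, while a human-chosen one only has a guessable upper bound. The wordlist and the 7776-entry Diceware size are assumptions used for illustration.

```python
import math
import secrets

# Constructed toy wordlist; a real passphrase should come from a full
# list (e.g. the 7776-word Diceware list). Only the list SIZE sets the
# entropy, not how the words look.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "hollow"]
DICEWARE_SIZE = 7776  # assumption: standard Diceware list size


def bits_per_pick(alphabet_size: int) -> float:
    """Entropy of one uniformly random pick from alphabet_size options."""
    return math.log2(alphabet_size)


def passphrase_bits(n_picks: int, alphabet_size: int) -> float:
    """Entropy of n_picks independent uniform picks: n * log2(N)."""
    return n_picks * bits_per_pick(alphabet_size)


def picks_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniform picks that reaches target_bits."""
    return math.ceil(target_bits / bits_per_pick(alphabet_size))


def human_upper_bound(passphrase: str, alphabet_size: int) -> float:
    """Upper bound for a human-chosen string: pretends every character was
    a uniform pick from alphabet_size symbols. Real choices (words, names,
    dates) sit far below this, which is why a 'long' passphrase can still
    be worth only a few dozen bits."""
    return passphrase_bits(len(passphrase), alphabet_size)


def generate_passphrase(wordlist, n_words: int) -> str:
    """Machine-generated passphrase using the OS CSPRNG (secrets), never
    random.choice, which is seeded predictably."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print("6 Diceware words:", round(passphrase_bits(6, DICEWARE_SIZE), 1), "bits")
    print("words for 80 bits:", picks_needed(80, DICEWARE_SIZE))
    print("8 lowercase chars, at best:", round(human_upper_bound("abcdefgh", 26), 1), "bits")
    print("generated (toy list):", generate_passphrase(SAMPLE_WORDS, 5))
```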

Go here: https://www.gnupg.org/
Linux: apt-get, yum install, or whatever you use to install 'gpg'.
Windows: install gpg4win

And I'm sorry, but it's probably going to be really annoying. I
don't have a nice answer to that. Take a deep breath and follow
tutorials; thankfully you only need to get as far as generating
a key.

Once you have a key, upload it to keybase.io. (And at least one
old-fashioned keyserver, but still, keybase is a good place
to start for this.) But do everyone a MUCH bigger favor and
**DO NOT put a private key on keybase.io**. Ever. Which also
means not using keybase to generate the key. Yes it's a neat
tool, and so very convenient, ... and it takes possession of your
private key data. Don't let it out. It should only touch
computers that are trusted to act as you, to speak as you.

So far so normal... This is the point at which most people talk
rabbit hole, and suddenly your entire infrastructure is one
giant headache of new problems, because you touched /mail/
and that always goes wrong. Besides, we want to deal easily
with crypto on /everything/, not just mail, and preferably
without hitting the command-line all the time. Or trusting
keybase.io with privkeys. I use enigmail, I like it fine, but:

I was looking for a seahorse-to-gedit plugin. And apparently
there used to be one, but... bitrot. So. Looks like for a
text editor that handles gpg operations relatively cleanly,
the choice atm is http://www.geany.org/ with geany-plugin-pg.
I like it better than fighting with a command-line or trying
to find plugins that work in Firefox for more than ten
minutes between website updates before someone gets tired of
trying to 'support' gmail. The plain old text input box never
changes. I can cut-paste just fine. So an editor that can
handle encrypt/decrypt/sign/verify is enough. Install, enable
plugin, click Tools->GeanyPG->Sign. Yay! (Turning on
Document->Linewrapping helps too.)

As much as I would love everything scripted and integrated and
pretty... This works. The requirement that every (large)
thing I write be signed as written by me can thus be covered.
(Although it temporarily won't be, realistically, because
iPad and Android need covering.) Making the results of that
non-ugly and taking care of signatures for smaller items
(like tweets) is another problem for another day.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----


[gardenbreak] 1: Put a face on - March 7, 2016 - Kim Reece