Big Lumber PGP key listing

Created by Steven Baltakatei Sandoval on 2021-06-29T19:30+00 under a CC BY-SA 4.0 (🅭🅯🄎4.0) license and last updated on 2023-06-03T12:14+00.

Edit (2023-03-04T14:17+00): Updated ikiwiki blog repository URL.

Update(2023-06-03): Add reboil.com wiki links.

Summary

I updated my PGP key listing on Big Lumber.

pub   rsa4096/0xA0A295ABDC3469C9 2017-10-11 [C] [expires: 2022-07-08]
      Key fingerprint = 3457 A265 922A 1F38 39DB  0264 A0A2 95AB DC34 69C9
uid                   [ultimate] Steven Sandoval <baltakatei@gmail.com>

Background

Key origin

In 2017, past-me created an OpenPGP key using GnuPG. It is an rsa4096 key which, at the time, I understood to be the recommended method for signatures used to sign software like Debian.

I intended to create a long-term method of asserting my identity to others in a decentralized fashion. Since then, I've learned of other tools (e.g. minisign) whose advertised value is based on their narrower application scopes and simplicity (see "Complexity is the worst enemy of security"). However, the effort required to maintain my PGP key is relatively minimal. I just have to use it. Anyone interested in verifying digital signatures for files I create/modify can do so with the appropriate software. That's the beauty of software designed with decentralization in mind. You can download the git repository of this blog and use git (currently git version 2.20.1) to evaluate the digital signatures indicating that I composed this message. I'm aware of cryptography people who have opinions and would probably try to sway me to use some other scheme, but what I have works.

Example use-case in fiction

Basically, past-me wanted the ability to establish a secure remote communication channel with someone who I might only be able to meet in-person for a very short period of time. I loved seeing this scenario portrayed in one of my favorite books, Anathem by Neal Stephenson. In the quote below, the narrator and his colleagues are being collected into a vehicle by military personnel in order to evacuate following a disastrous event. They have only a matter of minutes before they are physically separated for possibly a very long time. One friend, an Ita named Sammann, plays the role of information technology consultant.

A young female Ita came in, followed by a very old male one. They stood around Sammann for a few minutes, reciting numbers to one another. I fancied that we were going to have three Ita in our cell, but then the two visitors walked off the coach and we did not see them again.

The narrator does not explicitly explain what occurred, but I infer that Sammann performed a public key signing party with the help of some voice recording device. All that is necessary is that a person record a key fingerprint (consisting of a large number) and remember who gave them that number.

Current usage

My PGP key uses rsa4096, which produces prime-number signatures that are bulkier than elliptic curve signatures, but they satisfy my need to sign my blog posts. I occasionally use it to encrypt files, but for regular backups produced by bash scripts running on small devices (e.g. my personal time server, my environmental sensors) I run age (pronounced "ah-gay").

My signed blog posts are currently my primary method for maintaining my digital identity under my terms. Additionally, I publish this blog under the reboil.com domain, which I own; I make use of the fact that domain name space is a limited resource, especially for .com top-level domains. If anyone wanted to impersonate me to someone aware that I used reboil.com, they'd have to take over that domain somehow. Also, the Internet Archive would hopefully keep my blog post history occasionally secured.

Big Lumber key upload

One auxiliary function of PGP keys is to sign the PGP keys of other people who may be interested in establishing their own digital identity. Due to the COVID-19 pandemic I have not wanted to risk attending Linux conferences to try and meet others to do so.

However, if someone wanted to meet me, they could invite me to sign their PGP key. I'd be willing to have lunch or something. For that possibility, I am creating an entry on Big Lumber, an older website used by people interested in meeting other people to sign keys. I live in the area of Vancouver, Washington.

I'm adding a link to this blog post in my new listing. Like previous listings, I am setting an expiry date at the end of this year. I'll make another listing in 2021.

Using my key

The rest of this blog post is optional reading.

I will illustrate one use case for my public key: verifying that this blog post was signed by my public key.

Importing

If you want to import my minimal public key to your GNU/Linux systems, save the .asc file at this link to baltakatei.asc and then run:

$ cat baltakatei.asc | gpg --import

My current version of GnuPG is 2.2.12.

Verify Git commits

With Git version 2.20.1, and GnuPG 2.2.12, running the following commands will let you verify this website's git repository. This assumes you've imported my public key into gpg as described earlier.

$ git clone https://reboil.com/gitweb/BK-2020-08-1.git BK-2020-08-1
$ cd BK-2020-08-1
$ git submodule 
$ git log --show-signature

Note, the URL to this website's git repository should be located at the bottom of this page.

If git and gpg are playing nice, you should see text resembling the following:

commit cfbbabc7326257bd15ff06245b410c16bbf66a05 (HEAD -> master, origin/master, origin/HEAD)
gpg: Signature made Tue 29 Jun 2021 01:44:23 AM GMT
gpg:                using RSA key 38F96437C83AC88E28B7A95257DA57D9517E6F86
gpg: Good signature from "Steven Sandoval <baltakatei@gmail.com>" [ultimate]
Primary key fingerprint: 3457 A265 922A 1F38 39DB  0264 A0A2 95AB DC34 69C9
     Subkey fingerprint: 38F9 6437 C83A C88E 28B7  A952 57DA 57D9 517E 6F86
Author: Steven Baltakatei Sandoval <baltakatei@gmail.com>
Date:   2021-06-29T01:44:02+00:00

    chore(posts):sed replace baltakatei.com link (https -> http)

commit 0f280e02635f3607a95ce09e5eca6c96da302ef1
gpg: Signature made Tue 29 Jun 2021 01:36:30 AM GMT
gpg:                using RSA key 38F96437C83AC88E28B7A95257DA57D9517E6F86
gpg: Good signature from "Steven Sandoval <baltakatei@gmail.com>" [ultimate]
Primary key fingerprint: 3457 A265 922A 1F38 39DB  0264 A0A2 95AB DC34 69C9
     Subkey fingerprint: 38F9 6437 C83A C88E 28B7  A952 57DA 57D9 517E 6F86
Author: Steven Baltakatei Sandoval <baltakatei@gmail.com>
Date:   2021-06-29T01:36:10+00:00

    feat(posts:20210629):blog post about devoe thermo textbook

commit ba29902a9234e6bf3b84362b009fd3697580d088
gpg: Signature made Tue 29 Jun 2021 01:09:20 AM GMT
gpg:                using RSA key 38F96437C83AC88E28B7A95257DA57D9517E6F86
gpg: Good signature from "Steven Sandoval <baltakatei@gmail.com>" [ultimate]
Primary key fingerprint: 3457 A265 922A 1F38 39DB  0264 A0A2 95AB DC34 69C9
     Subkey fingerprint: 38F9 6437 C83A C88E 28B7  A952 57DA 57D9 517E 6F86
Author: Steven Baltakatei Sandoval <baltakatei@gmail.com>
Date:   2021-06-29T01:09:00+00:00

    chore(posts:20210618):Add updated PDF link to glyph hunt article
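
A "Good signature" line only says that some key in the local keyring verified the commit, so the useful check is that every commit's primary key fingerprint equals the one obtained from the listing at the top of this post. The following is an added example, not part of the original post, that applies that comparison to the output of `git log --format='%H %G? %GP'`; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Primary key fingerprint as printed in the post, with spaces removed.
PINNED_FPR="3457A265922A1F3839DB0264A0A295ABDC3469C9"

# Reads "<commit> <%G? status> <%GP primary key fingerprint>" lines on stdin.
# Prints one line per commit that fails the check; returns 1 if any did.
check_signed_log() {
    pinned=$1
    rc=0
    while read -r commit status fpr; do
        [ -n "$commit" ] || continue
        case $status in
            G|U)
                # Good signature. U means the key's validity is unknown to
                # the local trust database, so the fingerprint pin decides.
                if [ "$fpr" != "$pinned" ]; then
                    echo "WRONG-KEY $commit ${fpr:-none}"
                    rc=1
                fi ;;
            N)
                echo "UNSIGNED $commit"
                rc=1 ;;
            *)
                # B bad, E cannot check (key missing), X/Y expired, R revoked
                echo "BAD-STATUS($status) $commit"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input (not real commits from the repository):
# one commit signed by the pinned key, one unsigned, one signed by another key.
sample_log() {
    cat <<EOF
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa G $PINNED_FPR
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb N
cccccccccccccccccccccccccccccccccccccccc G 0000000000000000000000000000000000000000
EOF
}

# Usage inside the cloned repository:
#   git log --format='%H %G? %GP' | check_signed_log "$PINNED_FPR"
```
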