If the user's account status changes, the Faculty administration will automatically inform the user by email. In particular, notifications are automatically sent out about account creation (or renewal), impending account cancellation or account (un)blocking. To increase the credibility of these messages, the Faculty Administration signs them with its PGP key. On this page we describe how users can install the Faculty Administration's public key into their GnuPG and PGP key databases.
Notice
If you use PGP without a basic understanding of its mechanism, you will not increase the security or trustworthiness of your communications. On the contrary, you will expose your key to a high risk of misuse with all its consequences. It is safer not to use PGP at all than to use it badly. You can increase your knowledge of PGP, for example, by visiting the GnuPG project. You can also find much more information and links on the OpenPGP website.Faculty Administration Public Key
The Faculty Administration public key is available at https://fadmin.fi.muni.cz/noauth/fadmin_key.pub. The key will be transmitted over a secure connection, which limits the possibility of it being spoofed if you already have a trusted Faculty Administration SSL certificate installed. The public key fingerprint is:94A1 8BE2 DDB4 06CC 3D00 9DF9 E237 46F8 6D44 85C8
You can also verify the fingerprint over a secure connection at
https://fadmin.fi.muni.cz/noauth/fadmin_key.fpr You can also use an unsecured connection:
https://fadmin.fi.muni.cz/noauth/fadmin_key.pub
h ttps://fadmin.fi.muni.cz/noauth/fadmin_key.fpr
Installing the key in GnuPG
Download the public key to a local directory in the filefadmin_key.pub
and perform the following sequence of commands. Add the Faculty Administration key to your public key database.
$ gpg --import fadmin_key.pub
gpg: klíč 6D4485C8: veřejný klíč "Fakultní administrativa FI MU <fadminmBPe4l2jc@fi5_urRCqZM.muni79I-q69i4.cz
>" importován
gpg: Celkový počet zpracovaných klíčů: 1
gpg: importováno: 1
$ gpg --edit-key fadmin
Příkaz> fpr
pub 1024D/6D4485C8 2003-06-24 Fakultní administrativa FI MU <fadminT7i8yIhe4@fiCVqgj=Awu.muni5KJ4v5dX_.cz
>
Primární fingerprint klíče: 94A1 8BE2 DDB4 06CC 3D00 9DF9 E237 46F8 6D44 85C8
Příkaz> quit
Verify that the fingerprint of the key is the same as
above. If it is not, the key is either fraudulent or has been corrupted in transit. In this case, delete it immediately:
$ gpg --delete-key fadmin
Smazat tento klíč ze souboru klíčů? (a/N) a
If the fingerprint is correct, the key is already installed and GnuPG will use it to verify signatures from the Faculty Administration. However, after each verification, it will probably issue a warning that the key is not trusted. The trustworthiness of PGP keys is based on the so-called
Net
of Trust. You can either mark it as trusted or sign it with another trusted key. Here is how you mark a key as trusted for your own use, but do not allow anyone else to consider the Faculty Administration key trusted based on your trust. First, you must mark the public key of your secret key as trusted.
$ gpg --edit-key vas_klic
Tajný klíč je dostupný.
Příkaz> trust
Prosím rozhodněte, nakolik důvěřujete tomuto uživateli, že správně
verifikuje klíče jiných uživatelů (prohlédnutím cestovních pasů,
kontrolou fingerprintů z různých zdrojů...)?
1 = Nevím nebo neřeknu
2 = Nedůvěřuji
3 = Důvěřuji částečně
4 = Důvěřuji úplně
5 = Důvěřuji absolutně
m = zpět do hlavního menu
Vaše rozhodnutí? 5
Opravdu chcete nastavit pro tento klíč absolutní důvěru? (a/N) a
Příkaz> quit
Now sign the Faculty Administration key locally (for your own use - not exportable) with your secret key.
$ gpg --edit-key fadmin
Příkaz> lsign
Opravdu podepsat všechny id uživatele? (a/N) a
Podpis bude označen jako neexportovatelný.
Skutečně podepsat? (a/N) a
Musíte znát heslo, abyste odemknul(a) tajný klíč:
Příkaz> quit
Uložit změny? (a/N) a
Based on this signature, the Faculty Administration key will be considered trusted.
Installing the key in PGP
The procedure is very similar to using GnuPG. Due to the wider possibilities, we additionally recommend using GnuPG instead of PGP. Therefore, we will shorten the description in this section by adding some explanations that can be found in the previous section. Download the public key to a local directory in the filefadmin_key.pub
and add it to your public key database.
$ pgp -ka fadmin_key.pub
keyfile contains 1 new keys. Add these keys to keyring ? (Y/n) Y
$ pgp -kvc fadmin
Looking for user ID "fadmin".
Type bits keyID Date User ID
DSS 1024/1024 0x6D4485C8 2003/06/24 Fakultní administrativa FI MU <fadminORF0x2Gnd@fiZtrVwT9iF.muniRolsyvfos.cz
>
Key fingerprint = 94 A1 8B E2 DD B4 06 CC 3D 00 9D F9 E2 37 46 F8 6D 44 85 C8
Fakultní administrativa FI MU <fadminf3_Z=SHgd@fiYApLUsWe9.muni=HnS1=xUi.cz
>
1 matching key found.
Verify that the fingerprint written out is identical to the one
above. If it is not, delete the key immediately.
$ pgp -kr fadmin
Do you want to remove the whole key (y/N)? y
If the fingerprint is correct, the key is already installed and PGP will use it. However, it will probably not consider it trusted and will warn you every time it is used. There is only one general way we know of to mark a key as trusted in PGP: sign it with your own key.
Note: By signing a key, you are publicly stating your belief that the signed key actually belongs to the Faculty Administration - PGP does not allow you to sign a key locally only, so you may occasionally export this signature to a public keyserver. Only proceed to this step if you
really know you are signing the correct key.
$ pgp -ks fadmin
READ CAREFULLY: Based on your own direct first-hand knowledge, are
you absolutely certain that you are prepared to solemnly certify that
the above public key actually belongs to the user specified by the
above user ID (y/N)? y
You need a pass phrase to unlock your secret key.
Enter pass phrase:
Passphrase is good
Attach a regular expression to this signature, or
press enter for none:
Now the key is installed and PGP will consider it trusted.