McAfee MEJCAE-AM-DA Product Guide - Page 49

Checking a key’s validity, Viewing signatures on a key



E-Business Server 8.6 Product Guide, page 47
Working with Digital Signatures
Validity and trust
Checking a key’s validity
Viewing signatures on a key
To view the signatures on a key, use the --key-list option with the --with-sigs modifier. E-Business Server displays all the keys on your keyring and then, for each key, the signatures on the key. It also displays the level of trust you have in each key and its validity, and verifies the signatures.
ebs --key-list --with-sigs
E-Business Server lists the keys on your keyring with the signatures for each key. The signatures are represented with "sig" in the Type column.
For more information on the variations of the --key-list option, see Viewing your keys on page 28.
Getting more information about signatures on a key
You may want to display information about a signature on a key, such as the signature's creation date or expiration date. Use the --sig-detail option with the --signer modifier to list information about a signature on a key.
ebs --sig-detail <userID> --signer <userID of signing key>
For example, if there is a signature belonging to David Gibson on Odette Richards' key, you can view information about David's signature by entering the following command:
ebs --sig-detail "Odette Richards" --signer "David Gibson"
E-Business Server displays information about David's signature.
Viewing a key's fingerprint
You can check that a certificate is genuine by calling the key's owner (so that you, not a possible impostor, initiate the call), asking the owner to read his or her key's fingerprint to you, and verifying that fingerprint against the one on the copy you hold.
To do so, both you and the key's owner use the --key-detail option to view the key's fingerprint:
ebs --key-detail <userID> [--fingerprint-view hex|words]
This command instructs E-Business Server to display the key together with its fingerprint, a 40-hex-digit (160-bit) digest of the public key components (RSA Legacy keys have 32-hex-digit, 128-bit fingerprints). Read the fingerprint to the key's owner to see if the fingerprints match. Compare every group of the fingerprint, not just the first or last few; a fingerprint that agrees only partially is a mismatch.
Using this procedure, you can verify and sign each other's keys with confidence. This is a safe and convenient way to get the key trust network started for your circle of friends.
Note that sending a key fingerprint via email is not the best way to verify the key, because email can be intercepted and modified. It is best to use a different channel than the one that was used to send the key itself. A good combination is to send the key via email and verify the key fingerprint via a voice telephone conversation. Some people even distribute their key fingerprint on their business cards.
The default format of a fingerprint view is a hexadecimal display. If you would prefer to display the fingerprint as a word list, set the --fingerprint-view option to words. This can also be set in the E-Business Server configuration file.
The word list is made up of special authentication words that E-Business Server uses; they are carefully selected to be phonetically distinct and easy to understand without phonetic ambiguity.
The word list serves a similar purpose as the military alphabet, which allows pilots to convey information distinctly over a noisy radio channel. If you'd like to know more about the word hash technique and view the word list, see Biometric Word Lists.
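The fingerprint procedure above, as an added example that is not part of the E-Business Server product or this guide. It builds an OpenPGP version 4 RSA public-key packet and derives the 40-hex-digit fingerprint (SHA-1, as RFC 4880 section 12.2 specifies) and the 32-hex-digit version 3 fingerprint (MD5 over the key material, which is assumed here to be what this guide calls an RSA Legacy key); it then renders the result for reading aloud, shows the even/odd word-list alternation, and compares what the owner read back with the local copy. The key values are constructed for the example and are not a real key, and the two word lists are placeholders for the real 512-word list.

```python
# Added example (not E-Business Server code). Builds an OpenPGP v4 RSA
# public-key packet body, derives the 40-hex-digit v4 fingerprint and the
# 32-hex-digit legacy (v3) fingerprint per RFC 4880 section 12.2, renders the
# result for reading aloud, and compares what the owner read back with the
# local copy. The key material below is constructed for the example; it is not
# a real key.
import hashlib
import re
import struct

# Constructed sample key: a small, deliberately non-real RSA modulus/exponent.
SAMPLE_N = 0xC0FFEE_1234_5678_9ABC_DEF0_1122_3344_5566_7788_99AA_BBCC_DDEE_FF01_2345
SAMPLE_E = 65537
SAMPLE_CREATED = 1_000_000_000  # key creation time, seconds since the epoch


def mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    magnitude = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + magnitude


def v4_public_key_body(n: int, e: int, created: int) -> bytes:
    """Version 4 RSA public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(n: int, e: int, created: int) -> str:
    """40 hex digits: SHA-1 over 0x99, the 2-byte body length, and the body."""
    body = v4_public_key_body(n, e, created)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def v3_legacy_fingerprint(n: int, e: int) -> str:
    """32 hex digits: MD5 over the raw magnitudes of n and e (no MPI headers), the v3 format."""
    return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).hexdigest().upper()


def group_hex(fingerprint: str, width: int = 4) -> str:
    """Space-separated groups, the way a fingerprint is displayed and read out."""
    return " ".join(fingerprint[i:i + width] for i in range(0, len(fingerprint), width))


# Placeholder word lists (assumption: stand-ins for the real list). The real
# PGP word list has 256 two-syllable words for even byte offsets and 256
# three-syllable words for odd offsets; substitute it here for the genuine view.
EVEN_WORDS = [f"even{i:02x}" for i in range(256)]
ODD_WORDS = [f"odd{i:02x}" for i in range(256)]


def to_word_list(fingerprint: str, even=EVEN_WORDS, odd=ODD_WORDS) -> str:
    """Alternate the two lists by byte offset, so a dropped or swapped byte is audible."""
    raw = bytes.fromhex(fingerprint)
    return " ".join((even if i % 2 == 0 else odd)[b] for i, b in enumerate(raw))


def normalize(spoken: str) -> str:
    """Strip grouping spaces, dashes and case from a fingerprint read over the phone."""
    return re.sub(r"[^0-9A-F]", "", spoken.upper())


def fingerprints_match(local: str, spoken: str) -> bool:
    """True only if every hex digit matches; prefix or suffix agreement is not enough."""
    a, b = normalize(local), normalize(spoken)
    return len(a) in (32, 40) and a == b


if __name__ == "__main__":
    fp = v4_fingerprint(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    print("hex   :", group_hex(fp))
    print("words :", to_word_list(fp))
    print("legacy:", group_hex(v3_legacy_fingerprint(SAMPLE_N, SAMPLE_E)))
    # The owner reads the fingerprint back in lower case with different grouping.
    print("match :", fingerprints_match(fp, group_hex(fp.lower(), 2)))
```

The comparison deliberately rejects a partial match: an attacker who can generate a key whose fingerprint shares its first or last group with the genuine one only needs the verifier to be lazy. The word-list view exists for the same reason the grouping does, to make a whole-fingerprint comparison over a voice channel practical.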
Granting trust for key validations
Trust is confidence in another person's ability to validate a key. If you designate someone a trusted introducer, then all keys validated by the trusted introducer are considered to be valid to you.
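The trusted-introducer rule above, as an added example that is not E-Business Server code. It models a keyring in which a key is valid to you if your own key signed it or if a trusted introducer signed it; it also applies the standard OpenPGP web-of-trust condition, not spelled out on this page, that the introducer's own key must be valid to you before its signatures count. The user IDs and signatures are constructed for the example.

```python
# Added example (not E-Business Server code): a minimal model of the validity
# rule for trusted introducers. A key is valid to you if your own key signed
# it, or if it carries a signature from a trusted introducer whose own key is
# valid to you. Names and signatures below are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Key:
    uid: str
    signers: set = field(default_factory=set)  # user IDs of the keys that signed this key


class Keyring:
    def __init__(self, my_uid: str):
        self.me = my_uid
        self.keys: dict = {}
        self.trusted_introducers: set = set()

    def add(self, uid: str, *signers: str) -> None:
        self.keys[uid] = Key(uid, set(signers))

    def trust(self, uid: str) -> None:
        """Designate uid a trusted introducer: its signatures confer validity."""
        self.trusted_introducers.add(uid)

    def is_valid(self, uid: str, _seen: frozenset = frozenset()) -> bool:
        if uid == self.me:
            return True                      # your own key is valid by definition
        key = self.keys.get(uid)
        if key is None or uid in _seen:
            return False                     # unknown key, or a signature cycle
        seen = _seen | {uid}
        for signer in key.signers:
            if signer == self.me:
                return True                  # you signed it yourself
            # A trusted introducer only counts if its own key is valid to you.
            if signer in self.trusted_introducers and self.is_valid(signer, seen):
                return True
        return False


def build_sample_ring() -> Keyring:
    """Constructed keyring: who signed whom, and who you chose to trust."""
    ring = Keyring("me")
    ring.add("alice", "me")            # you checked Alice's fingerprint and signed her key
    ring.add("bob", "alice")           # Alice signed Bob
    ring.add("carol", "bob")           # Bob signed Carol; Bob is not an introducer
    ring.add("eve", "mallory")         # nobody valid has signed Eve
    ring.add("mallory", "eve")         # Eve signed Mallory (and Mallory signed Eve)
    ring.trust("alice")                # Alice is a trusted introducer
    ring.trust("eve")                  # Eve is marked trusted, but her key is not valid
    return ring


if __name__ == "__main__":
    ring = build_sample_ring()
    for uid in ("alice", "bob", "carol", "eve", "mallory"):
        print(f"{uid:8} valid={ring.is_valid(uid)}")
```

Bob's key is valid because Alice, a trusted introducer whose key you validated yourself, signed it; Carol's is not, because Bob is not an introducer. Mallory's key stays invalid even though Eve is marked trusted: trust in a key whose validity you never established confers nothing, which is why the fingerprint check comes before granting trust.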