Marble Horse Free Software Group
Key Generation and Management Procedures

Members of the Marble Horse Free Software Group (MHFSG) use the following procedures to create their DSA/ElGamal key pairs with GNU Privacy Guard. This procedure is posted to help others identify keys that claim to belong to MHFSG members but clearly do not, and to demonstrate the standard of care the MHFSG applies in its handling of cryptographic technology.

Only members of the MHFSG should use this procedure verbatim when creating keys. Non-members are welcome to adapt it to their own needs (we do ask that you omit the '[MH]' tag from your key information; we use this tag to identify MHFSG member keys more easily).


Acquiring GNU Privacy Guard

Key generation will be performed on a platform supported by GNU Privacy Guard (unsupported architectures and operating systems will not be used for key generation). Sources or binaries shall be obtained from a trusted source, such as the primary GNU Privacy Guard distribution site (http://www.gnupg.org), and validated against the provided cryptographic signatures and hashes before use. Because a signature proves no more than the signing key does, the GnuPG release-signing key should itself be obtained through a channel independent of the download site. Recent versions of GNU Privacy Guard will be used.


Security of Build System

In the event that GNU Privacy Guard is built from source, the build will occur on a reasonably secure system using a proven toolchain. All tests shipped with the source (e.g. make check) will be run to verify proper program function before the binary is used for key generation.


Generation of Key Pair

Key generation will be performed interactively. MHFSG members follow these 13 steps in generating their keys (the prompts described are those of the GnuPG releases current when this page was written; later releases reword some prompts and default to larger keys, but the checks in steps 12 and 13 apply unchanged):

1. Execute the following command from the command-line:
gpg --gen-key

2. Select option 1 to generate both DSA and ElGamal keys.

3. Specify a keysize of 1024 bits. (This was the GnuPG default when this page was written; 1024-bit DSA is below what current guidance considers adequate, and later GnuPG releases default to larger keys.)

4. Specify key expiration period of 0 (key does not expire).

5. Specify 'y' (yes, this is correct).

6. Enter full name. Include middle initial only if you normally include your middle initial on official documents and in your written signature (example: John Doe or John Q. Doe).

7. Do not enter an e-mail address.

8. Specify as a comment the following three pieces of information (in this order): common nickname (IRC handle or similar), the tag '[MH]', and a statement of your current citizenship status (example: "Johnny [MH] Citizen of the United States of America").

9. Verify information is correct, then select 'O' (Okay).

10. Enter a secure passphrase (one you can remember). Enter the same passphrase a second time. Do not write this passphrase down or store this passphrase by insecure methods.

11. GNU Privacy Guard may prompt you to type some keystrokes or move the mouse so that it can gather additional random bits for the key. Once key generation has completed, you will see the message "public and secret key created and signed."

12. To verify that your secret key and public key fingerprints match, run the following two commands and compare their output:

gpg --fingerprint --list-secret-keys

gpg --fingerprint --list-keys

13. To verify your public key is self-signed, perform the following command and verify there is a 'sig' line with the same key ID as the 'pub' line:

gpg --list-sigs
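The checks in steps 12 and 13, together with the properties fixed by steps 2 through 8, can be automated against the machine-readable listings that gpg prints with --with-colons. The script below is an added example, not MHFSG code; it assumes the reviewer has captured three listings for the key under review (gpg --with-colons --fingerprint --list-keys, the same with --list-secret-keys, and gpg --with-colons --list-sigs, each given the key ID), and the sample listings embedded in it are constructed placeholders, not a real key. Members who examine a newly created key before it is posted to keyservers can run the same script on the real listings.

```python
"""Conformance check for a key made by the MHFSG procedure, driven by the
machine-readable listings that gpg prints with --with-colons.

Added example, not MHFSG code. It assumes the reviewer has captured, for
the key under review:

    gpg --with-colons --fingerprint --list-keys        {key ID}
    gpg --with-colons --fingerprint --list-secret-keys {key ID}
    gpg --with-colons --list-sigs                      {key ID}

The listings below are constructed to resemble such output; the key IDs,
fingerprints and the person named in them are placeholders, not a real key.
Field layout follows gpg's doc/DETAILS (fields are 1-based there).
"""
import re

DSA, ELGAMAL_ENCRYPT = 17, 16   # OpenPGP public-key algorithm numbers
MH_TAG = "[MH]"

# Constructed sample for a conforming key.
UID = "John Q. Doe (Johnny [MH] Citizen of the United States of America)"
FPR = "AAAA1111BBBB2222CCCC33330123456789ABCDEF"   # placeholder fingerprint
PUB_LISTING = f"""\
pub:u:1024:17:0123456789ABCDEF:967075200:::u:::scESC:
fpr:::::::::{FPR}:
uid:u::::967075200::0000000000000000000000000000000000000000::{UID}:
sub:u:1024:16:FEDCBA9876543210:967075200::::::e:
fpr:::::::::DDDD4444EEEE5555FFFF6666FEDCBA9876543210:
"""
SEC_LISTING = f"""\
sec:u:1024:17:0123456789ABCDEF:967075200:::u:::scESC:
fpr:::::::::{FPR}:
uid:u::::967075200::0000000000000000000000000000000000000000::{UID}:
ssb:u:1024:16:FEDCBA9876543210:967075200::::::e:
"""
SIGS_LISTING = f"""\
pub:u:1024:17:0123456789ABCDEF:967075200:::u:::scESC:
uid:u::::967075200::0000000000000000000000000000000000000000::{UID}:
sig:::17:0123456789ABCDEF:967075200::::{UID}:13x:
sub:u:1024:16:FEDCBA9876543210:967075200::::::e:
sig:::17:0123456789ABCDEF:967075200::::{UID}:18x:
"""
# Constructed non-conforming variant: expiring key, e-mail in the UID, no [MH] tag.
BAD_PUB_LISTING = f"""\
pub:u:1024:17:0123456789ABCDEF:967075200:1030000000::u:::scESC:
fpr:::::::::{FPR}:
uid:u::::967075200::0000000000000000000000000000000000000000::John Q. Doe <jdoe@example.org>:
sub:u:1024:16:FEDCBA9876543210:967075200::::::e:
"""


def parse_colons(text):
    """Split --with-colons output into (record type, fields) pairs."""
    return [(line.split(":")[0], line.split(":")) for line in text.splitlines() if line]


def primary(recs, kind):
    """Return the first 'pub' or 'sec' record and the fingerprint (fpr field 10) that follows it."""
    for i, (rtype, fields) in enumerate(recs):
        if rtype == kind:
            fpr = next((g[9] for t, g in recs[i + 1:] if t == "fpr"), None)
            return fields, fpr
    return None, None


def check_mhfsg_key(pub_listing, sec_listing, sigs_listing):
    """Return a list of deviations from the specification; an empty list means the key conforms."""
    pub_recs, sec_recs = parse_colons(pub_listing), parse_colons(sec_listing)
    pub, pub_fpr = primary(pub_recs, "pub")
    sec, sec_fpr = primary(sec_recs, "sec")
    if pub is None or sec is None or pub_fpr is None or sec_fpr is None:
        return ["missing pub/sec record or fingerprint (listings need --fingerprint)"]
    findings = []
    if pub_fpr != sec_fpr:                                   # step 12
        findings.append("public and secret key fingerprints differ")
    if int(pub[3]) != DSA or int(pub[2]) != 1024:            # steps 2-3
        findings.append(f"primary key is algorithm {pub[3]}, {pub[2]} bits; spec is DSA 1024")
    if pub[6]:                                               # step 4: field 7 is the expiry
        findings.append("primary key has an expiration date")
    if not any(int(f[3]) == ELGAMAL_ENCRYPT for t, f in pub_recs if t == "sub"):
        findings.append("no ElGamal encryption subkey")      # step 2
    uids = [f[9] for t, f in pub_recs if t == "uid"]
    if len(uids) != 1:                                       # steps 6-8: one user ID
        findings.append(f"expected exactly one user ID, found {len(uids)}")
    for uid in uids:
        if "<" in uid or "@" in uid:                         # step 7
            findings.append("user ID carries an e-mail address")
        comment = re.search(r"\(([^)]*)\)", uid)             # step 8: comment in parentheses
        if comment is None or MH_TAG not in comment.group(1):
            findings.append("comment lacks the [MH] tag")
    signers = {f[4] for t, f in parse_colons(sigs_listing) if t == "sig"}
    if pub[4] not in signers:                                # step 13: self-signature
        findings.append("no self-signature from the primary key")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:   # paths to the three captured listings, in the order above
        listings = [open(p).read() for p in sys.argv[1:]]
    else:
        listings = [PUB_LISTING, SEC_LISTING, SIGS_LISTING]
    problems = check_mhfsg_key(*listings)
    print("key conforms to the MHFSG specification" if not problems else "\n".join(problems))
```

Run with no arguments to check the embedded sample, or pass the three captured listing files in the order given in the docstring. The self-signature test looks for any sig record made by the primary key ID, which is exactly what step 13 asks a human to find in the --list-sigs output.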


Generation of Key Revocation Certificates

Prior to real use of MHFSG member keys, the member shall generate and securely store a Key Revocation Certificate (KRC). A Key Revocation Certificate marks a key as revoked, for example because it has been compromised, lost, or superseded. It must be generated in advance: generating a KRC requires the secret key and its passphrase, and a KRC is most often needed precisely when the secret key or passphrase has been lost.

Key Revocation Certificates shall be generated on a reasonably secure machine. The KRC file shall be printed and sealed in an envelope, and the envelope placed in a physically secure location; anyone holding a KRC can revoke the key, so it is treated as sensitive material. After the KRC has been printed, the KRC file shall be destroyed.

The following procedure shall be used for the generation of a Key Revocation Certificate. Further expected processing of this certificate has been discussed in the prior section and shall be omitted from this procedure.

1. Change directory to your home directory or other secure directory.

2. Obtain and note your key ID using the following command:

gpg --list-keys

3. Execute the following command on the command-line:

gpg -a --gen-revoke {Key ID} > KRC

4. Verify you have selected the correct key and enter 'yes' to generate a KRC.

5. Enter passphrase.

6. A KRC has been generated and written to the file 'KRC'. Process this file as described above (print, seal, store), then remove it.


Key Backup Procedures

Backup procedures for both public and secret keys are left to the discretion of individual MHFSG members. All members are expected to have at least one backup of their secret key on durable medium (such as CD-ROM). All backups are to be stored in physically secure locations.


Notification of MHFSG Members of New Key Availability

After key generation, key revocation certificate generation (and processing), and secret key backup, the keyholder shall notify other MHFSG members of the existence of the new key, so that it may be added to their keyrings and updated information may be placed on the MHFSG website. This notification should occur through standard online means, such as e-mail and IRC, and may also occur via telephone or postal mail as needed.


Posting of Keys to Public Key Servers

After one or more other MHFSG members have examined your key and determined that it has been created properly according to this specification, it should be posted to the wwwkeys.pgp.net and www.keyserver.net public key servers. Posting your key to keyservers propagates it across the keyserver network, which makes it harder for a single server outage or tampered server to deny others access to your key or otherwise damage the public key infrastructure, and gives others a simple way to obtain it.

The following procedure may be used in posting your keys to a public key server (substitute the name of the desired keyserver for '{keyserver}'):

1. Obtain and note your key ID using the following command:
gpg --list-keys

2. Post your key to the keyserver using the following command:

gpg --keyserver {keyserver} --send-keys {key ID}

3. After approximately 48 hours, verify that the keyserver has received your key and propagated it to other keyservers, for example by looking your key ID up on a keyserver other than the one you sent it to. Resend to keyservers as needed.


Key Recovery

The members of the Marble Horse Free Software Group do not use the key recovery features of PGP and GNU Privacy Guard. As a result, our keys do not contain Additional Decryption Keys (ADKs).


Administrative Contact

Questions or concerns regarding these procedures should be directed to Jacob Moorman at

Last updated: 2000AUG24JM01



Content Copyright (c) 1999-2001 Marble Horse Free Software Group.
All trademarks are property of their respective owners.