-----BEGIN PGP SIGNED AND TIMESTAMPED WEB-PAGE-----

The PGP "How'd You Do That?" Page

Part IIB: How Do I Check A Web Page With Compound Signatures?


This part of the tutorial has to do with how to go about checking the signature on a web page if the web page has a compound signature. As we discussed in Part I, it is possible, although not common, for a "compound" signature to exist. A compound signature is a signed document (or in this case, web page) that is signed again, usually by a time stamping service. You might also run across a page that is signed by two authors, which would also make a compound signature. With two embedded signatures, one is "wrapping" the other: the second signer signs the first signer's signed text, signature and all. Note this doesn't apply to detached signatures, in which you'll have two separate signatures that verify the same page in separate files. (Check David Ross' PGP Page for a discussion of signing and verifying web pages with detached signatures.)

We'll be discussing verifying "compound" signatures which won't make a lick of sense unless you've completely understood how to verify single signatures. Or, to put it another way, if you skipped Part IIA of this tutorial (verifying a single signature), you're gonna be seriously lost. If so, go back to Part IIA, and when you've got that down, come on back.

How Do You Know That There's A Compound Signature Involved?

Presumably, whoever made the page will tell you so. (There should be some notice that "This Page Is PGP Signed And Date Stamped" or "Me and Bubba Both Signed This Puppy" or some such thing.)

Alternately, assuming the author hasn't "hidden" the signatures, if you check the bottom of the page where the PGP signatures are, you will probably find TWO (or more) PGP signature blocks (see the bottom of this page, for example; the inner one has "- " in front of its BEGIN and END lines, because it sits inside the outer signer's signed text). Finally, if you "Decrypt/Verify" according to the instructions in Part IIA and you get a good signature followed by a "-----BEGIN PGP SIGNED MESSAGE-----" line, that means that there's another "layer" of PGP information to be dealt with.

What Will You Need?

Well, for starters you need the right software and the right keys, which is to say the same stuff you needed for Part IIA. Got the keys? OK. This web page is signed by me using the secret key that matches the public key you should now have on your PGP keyring. I then emailed it to the Timestamper and they signed it using their secret key, which matches the public key you should also now have on your keyring.

That means this page has two "layers" of signatures. The innermost "layer" is signed by me. That is then wrapped in another "layer" of signature by the timestamping service. Think "onion" here. The outside layer is the timestamper signature, and when you peel it away, the next layer is my signature. (Note which layer proves what: the "Signed:" date on my own signature is whatever my PC's clock said when I signed, so it proves nothing by itself. The timestamper's signature is what pins the page, my signature included, to a date that somebody other than me vouches for.)

Checking it is a two-step process (you only peel an onion one layer at a time). The first step is exactly the "Current Window" then "Decrypt/Verify" routine you used in Part IIA to verify a single signature. You should now be looking at a window that says:
*** PGP Signature Status: good
*** Signer: Timestamp Service 
*** Signed: XX/XX/2000 XX:XX:XX AM
*** Verified: XX/XX/2000 XX:XX:XX AM
*** BEGIN PGP VERIFIED MESSAGE ***

########################################################
#
# The text of this message was stamped by
# stamper.itconsult.co.uk with reference 0035026
# at XX:XX (GMT) on Sunday XX XXXX 2000
#
# For information about the Stamper service see
#        http://www.itconsult.co.uk/stamper.htm
#
########################################################

 -----BEGIN PGP SIGNED MESSAGE-----
(HTML Code follows this...all the "XXXX" stuff above will 
actually consist of times and dates.)
DO NOT CLOSE THE WINDOW. We've only taken the first step or, if you prefer, peeled away the first layer (verifying the timestamp service signature).

Copy the window to clipboard. In PGP 6.x, there should be a button on the bottom of the window that says "Copy to Clipboard".

Go back to the little PGP padlock on your tool bar and click once. This time, select "Clipboard" (NOT "Current Window"), then "Decrypt/Verify".

You should be now looking at a window that says:
*** PGP Signature Status: good
*** Signer: Timestamp Service 
*** Signed: XX/XX/2000 XX:XX:XX AM
*** Verified: XX/XX/2000 XX:XX:XX AM
*** BEGIN PGP VERIFIED MESSAGE ***

########################################################
#
# The text of this message was stamped by
# stamper.itconsult.co.uk with reference 0035026
# at XX:XX (GMT) on Sunday XX XXXX 2000
#
# For information about the Stamper service see
#        http://www.itconsult.co.uk/stamper.htm
#
########################################################


*** PGP Signature Status: good
*** Signer: Jim Willingham
*** Signed: XX/XX/2000 XX:XX:XX AM
*** Verified: XX/XX/2000 XX:XX:XX AM
*** BEGIN PGP VERIFIED MESSAGE ***
(HTML Code follows this...all the "XXXX" stuff above will 
actually consist of times and dates.)
Now, this can all be done using text files. Save this page as raw HTML (see Part IIA for how to go about this). Then "Decrypt/Verify" that file, and save the product in a second file. Then "Decrypt/Verify" the second file. You should get the same results. (Note that the second file starts with the timestamper's banner, which sits outside my signature; PGP just passes that part through and verifies the signed message that follows it.) For hardcore PGP 2.6.X users, in fact, this is the only way to go at it.

An Experiment: After you've verified the signatures (whichever of the methods above you want to use to do it), re-open the "Notepad" (text editor) version. Make the smallest change you can think of somewhere in the HTML code and check the signatures again. You should get a "BAD SIGNATURE!" notice on both attempts, because the HTML sits inside both layers. Now try a change in the timestamper's banner (the date/time lines) instead: only the outer, timestamper signature goes bad, because the banner is outside my signature, which covers only the HTML. One "change" that won't show up at all is adding spaces or tabs at the very end of a line: PGP strips trailing whitespace before hashing clearsigned text, so the signatures still verify.
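If you'd rather watch the onion get peeled in code, here is an added example. It is mine, not code from the original page, from PGP or from the Stamper service. It parses only the clearsign framing: it finds each "-----BEGIN PGP SIGNED MESSAGE-----" layer, undoes the "- " dash-escaping the signer puts in front of lines that start with a dash, keeps the armor headers (Version, Comment and so on), separates any unsigned text in front of a layer (the stamper banner, for the inner layer) and produces the canonical text a verifier hashes. It checks no signature; PGP or GnuPG does that. The page it chews on is constructed to match the layout of this page (banner, 2.6.3i stamper armor, 6.5.3 author armor) with placeholder signatures, and the banner-edit and trailing-space cases are the experiment above, played out on both layers.

```python
"""Peel a compound ("onion") PGP cleartext signature layer by layer.

Added example for this tutorial; not code from the page, from PGP or from the
Stamper service.  It implements only the cleartext-signature framing of
RFC 4880 section 7.1 (dash-escaping, armor headers, canonical signed text)
and checks no signature.  The sample page at the bottom is constructed.
"""
import hashlib

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def _lines(text):
    return [line.rstrip("\r") for line in text.split("\n")]

def is_clearsigned(text):
    return BEGIN_SIGNED in _lines(text)

def canonical_text(signed_text):
    """What is actually hashed (apart from the signature trailer): trailing
    spaces/tabs dropped from every line, CR LF line ends, none after the last."""
    return "\r\n".join(line.rstrip(" \t") for line in signed_text.split("\n"))

def peel_one(text):
    """Strip one layer.  Text before the BEGIN line comes back as 'preamble';
    it is NOT covered by this layer's signature (the stamper banner is the
    preamble of the author's inner layer)."""
    lines = _lines(text)
    start = lines.index(BEGIN_SIGNED)       # ValueError if not clearsigned
    try:
        i, hash_headers = start + 1, []
        while lines[i].strip():             # 'Hash:' lines; PGP 2.6 emits none
            hash_headers.append(lines[i])
            i += 1
        i += 1                              # the single blank line
        body = []
        while lines[i] != BEGIN_SIG:
            line = lines[i]                 # undo the signer's "- " escaping
            body.append(line[2:] if line.startswith("- ") else line)
            i += 1
        i, armor = i + 1, {}
        while lines[i].strip():             # Version:, Charset:, Comment: ...
            key, _, val = lines[i].partition(":")
            armor[key.strip()] = val.strip()
            i += 1
        if END_SIG not in lines[i:]:
            raise IndexError
    except IndexError:
        raise ValueError("truncated cleartext signature") from None
    return {"preamble": "\n".join(lines[:start]), "hash_headers": hash_headers,
            "signed_text": "\n".join(body), "armor": armor}

def peel_all(message):
    """All layers outermost first, plus the innermost (unsigned) payload."""
    layers, current = [], message
    while is_clearsigned(current):
        layer = peel_one(current)
        digest = hashlib.sha1(canonical_text(layer["signed_text"]).encode())
        layer["canonical_sha1"] = digest.hexdigest()
        layers.append(layer)
        current = layer["signed_text"]
    return layers, current

def layer_digests(message):
    """SHA-1 of each layer's canonical text, outermost first: shows which layers
    an edit touches.  Not the value inside the signature itself, which also
    covers the signature packet's trailer."""
    return [layer["canonical_sha1"] for layer in peel_all(message)[0]]

def wrap_clearsign(text, armor, signature_b64, hash_header="SHA1"):
    """The framing a signer emits (inverse of peel_one).  signature_b64 is a
    constructed placeholder here; no cryptography is done."""
    head = [BEGIN_SIGNED] + ([f"Hash: {hash_header}"] if hash_header else []) + [""]
    body = [("- " + line) if line.startswith("-") else line for line in text.split("\n")]
    tail = [BEGIN_SIG] + [f"{k}: {v}" for k, v in armor.items()] + ["", signature_b64, END_SIG]
    return "\n".join(head + body + tail)

# Constructed sample modelled on the page: the author clearsigns the HTML, the
# Stamper prepends its banner and clearsigns the lot again with PGP 2.6.3i.
INNER_HTML = "<html>\n<body>\n<p>The PGP How'd You Do That Page</p>\n</body>\n</html>"
STAMPER_BANNER = ("########################################################\n"
                  "#\n# The text of this message was stamped by\n"
                  "# stamper.itconsult.co.uk with reference 0035026\n"
                  "# at XX:XX (GMT) on Sunday XX XXXX 2000\n#\n"
                  "########################################################\n")
FAKE_SIG = "bm90LWEtcmVhbC1zaWduYXR1cmU="          # base64 of "not-a-real-signature"
AUTHOR_LAYER = wrap_clearsign(INNER_HTML, {"Version": "PGPfreeware 6.5.3 for non-commercial use"}, FAKE_SIG)
PAGE = wrap_clearsign(STAMPER_BANNER + "\n" + AUTHOR_LAYER,
                      {"Version": "2.6.3i", "Charset": "noconv", "Comment": "Stamper Reference Id: 0035167"},
                      FAKE_SIG, hash_header=None)

if __name__ == "__main__":
    layers, payload = peel_all(PAGE)
    for depth, layer in enumerate(layers):
        print(f"layer {depth}: {layer['armor']}  unsigned preamble: {len(layer['preamble'])} chars")
    print("payload starts:", payload.splitlines()[0])
    base = layer_digests(PAGE)
    for label, old, new in [("banner edit", "0035026", "0035027"),
                            ("HTML edit", "<p>", "<P>"),
                            ("trailing spaces", "<body>", "<body>   ")]:
        changed = [a != b for a, b in zip(base, layer_digests(PAGE.replace(old, new, 1)))]
        print(f"{label}: layers broken (outer, inner) = {changed}")
```

The script reports two layers, shows that the banner is the unsigned preamble of the inner layer, and that a banner edit changes only the outer layer's canonical text, an HTML edit changes both, and trailing spaces change neither. With GnuPG rather than the PGP 6 GUI the text-file method above is: gpg --decrypt page.html > layer2.txt (verifies the timestamper's signature and writes the un-escaped signed text), then gpg --verify layer2.txt for my signature.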

Have fun!
Go To Part I (What Does "Signing" Something Mean?)
Go To Part II (How Do I Check A Web-Page Signature?)
Go To Part III (How Do I Sign A Web-Page?)

Extra Note: All the gibberish following this line is the two PGP signatures. The first one (with "- " in front of its BEGIN and END lines, because it sits inside the timestamper's signed text) is the hash of this page signed with my "secret" key; the second is the hash of the page plus my signature, signed with the timestamp service's "secret" key. Just in case you wanted to know....

- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use 

iQCVAwUBOYb5kqY+qT1p0/NdAQHFMgP/bp5FocP9OF/zXPO7xiwngBfbmaC9rhrN
Aoqm5XEw1nDHY9gZVLxHBettZK/d9IVJlZvOlQ7Bksax4zxm7+VRsnXCME6dqt8v
8JKStx0MVgN79c+o99XkUIFCFjNU0YiSGzItmYKJZ1b65l+ZDicnFsybKXcgSJeV
9WcD3xoozh8=
=ahwM
- -----END PGP SIGNATURE-----


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: Stamper Reference Id: 0035167

iQEVAgUBOYb49YGVnbVwth+BAQGO9wf8C4Zvq8EaUv3UKUuTyKsB7SBGXD0KwJ4i
5t6IrkWZJ6f+X4QJfje4FKSDEAnWR92PN8l3piiosshiSf6FHdTRY2YAa81IvTQA
/9fv00eQCCEfHUY0MTxUM1bHsw0N2544wfG1JoodeU2KiZZkVfSNrKpvXR7gerz0
K72Dd4G5msjewlFVuBpHA3pUI8YEw0z+laf1C7uoTjVy+gquq3Bp21nspCwXGpXE
GygM1goB/afPc4f4Tcb51qOpNvs2egeIg7TcYvvk704nv8AREZ3QfPGMihfq5dCK
71JZvX2UHiNh0/T1o91wa/ByMcUjrHl7NeAu2XcwiBwFTxOouOkQWw==
=iRcK
-----END PGP SIGNATURE-----

©2000, 2001 All Rights Reserved