Hey everyone, can you see the shared screen of Assignment 4, for questions? Right. And you can hear me fine; there are no issues with the audio. Perfect. Okay. We can get started then. So welcome to this week's recitation. I'm going to walk through Assignment 4 and also some general comments on what I've been seeing in the discussions on Piazza. And after that, you can ask all the questions on the chat if you have anything. Okay.

So this assignment is about Web of Trust, which is basically about you building a network of people whom you can trust. And we do this using public key cryptography and GPG to verify each other's identities and build your web. Okay. So your first step is you have to create a GPG key. There's a really good guide already here that you can take a look at. There are lots of tools that you can use to create GPG keys. You can use a command line tool called GPG. There are also several UI programs that you can use. Some names were mentioned on Piazza like Kleopatra. There are also many other tools available for whichever platform you are using. Feel free to pick any of them and use it. Most of those tools also have reasonably good documentation. So it shouldn't be very difficult for you to generate the key. The most important thing that you have to remember when you're generating the key is that the name on the key has to match what is there in the ASU system. You can use any email address. It doesn't matter, but there should not be a comment. The conditions on the name and the comment are an absolute requirement because that is what we use when we are validating your submission at the end of the assignment. Another important reason also is that you have to get your key signed by other students and they might rely on your name in order to validate your key and then sign it. Another very important thing is after you generate your key pair, please do not lose it. Back it up somewhere.
It's very, very important because we will not sign multiple keys for you when you submit on Gradescope. And if you end up losing your private key, you will no longer be able to sign anybody else's keys and then we will not be able to score you correctly. So if you ever want, please do not lose your key. It's very, very important. If you are concerned about using an existing key that you already have, I would recommend that you just generate a key, because it's not good practice to put your private key somewhere where you want to back it up. I definitely recommend generating a new key just for this assignment, but feel free to also use an existing key if you want to.

So once you have generated your key, just like in the crypto assignment where you had to submit an empty file and then you actually get the ciphertext, here you actually submit the public key that you generated onto Gradescope in the assignment named Web of Trust Upload. And when you do the upload, the Gradescope grader is going to check if your key is valid and it's going to send you back the public key, except that we also signed the public key that you just uploaded with our own private key. Now, after you get the signed key from Gradescope, it's highly recommended that you verify the signature using the public key that we are using for this course. You can download the public key from this URL here, which is there on the webpage with the Assignment 4 description. In order to verify the public key, we're also giving you the fingerprint, in order to ensure that the key that you downloaded is good. In addition to also giving you the signed public key, we also give you an adversarial key pair, both a public key and a private key, with the same email as your key but with a different name. This is going to be used for a later part in the assignment. So we'll get to what the adversarial key is given to you for later in this recitation.
Once you've received your signed public key from Gradescope, you need to get your public key signed by at least 30 other students in the class. There are two really good manuals here on how you actually do the signing. The key challenge in this assignment, in this part of the assignment, of course, is you must verify that the signatures are from a valid key for this class. It's up to you to ensure that the signatures that you receive are actually generated by a key that's valid for the class. If it's signed by something else not used in the class and not backed by the Gradescope system, you will end up in a situation where that signature would not be counted towards your total of 30. Please be sure to verify that you're getting signatures from valid public keys for the class. Right. So the signing is actually how you build your web of trust. When you actually certify someone else's public key using your signature generated by your private key, you're essentially certifying that the other person's public key can be trusted. And that's how you build your whole web. So please be sure to verify that the signatures are right.

And you should also ensure that you actually sign valid keys. That's the next part of the assignment. You also need to sign at least 30 public keys of other students in the class. Right. You should also make sure that you do the signature properly. There are a couple of people who have been having issues importing the signature. We also have a discussion in there. I'll talk about it later in the recitation, but please be sure that you sign correctly. If you have any doubts, just make sure that you talk to the other people whose keys you sign, make sure that your signatures are fine, and make sure also that the signatures coming from them are done properly. Also be very careful on which keys you sign, because if you sign invalid keys, you're also going to end up losing points. So if you don't sign any invalid keys, you will receive a full score of 10 points.
But depending on how many invalid keys you signed, the amount of points that you lose would vary. This is to illustrate that trust is an important part of the web of trust; you should absolutely only trust a public key if you're sure it's valid and belongs to that person. If you were to randomly certify someone as owning a public key, that is going to break the fundamental trust in the whole web of trust and makes the whole web of trust not very trustworthy. Right. On the flip side though, if you get other people to sign your adversarial key that was generated for you from Gradescope, with a different name but the same email as the key you uploaded, you can actually get extra credit for tricking people into signing the adversarial public key that they should not have done. Right. So they're tricky. I've already seen that a lot of people are trying multiple ways to do it. So please be careful which key you sign. Make sure you validate it as a good key and not an adversarial key so that you will not end up losing any points.

And finally, once you have collected 30 signatures, and if you got any signatures for your adversarial key, you need to submit all these files that are listed here on the submission server, along with the README that's going to have your name, your ASU ID, what you think about GPG and key signing, and also a description of how you managed to get other people to sign your adversarial key. The submission server is currently not open right now. Please check back in a few days here. Adam would add the link here, and if you don't hear back from us very soon, feel free to put a post on Piazza and one of us will get back to you on it. So that's the description of the assignment. I see there's a question that I will come back to. I'm just going to give you a couple of other points that I'm seeing based on the discussions on Piazza.
One of the important challenges that a lot of people have been having is how do you verify the signature that's generated from Gradescope using the course's key, right. There are guides out there that tell you how to do the signature verification. So I'm not going to give you the exact command. But in general, what you would have to do is first import the course's public key that's linked to from Part 2 of Assignment 4 here. Verify the fingerprint on that public key, and then use the GPG command, or if you're using a UI, whatever UI mechanism is there for you, to verify that the course key has the fingerprint that's mentioned here. And then you can be sure that the course public key that you have downloaded is correct, and then just run the verification command and it'll tell you whether it's correct. So you find the course's public key, again, repeating it, you find the course's public key on the Part 2 of Assignment 4 page on Adam's website. Please download it from there and verify the signature that you get from Gradescope.

Another important problem that a lot of people have been facing is the whole cross-platform issue where you just ask GPG to display the output on the standard output and then you redirect it to a file, which is going to mess up if you were to send that file to someone else using a different platform. For instance, maybe you sign someone who's using a Mac, and then you sign their key on Windows and you send it to them, and they're not able to verify your signature that you gave them. So rather than using redirection, please use the --output flag that's there for GPG. If you're using a UI, it must be possible to ask it to save the signature or any output from there into a specific file. So please do that; do not do redirection. That is going to mess up a lot of things if you start going across operating systems.
The other important thing is that you should share the signed public key that you get from Gradescope and not the public key file that you generated before you uploaded it to Gradescope, because the file that you get from Gradescope is signed using the course's key, and if someone else were to check your key, they would not be able to verify if your key was signed. So when you ask someone else to sign your key, be sure to give them something signed from Gradescope and not without the course signature.

The last thing that I wanted to point out is a couple of people are asking, now what if I get a signed public key from someone else? Does it mean that I need to go re-sign all the keys that I signed because I have a new signature from another person? The signature is conceptually different from the key, regardless of how many extra signatures you keep tacking on. Any signature that you created before you received any new signatures is not going to change. The signature is basically someone else certifying that your key is correct. It does not affect any signatures that you create using your keys. So you don't have to worry about it. You don't have to do anything. And in addition, GPG can also import new information: if you get three new signatures, GPG is smart enough to figure out that this is a public key that it already knows and here are some new signatures for this public key, and it's just going to add them together in its internal database. So you don't have to worry about any of that. GPG would make sure everything is working fine. So that's some of the things that I wanted to point out based on the discussions that I saw on Piazza.

So we already have a question here. How do we verify validity? Could you please elaborate a bit more? Verify the validity of what exactly? It's not very clear to me what you're trying to validate. You can just post it on the chat. That's good enough.
I mean, well, if anybody else has any questions, please feel free to post it on the chat. So we do have a new question here, but I'm just going to quickly address the follow-up to the previous question that I was answering. The person has clarified; the question being asked is how do we verify if a key is valid or adversarial. I'm not going to answer that because that's part of the assignment. Okay. It's not very tricky. You can figure it out, but I'm not going to tell you how to do it. Okay.

So the next question that we have is, so do you lose points if you sign? So do you only lose points if you sign adversarial keys? What if you sign an invalid key that is not adversarial? Like if someone messed up the name spelling in their key, hadn't submitted it to Gradescope yet, and you still signed the key with a misspelled name, would you lose points? So you wouldn't lose points for part five where you need to sign invalid keys, but you probably would not get points for when you need to sign other people's public keys. But regardless, I would say be very careful on which keys you sign. If you have any kind of doubt that this is not a valid key that you should sign, I would recommend that you don't sign. I would say don't risk it. That's the whole point of the web of trust. You don't want any sort of chances. When you make a signature, you want to be certain that this is the key that belongs to that specific person. There should be no room for doubt anywhere. So I would err on the side of caution and not sign a key if you don't trust it. I hope that answers the question. If it doesn't, please post a follow-up. I'll be happy to clarify. If anybody else has any questions, feel free to post it on the tab.

So the question here, just to clarify, importing a key is not the same as signing the key. That is correct. Importing a key is not the same operation as signing a key.
Importing just means that you're just adding the key to your GPG database on your machine, whereas signing is when you actually certify that the key is trustworthy, and that is done using your private key. So they are not the same. Importing is perfectly safe to do. Feel free to import as many keys as you want, but be very careful on which keys you sign. And also, if you want to verify the signature created by another student in the class, you would need their public key to verify. I hope that answers the question. If anybody has any questions or any follow-up, please feel free to post it on the tab.

So we have another question here. Do you have a recommendation for how to find people to share keys with? I've been doing it on Gradescope. Sorry, I think the person meant, I've been doing it on Piazza, but it feels like it takes forever. No specific recommendation, sorry. No specific recommendation really, how you can find people to get them to sign a key. A lot of people have been finding people to sign their key on Piazza. They create signing threads where they just post their keys and ask if someone else can sign their key. You could try that, but I think a lot of people have already hit 30 signatures and so probably they might not reply, because they don't necessarily need more signatures. But Piazza is definitely one way to get signatures. The other problem, of course, is we've not been meeting in person anymore during the lecture or anything, so it's very difficult to get signatures from there. Feel free to reach out to other students through multiple ways. You can maybe find their profile, contact them outside of Piazza, maybe shoot them an email if you find their profile of some kind from ASU's website, and ask them if they could sign. There may be other communication channels. There are a couple of communication channels discussed on Piazza, but I'm a little hesitant to also recommend them because you need to be careful.
We don't control it, so if you accidentally sign someone's adversarial key, that's on you and not on us. Feel free to reach out. Usually in the real world, a lot of this is done in person, but since we don't meet people directly, it's a little tricky, but if you have some time, you have multiple ways of reaching out, I think you'll be able to figure it out. Also something just to add: even though a lot of people are not necessarily replying right now, there could still be people who would be interested in receiving more signatures and also giving out signatures, because it's recommended that you get signatures from more than exactly 30 people, to ensure that there are no problems when someone claims to have signed yours but then didn't sign yours, or something went wrong in the whole signing process, etc. So I would also recommend, don't aim for just 30 signatures. Try to be safe and get a lot of signatures so that there would be at least 30 of them valid in the big set of signatures you received.

So we have another question here. If the person doesn't have the CSC 365 S20 key in their key ring, is it best not to sign their key? I'm not really sure if I understood your question correctly, because my understanding of a key ring is the local GPG database that I maintain. I'm not sure how you can check if someone else has imported the CSC 365 S20 course key into their local key ring, because you probably don't have access to their key ring. Okay, we have clarification from someone else. They probably meant if it hasn't been signed by the course key. I'm also going to err on the side of caution and not answer that question. Yeah, sorry. Use your best judgment. Decide if you want to take the chance. It's fully on you. I'm definitely not going to make a recommendation for that.

So we have another question here. Did you say that the Gradescope submission will be up soon? Yes, I believe that the submission service will be up soon.
I'm just not sure if it's going to be on Gradescope or if it's going to be somewhere external. I would say just wait it out a bit. Collect your signatures. Don't necessarily wait until the submission server comes up, because the submission is independent from you getting everybody's signature and writing all the README and stuff. But yes, it should be up soon. We probably wouldn't take it too close to the deadline, but it's computers. There's no guarantee. But we will try to get it up as soon as possible and give you enough time before the deadline so you can still submit and troubleshoot if there are any issues. Sorry, I don't have a more specific and better answer. We would likely also announce on Piazza. So keep monitoring the discussions there to see if you see announcements from one of the TAs or from Adam.

So we have another question here. If someone gets people to sign their adversarial key by changing the name or the UID on the adversarial key and stripping out the course signature, does that count? I am not certain if the adversarial key that you get from Gradescope is signed with the course signature. I haven't checked. So that's why I'm not sure. We have clarification. Thank you. It is signed by the course key. But yes, if you still get someone to sign your adversarial key without the course signature, as long as the signature on the key is valid and you can verify the signature using GPG, then we would also be able to verify the signature on the adversarial key, and that would count. Like I said earlier in the recitation, the signature is different from the key. The signature is just a certification stating that the key can be trusted. It's not really associated with the key. So yes, if you do still get the key signed, even if it doesn't have any additional signatures along with it, and you can verify the signature locally using GPG, it should be good enough. That's what I would say. I hope that answers the question.
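As an added example that is not part of the recitation, the shell script below reproduces the checks the TA describes (compare the course key's fingerprint with the published one, export with --output instead of shell redirection, and confirm that a key carries a good certification from the course key) using constructed throwaway keys in a temporary GNUPGHOME. The names, example.edu addresses and fingerprints in it are assumptions; the real course key and its fingerprint come from the assignment page.

```shell
#!/bin/sh
# Added example, not from the recitation: a throwaway GPG walk-through of the
# checks discussed above, in a temporary GNUPGHOME so nothing touches your real
# keyring. "Course Key", "Student Name", "Other Student" and the example.edu
# addresses are constructed; the real course key and fingerprint come from the
# assignment page.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate"; exit 0; }

GNUPGHOME=$(mktemp -d); export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# gpg with the options needed to run unattended (keys here have no passphrase).
g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint (40 hex digits, no spaces) of the primary key matching a selector.
fpr_of() {
  gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The check from the recitation: before trusting anything the course key signed,
# compare the imported key's fingerprint with the published one.
fingerprint_matches() { [ "$(fpr_of "$1")" = "$2" ]; }

# Does key $1 carry a good certification from the key whose fingerprint is $2?
# --check-sigs verifies every signature on the key; in --with-colons output a
# "sig" record with "!" in field 2 checked out, and field 5 is the signer's
# long key id (the last 16 hex digits of its fingerprint).
signed_by() {
  signer_id=$(printf '%s' "$2" | tail -c 16)
  gpg --batch --with-colons --check-sigs "$1" 2>/dev/null \
    | awk -F: -v id="$signer_id" \
        '$1 == "sig" && $2 == "!" && $5 == id { found = 1 } END { exit !found }'
}

# 1. Constructed keys: the "course" key, a student key, and one nobody certified.
g --quick-generate-key "Course Key <course@example.edu>" default default 1y
g --quick-generate-key "Student Name <student@example.edu>" default default 1y
g --quick-generate-key "Other Student <other@example.edu>" default default 1y
COURSE_FPR=$(fpr_of course@example.edu)
STUDENT_FPR=$(fpr_of student@example.edu)
OTHER_FPR=$(fpr_of other@example.edu)

# 2. The course key certifies the student's key, as the Gradescope grader does.
g --local-user "$COURSE_FPR" --quick-sign-key "$STUDENT_FPR"

# 3. Export the signed key with --output rather than shell redirection, so the
#    file is written the same way on every platform.
SIGNED_KEY_FILE="$GNUPGHOME/student_signed.asc"
g --armor --output "$SIGNED_KEY_FILE" --export "$STUDENT_FPR"

# 4. Verify: the course fingerprint matches, and the student's key (but not the
#    third key) carries a good certification from it.
fingerprint_matches course@example.edu "$COURSE_FPR" && echo "course fingerprint OK"
signed_by "$STUDENT_FPR" "$COURSE_FPR" && echo "student key is certified by the course key"
signed_by "$OTHER_FPR" "$COURSE_FPR" || echo "other key has no course certification"
```

The same signed_by check, with the real course fingerprint, is what tells you whether a key someone hands you actually came back through Gradescope; the fingerprint comparison is what protects that check from a substituted "course" key.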