James Howard is a statistical analysis expert who provides in-depth economic, policy, and data analysis to Federal agencies, public institutions, and sophisticated private clients. Currently, James is a senior associate at Kore Federal and provides independent consulting as J.P. Howard & Company. Previously, James served the Board of Governors of the Federal Reserve System as an internal consultant on statistical computing. While an undergraduate at the University of Maryland, College Park, James also worked in space systems design and telecommunications. James is a passionate educator, teaching mathematics courses as an adjunct instructor at the University of Maryland University College.
In his spare time, James serves Howard County, Maryland, as a member of the Board of Appeals. He also serves as the chief of the Information Management Branch of the Maryland Defense Force. Prior volunteer experience includes providing economic advice to the Columbia Association, establishing an alumni association at the University of Maryland, and serving on numerous public and private volunteer advisory boards.
James is currently completing a PhD in public policy at the University of Maryland Baltimore County where his research focuses on the economic and social impacts of flood insurance. James holds an MPA from the University of Baltimore and a BS in mathematics from the University of Maryland, College Park.
Provided public policy and public administration consulting services. Advised and consulted on evaluations of community college administration. Developed business and managed client accounts.
Provided predictive analytics and artificial intelligence consulting. Built supervised and unsupervised machine learning models for rare event detection. Optimized predictive models (inter alia, logistic regression, support vector machine, and random forest) for accuracy and power. Created risk assessments based on open source intelligence supporting predictive analytics. Translated risk assessments into business process rules for business intelligence models.
Taught business statistics, precalculus, business mathematics, and developmental mathematics to adult learners, predominately forward-deployed service members and non-mathematics majors. Developed new course components (assessments and interactive instruction) for department.
Managed, promoted, and organized internal symposium on open source analytical software, R. Supervised internship project to create time series management system in NoSQL environment. Implemented massively parallel HPC environment in MATLAB and R using Torque. Counseled economic researchers on optimizing code for parallel computing, including data storage, process management, and code development in numerous analytical applications. Advised economic data management workgroup on business process reengineering.
Developed knowledge management platform using Mediawiki, including extensions in PHP. Documented economic computing environment using new knowledge management system. Developed new software in S-Plus for creating custom time-series graphs for publication. Redesigned software distribution system to manage installations on research network. Advised research divisions on economic and statistical software purchasing requirements.
Redesigned multithreaded update queue to manage concurrent updates to FAME's single-user time-series data storage system. Created Fortran interface to FAME API enabling legacy applications to access new features. Reduced S-Plus licensing requirements to save $25,000/year (2004 dollars).
Embedded consultant with the Executive Office of the President of the United States. Collected requirements and managed SDLC documents for White House event planning software system. Developed requirements for custom White House contact management system.
Embedded consultant with the United States House of Representatives. Drafted IT governance policies for House of Representatives electronic communications systems. Developed policies and procedures for managing intrusion detection systems, web servers, and other infrastructure systems. Advised House member and committee offices on using electronic communications systems.
Designed and programmed a custom embedded task scheduler. Wrote GPS device driver and added Hayes modem emulation support to the PPP driver in the Linux kernel. Designed a custom encrypted tape network backup system. Built and deployed a new mail Internet-to-satellite routing protocol for the Wavix store-and-forward mail processing system. Managed the physical network transition when the home office moved from Landover to Laurel, Maryland. Approved the purchase of all IT products and services and managed the physical network.
Implemented conversion from Sendmail to DMAIL. Programmed a custom log analysis application for the RADIUS user authentication service in Perl to measure user connection failures. Ported the FreeBSD periodic scripts to Red Hat Linux to provide standard timings for system maintenance scripts. Trained the tier-one technical support staff in resolving eStart customer issues over the phone and also managed the trouble ticket queue by assigning tasks to the appropriate administrator.
Is it possible to capture and display the photo that is autoselected by tumblr in a custom theme?
Reading Michio Kaku’s Physics of the Future, he notes (location 6196),
The United States cannot continue to live off foreign scientists, many of whom are beginning to return to China and India as their economies improve… This means that the United States will eventually have to overhaul its archaic, sclerotic education system. At present, poorly prepared high school students flood the job market and universities, creating a logjam. Employers continually bemoan the fact that they have to take one year to train their new hires to bring them up to speed. And the universities are burdened by having to create new layers of remedial courses to compensate for the poor high school education system.
Perhaps not surprisingly, the worst job markets in the United States are where the worst school systems are. Daily, we see politicians and charlatans strangling public schools by squelching basic science and health education. Recent battles over creationism in Louisiana bear this out. While Louisiana’s unemployment rate is just below the national average, it’s barely worth having a job there when the median income is 41st in the country, and around 80% of the national income figures. In fact, the bottom 10% of states hover between 76% and 81% of the national income.
And these states have comparably worse education. But the problem with education in these states isn’t the comparable funding cuts, but the never-ending meddling in education standards, and specifically science standards. Tennessee, third from the bottom in income and home of the Scopes Monkey Trial, adopted a climate change denying bill in 2012. And Mississippi’s governor, whose state is last in income, blamed teens for the failure of abstinence-only educational policies. These examples are highlights and reflect the norms of lower-income jurisdictions in the United States. Higher income areas, such as Maryland, New Jersey, and Connecticut, tend not to see full frontal assaults on science education. And these places will continue to be the homes of jobs and high-paying jobs.
I started teaching at the University of Maryland University College (UMUC), a distance education institution, in the spring term of 2011. Someone from UMUC had emailed asking if I’d be interested in teaching there in the spring of 2010. I followed up and, following an interview, was given an adjunct appointment (adjunct instructor) in what was then called the School of Undergraduate Studies (now called the Undergraduate School). I teach in the mathematics and statistics group, mostly freshman mathematics courses such as finite mathematics, college algebra, and trigonometry.
When I started, before I could teach, I was given a five-week course on teaching online. This encompassed using WebTycho, UMUC’s homegrown distance education platform, and some pedagogical material about teaching online. But we were never really taught how to teach. Or, for that matter, why. This is not unique to UMUC. There’s very little teacher training in higher education. There’s plenty of research training, but very little teacher training. So we learn it on the streets. For those who know where to look, UMUC’s Center for Teaching and Learning also provides short (one-week) courses on time management, the adult learner, and dozens of other topics. I’ve probably taken about 10 of these, and earned two faculty workshop certificates from UMUC.
Given this, I am excited to see that the Commonwealth Education Trust, a British charity, is offering an 8-course program, through Coursera, to teach the business of teaching. The program covers student assessment, understanding curriculum, and professionalism, among other topics. The entire program, lasting more than a year, starts in August of 2013 and is available for free.
Moody’s has announced Howard County may lose its coveted and well-deserved AAA bond rating. The AAA rating is important to the County because it reduces the borrowing costs for funding and gives Howard County substantial leeway in determining fiscal priorities. It helps pay for Howard County’s general awesomeness.
The problem here is Moody’s, as usual, has failed to perform a basic evaluation or due diligence in evaluating Howard County. Like the other major credit ratings agencies, the process for evaluation is a black box, wherein the rater does not explain how a conclusion is reached. Nevertheless, hints are dropped. And the Municipal Bond Association lays out four key metrics used to evaluate the health of a municipal government (these may look familiar if you’ve seen my work with the Columbia Association). Avoiding a lot of equations, they essentially involve measuring the debt compared to total land valuation, the population, personal income, and revenues.
Let’s start with the first. The county land valuation experienced a minor (less than 5%) decline during 2011, but by Moody’s own estimate, this is a non-problem since the phased-in assessment increases ensure a steady growth in the tax base going forward.
The second, linking debt to population, is rather outdated and difficult to assess year over year since it is measured in nominal dollars. It doesn’t matter, since Moody’s press releases do not suggest they use it. (Fitch does, but they haven’t said anything foolish yet.)
The third, debt over personal income, is most important. With Howard County’s population sitting on the third highest per capita income in the United States, the county’s debt is relatively low compared to other jurisdictions. Also, the county’s incredibly low unemployment, 4.7% (December 2012), has decreased over the prior year, lending further strength to the personal income of Howard County.
The fourth measure, debt service over revenues, is a bit harder to work with. Debt service includes all long run debt, including pension liabilities and lease payments. Nevertheless, despite a massive shift in pension liabilities onto county governments, Howard County is still stronger than other counties. Moody’s notes that Howard County faced a structural deficit in fiscal 2011, however, at $2.2M, that was less than a third of one percent of the county budget, and was corrected through short-term savings.
While the federal government is a substantial contributor to local employment, that is true across a broader swath of the United States than most would admit. The risks of the federal government substantially curtailing local spending, especially when much of the spending that Howard County benefits from is Defense-oriented, are low. While I have not done a stress test on county finances, I am reasonably convinced Moody’s negative outlook for one of the few jurisdictions where everything is looking up, is misguided and bad business.
So I have some interesting political and social questions, that might be a bit different from anything I’ve heard so far:
This is a rare opportunity to see the international community respond to a new distinction in status. It might be interesting.
Shouts & Murmurs - Gary Belsky compiled the 100 best lists of all time, including Schindler’s list, the 10 Commandments, the ultimate grocery list, and more: http://nyr.kr/Tpas0j
I’ve been laughing at this for a few days.
Whump, whump, whump, whump, whump
I double check but I am not near the rumble strip
On the side of I-95, just south of MD-200
I pull over: the driver’s side rear is flat
Driving the wife’s car
I have no idea how prepared I am for this
The trunk yields with a two-and-half ton floor jack
And a well-worn but ready to use donut
I jack the car up
But have to step on the lug wrench to loosen the bolts
Though the bolts are removed, the tire is stuck on
And with a swift kick, the tire falls to the ground
I place the donut
And tighten the lug nuts to hold it down
In twelve minutes, how many others passed me by
WAMU reports the delay I caused, all the way to MD-216
On Maryland 27, about two miles north of I-70, there’s been a sign for a couple of years reading:
RON PAUL
TRADITIONAL MARRIAGE
Of course, an actual Libertarian would not support legislating marriage, but this is not about taking potshots at the clinically stupid. As I drove by it today, it had been comically altered to read:
RU PAUL
TRADITIONAL MARRIAGE
I laughed. Sorry I didn’t get a picture.
Nate Silver. But lost in the discussion of how the Republican Party panned his predictions is an underlying truth. The same group of people who reject climate science, evolutionary science, economic science, geological science, medical science, social science, and public health also reject data science.
When my children ask me what I did for the historic election of 2012, I will tell them I was an ass on Facebook. And they will be able to scroll through my timeline and see it within seconds.
The abstract is below. Conference information is available here.
The National Flood Insurance Program (NFIP) was created by Congress in 1968 to provide insurance and prevention against flood risk and to shift some rebuilding costs off the federal budget. The program, administered by FEMA, includes a flood mitigation grants component available to communities and a financial insurance component available to individuals and businesses. The program is self-supporting, while indebted to the federal government, and has been criticized for its environmental and economic impacts. Multi-state flood events since 2000, such as Hurricanes Katrina (2005) and Sandy (2012), have stressed the NFIP’s finances, forcing some to question the benefits and costs of the program.
Estimating the net social benefits through benefit-cost analysis requires an in-depth analysis of the insurance and grant components of the NFIP. This presentation will outline the development of a sufficient statistic for measuring the impacts of the NFIP’s insurance component. This sufficient statistic takes into account the premiums, claims payments, and potential losses for a policyholder and measures their impacts on society. This statistic is calculated using aggregate financial information provided by the program.
Combining the results of the insurance component sufficient statistic with estimates of the net social impacts of flood mitigation grants available from other sources, it is possible to obtain a first-order estimate of the net social benefits of the entire NFIP at the national level, both retrospectively and prospectively. In addition, it is possible to estimate the net social benefits of the NFIP at the state level and, through distributional weighting, obtain a second-order state level estimate of the distributionally weighted net social benefits of the NFIP. The framework can also provide higher-order estimates using disaggregated data sources.
I put a lot of stuff into Mercurial, including research, letters, and miscellaneous documents as they are being developed. When a new project shares some common element (such as, for instance, page formatting) with an older project, I’ll fork from the older project into the new one, leaving them with a common history even if the two have no other logical connection.
As you know, we have a thing for statistical literacy here at Simply Stats. So of course this column over at Politico got our attention (via Chris V. and others). The column is an attack on Nate Silver, who has a blog where he tries to predict the outcome of elections in the…
I’ve revised your code for efficiency:
```r
# Set initial parameters
percentObama = 0.505
sdObama = 0.01
n = 1000
# Simulate n elections
simulatedPercentObama = rnorm(n, mean = percentObama, sd = sdObama)
# Calculate the percent of times Obama wins
percentObamaWin = mean(simulatedPercentObama > 0.5)
percentObamaWin
```
Histogram of NFIP claims from 1996 to 2010 in 2010 constant dollars—it looks like it might be log-normally distributed.
Above are the slides from my presentation at the William and Mary Graduate Research Symposium. The associated paper can be downloaded from SSRN.
A slightly revised version will appear at the UMBC Graduate Research Conference next month.
As noted before, the federal fiscal year can cause problems for economic analysis when converting from nominal dollars to constant dollars because the federal fiscal year runs from October 1 to September 30 and annualized rates for CPI are from the calendar year. The Consumer Price Index is published by the Bureau of Labor Statistics which also publishes monthly figures.
This table is a fiscal year annualized CPI dataset for 1977-2011. The figures are given by averaging the monthly figures from October through the following September of each year. Like the traditional annualized CPI figure from BLS, this is calibrated to (calendar) 1982-1984=100, so the figures will be close to the calendar rates and could even be used to convert between the calendar and fiscal year, if necessary.
I defended and passed my dissertation proposal yesterday. One of the more challenging aspects of the public policy program at UMBC is the amount of information going into the proposal. Where some programs and schools have relatively short proposals, glorified abstracts, and an informal approval process, the public policy program requires the bulk of the literature review, a fully developed methodology, and justifications for the study. As a result of this, our proposals run long.
Mine is 114 pages. The benefit in this work is today, a day after my proposal defense, a rough draft of my dissertation’s first three chapters is done.
When performing ex post analysis for net social benefits, there is surprisingly little guidance on the matter of selecting a social discount rate. This is remarkable given the handwringing by the Office of Management and Budget, the Congressional Budget Office, and many others over the matter in ex ante regulatory analysis. Regardless, it is sometimes important to consider the historical impact of a program to provide a framework for understanding changes to that program, similar new programs, or simply to see if the benefits projected at the start materialized.
One school of thought when performing ex ante regulatory analysis is to estimate the social discount rate using the governmental borrowing rate. (Other potential rates are discussed in, among others, Cost-Benefit Analysis: Concepts and Practice by Boardman, et al.) I think when performing an ex post analysis, there is significant justification for using the governmental borrowing rate, and it is convenient since the borrowing rate is both observable and known. For this, I have created a pair of tables, available as Google Tables, that represent the annualized borrowing rate for the United States government for calendar years and fiscal years. Each table provides the base cost for borrowing at one, two, three, five, seven, ten, 20, and 30 year terms. Below is an abbreviated sample.
| Year | 1-Year | 10-Year | 30-Year |
|---|---|---|---|
| 2009 | 0.47 | 3.26 | 4.08 |
| 2010 | 0.32 | 3.22 | 4.25 |
| 2011 | 0.18 | 2.78 | 3.91 |
The fiscal year table provides each rate from 1977 onward, due to the shift in the federal fiscal year to October 1-September 30 beginning that year. There are gaps in the 30-year rate for 2003, 2004, and 2005 and in the 20-year rate from 1988 through 1993 due to a lack of data. The calendar year table provides the one, three, five, and ten year rates from 1962 onward. Other rates start in different years after 1962.
This data was compiled from the H.15 public release (Selected Interest Rates) of the Federal Reserve Board (disclaimer: I am employed by the Federal Reserve Board) using the Treasury constant maturities data sets. The calendar year data comes directly from the historical section’s annual tables for each maturity. The fiscal year figure is the arithmetic mean of the monthly rates during the fiscal year. Generally speaking, this is not the actual borrowing rate but instead represents the expected borrowing rate for the federal government during the time frame in question for the given maturity. As a result, this is a close approximation to the rate necessary for ex post social discounting.
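Both the fiscal-year CPI table and the fiscal-year Treasury rate table above are built the same way: average the twelve monthly figures from October through the following September. The following is an added example (not the author's own code) that performs that bucketing on a constructed monthly series, skips fiscal or calendar years that are missing months rather than averaging a partial year, and shows the nominal-to-constant-dollar rescaling between a fiscal and a calendar year.

```python
# Added example: fiscal-year (October-September) averaging of a monthly index,
# with partial years skipped, plus nominal-to-constant-dollar conversion.
# The monthly index values below are constructed, not BLS or H.15 data.
from statistics import mean


def fiscal_year_of(year, month):
    """Federal FY n runs from October of n-1 through September of n."""
    return year + 1 if month >= 10 else year


def fiscal_year_means(monthly):
    """monthly: {(year, month): value}. Returns {fiscal_year: mean} only for
    fiscal years with all twelve months present; a partial year would bias
    the average toward whichever months happen to be available."""
    buckets = {}
    for (year, month), value in monthly.items():
        buckets.setdefault(fiscal_year_of(year, month), []).append(value)
    return {fy: mean(v) for fy, v in sorted(buckets.items()) if len(v) == 12}


def calendar_year_means(monthly):
    """Same averaging on calendar years, for comparison or cross-conversion."""
    buckets = {}
    for (year, _), value in monthly.items():
        buckets.setdefault(year, []).append(value)
    return {y: mean(v) for y, v in sorted(buckets.items()) if len(v) == 12}


def to_constant_dollars(amount, from_index, to_index):
    """Rescale a nominal amount from one index level to another. The two
    levels may be a fiscal-year and a calendar-year average, which is how
    the page's table can convert between the two year definitions."""
    return amount * to_index / from_index


# Constructed index: October 2009 through December 2010, rising by 1.0 per
# month. FY2010 and calendar 2010 are complete; FY2011 and calendar 2009 are
# partial and must be dropped by the averaging functions.
MONTHS = [(2009, m) for m in (10, 11, 12)] + [(2010, m) for m in range(1, 13)]
SAMPLE_INDEX = {ym: 200.0 + i for i, ym in enumerate(MONTHS)}


def example():
    fy = fiscal_year_means(SAMPLE_INDEX)      # {2010: 205.5}
    cy = calendar_year_means(SAMPLE_INDEX)    # {2010: 208.5}
    # $1000 in FY2010 dollars expressed in calendar-2010 dollars.
    converted = to_constant_dollars(1000.0, fy[2010], cy[2010])
    return fy, cy, converted


if __name__ == "__main__":
    print(example())
```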
I will be presenting on the National Flood Insurance Program at the William and Mary Graduate Research Symposium in March. The abstract of the talk is:
The National Flood Insurance Program (NFIP) was created by Congress in 1968 to provide insurance and prevention against flood risk and to shift some rebuilding costs off the federal budget. The program, administered by the Federal Emergency Management Agency (FEMA), includes a flood mitigation grants component available to communities and a financial insurance component available to individuals and businesses. The program has been criticized for its environmental and economic impacts.
This presentation will provide an interdisciplinary retrospective benefit-cost analysis of the NFIP for the period 1996 through 2009, covering data available from FEMA for the program. The paper evaluates the impacts of both the flood mitigation program and the financial insurance component to estimate the net benefit to society during the time frame. The impacts include direct financial transfers, shifts in the consumer surplus, increased cost of building maintenance in flood hazard areas, and environmental changes.
The results of this research inform interdisciplinary and policy questions about the NFIP including whether the program should be restructured, whether Congress should enact additional natural disaster insurance programs, or how the benefits and costs of the NFIP extend into the future. The results also provide the baseline for determining how the benefits and costs of the program are allocated among social classes.
This talk will cover one of the three research questions in my dissertation proposal.
It isn’t listed in the DSM yet, but I think I have a condition I am calling Touchscreen HCI Disorder. The cause is using too many touchscreen devices. The symptom is assuming all glowing boxes are touchscreens and jabbing them with your finger then getting annoyed when they do not respond.
This evening I finished recoding a list of grants from FEMA for Flood Mitigation Assistance. This dataset contains 2108 entries, and contains the following columns, among others:
| State | County | Subgrantee |
|---|---|---|
| Maryland | Garrett | Oakland, Town Of |
| Maryland | | Town of Bel Air |
| Maryland | | Howard County Department of Fire Rescue Services |
| Maryland | Worcester | Ocean City, Town Of |
Because many of the subgrantee fields are filled even when the county is not and most of the subgrantees are local government agencies, I tried to recode the counties according to FIPS 6-4, “Counties and Equivalent Entities of the United States, Its Possessions, and Associated Areas.” Local governments were recoded to their parent counties, as appropriate.
Going through this process by hand, I have some observations on the first-order divisions of states:
For reasons I cannot entirely justify, I created a new Twitter account, @OpenPGPBot, that automatically retweets anything posted involving PGP, GnuPG, or OpenPGP. Please follow if it’s your thing.
Systems are only as secure as you make them. Thankfully, FreeBSD offers an excellent range of tools and mechanisms to insure that all your security needs are met.
Jacques Manukyan writes in the new issue of BSD Magazine. PDF download of the entire magazine available at the link.
PGP Corporation’s Perspectives Blog offers some insight on how new cloud-based products can be secure and offer identity management (in a curiously unsigned post). The first generation of products we have seen centers on API keys, except for a few products which require you to submit your username and password for remote use. Both of these solutions are insecure for the same reasons.
Lately, a few cloud products at the bleeding edge of development have offered a new solution. GitHub, BitBucket, and Heroku have offered authentication solutions based on SSH keys. While these are development tools, their inherent focus on distributed data management suggests where next generation cloud services will solve authentication problems.
Lately, I’ve been working in Git for version control and one of the more interesting features is the ability to sign source code tags. Git is a distributed repository system and consequently, it is impossible to know if a given copy of the repository is official in any sense of the word. Cryptographic signatures alleviate this problem and Git uses GPG to do it.
First, it is necessary to tell Git about your key:
```
howardjp@byzantine:~/src/git$ git config user.signingkey 0x3EE4249E
howardjp@byzantine:~/src/git$ git config --get user.signingkey
0x3EE4249E
howardjp@byzantine:~/src/git$
```
Then, create a tag giving the -s option:
```
howardjp@byzantine:~/src/git$ git tag -s commit.infodisplay 0839c680c7d2821753ae684874abf83aaaba6f32
.git/TAG_EDITMSG: unmodified: line 4
:a
This tag represents a finalized commit.infodisplay variable.
.
:x
.git/TAG_EDITMSG: 5 lines, 88 characters

You need a passphrase to unlock the secret key for
user: "James Patrick Howard, II"
2048-bit RSA key, ID 0x3EE4249E, created 2009-08-30 (main key ID 0xE6602099)

howardjp@byzantine:~/src/git$
```
Since my password was cached by GPG Agent, I do not need to enter it. And it’s that simple. To verify a tag, give a tag name and the -v option:
```
howardjp@byzantine:~/src/git$ git tag -v commit.infodisplay
object 589c8efd5bec637050ddaadae9471c15601738cb
type commit
tag commit.infodisplay
tagger James P. Howard, II 1261089522 -0500

This tag represents a finalized commit.infodisplay variable.
gpg: Signature made Thu Dec 17 17:38:42 2009 EST
gpg:                using RSA key 0x3EE4249E
gpg: Good signature from "James Patrick Howard, II" [ultimate]
howardjp@byzantine:~/src/git$
```
When Git signs a tag, it creates an object to represent the tag, and that object names the commit and, through it, the entire history of the repository leading up to the tag. This is important because the signature then verifies an entire line of development, allowing distributed source trees that can be trusted.
Dan Mahoney has written a new overview of publishing PGP keys via DNS:
Publishing PGP keys is a pain. There are many disjoint keyservers, three or four networks of which, which do (or don’t) share information with each other. Some are corporate, some are private. And it’s a crapshoot as to whose key is going to be on which, or worse, which will have the latest copy of a person’s key.
For a long time, GPG has had a way to publish keys in DNS, but it hasn’t been well documented. This document hopes to change that.
I do not work with DNS much any more, so I have not tried it.
This blog is about identity, and social media touches on that. Small and medium sized enterprises (SMEs) are all over social media, and rightfully so. Social media provides SMEs the opportunity to level the advertising playing field and work directly with potential customers. And having a presence in multiple networks is equally critical, since the users are everywhere.
Quite a few, I’ve noticed, don’t get it. I have received a handful of friend requests on Facebook from businesses, despite the fact Facebook prohibits the use of personal accounts without a personal identity attached. Facebook provides a mechanism for businesses through “Pages.” But what surprised me recently was a business with a personal profile on LinkedIn, and it has 25 connections. The business also had a company profile on LinkedIn, which was up to date. SMEs would be better off using the business profile pages established for that purpose, as they usually are better geared at presenting business data. After all, you may be married to your work, but Facebook ought not say it is married to you.
OpenPGP provides the ability to associate a key with multiple email addresses. This is handy if you are both john.doe@example.com and jd@example.com at work and adding both identities to your OpenPGP key is best because you cannot control what address outsiders use for you. But you might also have a personal email account at Gmail or Hotmail. Should you add this identity to the same key as your work addresses?
If the key is only used to provide digital signatures, the only question is whether you want the email address to actually be associated with you. If your personal email address is john.doe@gmail.com or something similarly innocuous, you will be fine.
But encryption keys are another matter. If a recipient has multiple encryption subkeys on their OpenPGP key, they cannot specify a preferred subkey for any purpose. The sender is free to choose. So one subkey cannot be designated as professional versus another. As a result, an employer may well suggest that an encryption subkey stays with the business, since a subkey will always decrypt corresponding ciphertext, even if revoked.
There are a few considerations that suggest it may not be worthwhile, however. Encryption tools are not electronic methods for solving social problems. If an employee wants to steal data from the business, forcing them to use separate keys will not prevent them doing so, especially since they may steal deciphered plain text or even the encryption keys. And employers may need to securely contact employees in a personal capacity, for instance, during a continuity of operations event, and establishing a consistent set of trusted keys for personnel can smooth communications.
Though not necessary for most modern users of PGP, understanding PGP key versions can shed light on other questions. There are two key versions which are relevant: PGP Version 3 (V3) and PGP Version 4 (V4). V4 keys were introduced by NAI’s PGP 5.0, which the OpenPGP standard is based on. The standard refers to V3 keys as “old format” and V4 keys as “new format.”
New format keys offer many advantages over old format keys. This includes the inclusion of many different subpackets that can be attached to a public key, a sort of addendum to the key, which can specify information such as preferred hash algorithm, preferred key server, or revocation information. As GnuPG and PGP versions since at least 2000 have used new format keys by default, there is little concern here about which key format to use. However, some outstanding keys predate the OpenPGP standard and are still in use today. These keys are acceptable for use provided the owner accepts the key as their own.
In contrast to the multiple assurer model, there is a single assurance model. The most interesting of the single assurer models is the Gossamer Spider Web of Trust, or GSWoT, which calls its assurers introducers. Like CAcert and Thawte, GSWoT introducers are volunteers who perform assurances as a part of other activities. GSWoT introducers, however, do not earn points and are drawn from the ranks of CAcert and Thawte assurers. This process enables GSWoT to recruit those already well-versed in identity management best practices.
GSWoT only works within the PGP web of trust by relying on the OpenPGP’s specification for depth of trust. GSWoT users can download the GSWoT keyring, which includes introducers, and a metakey for the entire GSWoT network. The user should issue a trusted signature to the GSWoT metakey with a trust depth of 2. The GSWoT metakey signs an introducer’s keys with a trust level of 1. From then on, the user who downloaded the GSWoT keyring will find valid keys for anyone signed by any GSWoT introducer. GSWoT introducers are expected to hold high standards when issuing signatures to ensure the Gossamer Spider Web of Trust does not become polluted. Additionally, GSWoT introducers cross sign each other’s keys to tighten the web of trust knot surrounding its volunteers.
There is significant overlap with both the CAcert and Thawte web of trust networks among GSWoT introducers. But unlike CAcert and Thawte, there is no single organization that continues to monitor and issue signatures representing the web of trust. Provided a copy of the GSWoT keyring, anyone can verify the validity of a signature indefinitely. For PGP users, the GSWoT keyring and the CAcert PGP key (which should be trust-signed with a trust depth of 1) provide a web of trust that is remarkably fault tolerant, massively distributed worldwide, and freely accessible by any Internet user.
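As an added illustration of the trust-depth rules the two passages above rely on (this is not code from the post or from GSWoT), the following Python model propagates trust signatures outward from the user's own key and reports which keys become valid and which keys may act as introducers. Key ids are constructed, and trust amounts (marginal versus full) are ignored, so every trust signature counts as full trust.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
import math

@dataclass(frozen=True)
class Cert:
    signer: str      # key id of the certifying key
    target: str      # key id being certified
    depth: int = 0   # 0 = ordinary certification; n > 0 = trust signature of depth n

def compute_validity(owner: str, certs: List[Cert]) -> Tuple[Set[str], Dict[str, float]]:
    """Return (valid keys, introducer depth granted to each key).

    Simplified RFC 4880 trust-signature rule: a key trusted as an introducer
    at depth n may certify keys and may pass on at most depth n - 1. The
    owner is ultimately trusted (unbounded depth). Trust amounts are ignored."""
    trusted: Dict[str, float] = {owner: math.inf}
    valid: Set[str] = {owner}
    changed = True
    while changed:  # a signer may only become trusted after a later cert is seen
        changed = False
        for c in certs:
            if trusted.get(c.signer, 0) < 1:
                continue  # signer is not an introducer from our point of view
            if c.target not in valid:
                valid.add(c.target)
                changed = True
            granted = min(c.depth, trusted[c.signer] - 1)
            if granted > trusted.get(c.target, 0):
                trusted[c.target] = granted
                changed = True
    return valid, trusted

# Constructed example keyring: the post's recommended tsigns plus a few edge cases
ME = "my-key"
CERTS = [
    Cert(ME, "GSWoT-metakey", depth=2),             # tsign with trust depth 2
    Cert(ME, "CAcert", depth=1),                    # tsign with trust depth 1
    Cert("GSWoT-metakey", "introducer-A", depth=1), # metakey signs an introducer at level 1
    Cert("introducer-A", "alice"),                  # alice becomes valid
    Cert("alice", "bob"),                           # alice cannot introduce: bob stays invalid
    Cert("introducer-A", "introducer-B", depth=1),  # depth budget exhausted: B is not an introducer
    Cert("introducer-B", "carol"),
    Cert("CAcert", "dave"),                         # valid; CAcert may not delegate
    Cert("dave", "erin"),
]

if __name__ == "__main__":
    valid, trusted = compute_validity(ME, CERTS)
    print("valid:", sorted(valid))
    print("introducers:", {k: d for k, d in trusted.items() if d >= 1})
```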
Earlier this week, I changed my profile picture on Twitter, Facebook, and other websites and decided the photo on my PGP key should match. This is a quick tutorial on PGP key photos.
PGP keys permit photos to be recorded on the key; they are treated like other user IDs in that they can be signed by others. Image types are limited to JPEG. Generally, it is a set it and forget it process. So first we should remove the existing photo:
howardjp@thermopylae:/tmp/gpg$ gpg --edit --expert 0xE6602099
Secret key is available.
pub 4096R/0xE6602099 created: 2009-08-30 expires: never usage: C
trust: ultimate validity: ultimate
sub 2048R/0xFCB31625 created: 2009-08-30 expires: never usage: E
sub 2048R/0xA40883BA created: 2009-08-30 expires: never usage: A
sub 2048R/0x2C3602D7 created: 2009-08-30 expires: never usage: S
sub 2048R/0x3EE4249E created: 2009-08-30 expires: never usage: S
[ultimate] (1). James Patrick Howard, II
[ultimate] (2) James Patrick Howard, II <howard5@umbc.edu>
[ultimate] (3) James Patrick Howard, II <jh@jameshoward.us>
[ultimate] (4) James Patrick Howard, II <howardjp@gmail.com>
[ultimate] (5) James Patrick Howard, II <jphoward@jphoward.com>
[ultimate] (6) James Patrick Howard, II <james.howard@ubalt.edu>
[ultimate] (7) James Patrick Howard, II <howardjp@terpalum.umd.edu>
[ultimate] (8) James Patrick Howard, II (GSWoT:US72) <howardjp@gswot.org>
[ultimate] (9) [jpeg image of size 18245]
[ultimate] (10) James Patrick Howard, II <howardjp@miamialum.org>
Everything looks fine so far, so let’s select the photo as a user ID and revoke it (from here, output will be abbreviated):
Command> 9
pub 4096R/0xE6602099 created: 2009-08-30 expires: never usage: C
trust: ultimate validity: ultimate
[ultimate] (8) James Patrick Howard, II (GSWoT:US72) <howardjp@gswot.org>
[ultimate] (9)* [jpeg image of size 18245]
[ultimate] (10) James Patrick Howard, II <howardjp@miamialum.org>
Command> revuid
And now GPG will ask if I really want to do this, why, and give me the new key:
Really revoke this user ID? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
4 = User ID is no longer valid
Q = Cancel
(Probably you want to select 4 here)
Your decision? 4
Enter an optional description; end it with an empty line:
> Image is being updated.
>
Reason for revocation: User ID is no longer valid
Image is being updated.
Is this okay? (y/N)
You need a passphrase to unlock the secret key for
user: "James Patrick Howard, II"
4096-bit RSA key, ID 0xE6602099, created 2009-08-30
pub 4096R/0xE6602099 created: 2009-08-30 expires: never usage: C
trust: ultimate validity: ultimate
[ultimate] (8) James Patrick Howard, II (GSWoT:US72) <howardjp@gswot.org>
[ revoked] (9) [jpeg image of size 18245]
[ultimate] (10) James Patrick Howard, II <howardjp@miamialum.org>
So everything looks great, let’s add a new one:
Command> addphoto
Pick an image to use for your photo ID. The image must be a JPEG file.
Remember that the image is stored within your public key. If you use
very large picture, your key will become very large as well!
Keeping the image close to 240x288 is a good size to use.
Enter JPEG filename for photo ID: jph.jpg
This JPEG is really large (44219 bytes) !
Are you sure you want to use it? (y/N) y
Since nobody actually reads keys to each other, I don’t mind a nice large color picture, but it is worth noting it is only 225x225 pixels.
Is this photo correct (y/N/q)? y
You need a passphrase to unlock the secret key for
user: "James Patrick Howard, II"
4096-bit RSA key, ID 0xE6602099, created 2009-08-30
pub 4096R/0xE6602099 created: 2009-08-30 expires: never usage: C
trust: ultimate validity: ultimate
[ultimate] (8) James Patrick Howard, II (GSWoT:US72) <howardjp@gswot.org>
[ revoked] (9) [jpeg image of size 18245]
[ultimate] (10) James Patrick Howard, II <howardjp@miamialum.org>
[ unknown] (11) [jpeg image of size 44219]
The validity is unknown, because it has not been recalculated yet. This is easy to fix by restarting GPG. Don’t forget to save your work:
Command> save
howardjp@thermopylae:/tmp/gpg$ gpg --edit --expert 0xE6602099
Secret key is available.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 2 signed: 2 trust: 2-, 0q, 0n, 0m, 0f, 0u
pub 4096R/0xE6602099 created: 2009-08-30 expires: never usage: C
trust: ultimate validity: ultimate
[ultimate] (8) James Patrick Howard, II (GSWoT:US72) <howardjp@gswot.org>
[ revoked] (9) [jpeg image of size 18245]
[ultimate] (10) James Patrick Howard, II <howardjp@miamialum.org>
[ultimate] (11) [jpeg image of size 44219]
Command> quit
And you’re done!
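Because the photo ends up embedded in the public key that everyone downloads, it is worth checking an image before running addphoto. The following is an added example, not part of the post or of GnuPG: it reads a JPEG's frame header to get its dimensions, estimates how many bytes the photo user attribute will add to the key (the 16-byte image header from RFC 4880 section 5.12.1 plus the JPEG itself), and flags images larger than gpg's 240x288 suggestion. The 6144-byte figure for gpg's "really large" warning is an assumption, and the sample JPEG is a constructed stub with no scan data.

```python
import struct

# gpg's addphoto hint from the transcript above: keep the image near 240x288
RECOMMENDED_W, RECOMMENDED_H = 240, 288
# A photo user attribute wraps the JPEG in a 16-byte image header (RFC 4880 5.12.1)
IMAGE_HEADER_LEN = 16
# Size above which gpg prints "This JPEG is really large": assumed value,
# check GnuPG's photoid.c before relying on it
LARGE_JPEG_BYTES = 6144

def jpeg_dimensions(data: bytes) -> tuple:
    """Walk the JPEG marker segments and return (width, height) from the SOF marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker structure at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):
            break  # EOI or start of scan reached without a frame header
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2  # standalone markers carry no length field
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):  # SOF0/SOF1/SOF2: precision, height, width
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + seg_len
    raise ValueError("no SOF marker found")

def check_photo(data: bytes) -> dict:
    """Report what adding this JPEG as a photo ID would do to the key."""
    width, height = jpeg_dimensions(data)
    return {
        "width": width, "height": height,
        "packet_bytes": len(data) + IMAGE_HEADER_LEN,  # bytes added to the public key
        "exceeds_recommended": width > RECOMMENDED_W or height > RECOMMENDED_H,
        "gpg_would_warn": len(data) > LARGE_JPEG_BYTES,
    }

def make_stub_jpeg(width: int, height: int) -> bytes:
    """Constructed sample: JFIF APP0 segment and SOF0 frame header only, no scan data."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\x08" + struct.pack(">HH", height, width) + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0
            + b"\xff\xd9")
```

Run check_photo on the real file you intend to pass to addphoto; the stub builder exists only so the parser can be exercised offline.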
Identity assurance systems are surprisingly interesting. Two, which work in basically the same way, are CAcert and the Thawte Web of Trust. In each system, a person can register for a free account through the web and is then required to obtain points from assurers. Assurers work as volunteers, though some may charge small fees for their work. Many assurers are certified to grant points within both systems.
Assurers will meet with a person, request to see photographic identification, such as a passport, and are required to document what type of identification is presented. The assurer may assign up to 35 points to the person met based on their own seniority in the system and satisfaction with proof of identity.
Once a person has collected at least 50 points, either system will issue them a signed X.509 certificate, including their name and email address, that the person can use for S/MIME email or certificate-based logins. If a person can collect 100 points, they may themselves become an assurer within the system. The requirement for multiple assurers’ certifications prevents a single rogue assurer from poisoning the well of certificates issued by the system. At least two assurers are necessary. In these respects, both CAcert’s and Thawte’s systems are identical.
There are several differences worth noting. First, Thawte certificates are widely accepted by the default configuration on desktop PCs. However, CAcert certificates are not widely accepted and will only be accepted if the user has installed CAcert’s root certificates. CAcert is aware of this and pushing for inclusion in more software. CAcert also issues website SSL certificates for servers, and code signing certificates for applications developers.
Additionally, CAcert offers PGP key signatures for verified email addresses from the CAcert PGP key. CAcert’s PGP certifications are available to users with at least 50 assurance points.
Last month, Thawte announced the termination of their service and offered users a free one year certificate through Verisign. The service no longer accepts new enrollments.
The above was written primarily before Thawte’s announcement.
Below is a highly abbreviated output of gpg --list-sigs for my public key, 0xE6602099, specifically the output for user identity jh@jameshoward.us:
pub 4096R/E6602099 2009-08-30
uid James Patrick Howard, II <jh@jameshoward.us>
sig 2 1 3C4A1809 2009-09-02 GSWoT - Gossamer Spider Web of Trust
sig 3 1 6126D1F5 2009-08-30 James Patrick Howard, II
sig P 65D0FD58 2009-08-30 CA Cert Signing Authority (Root CA)
sig X CA57AD7C 2009-09-03 PGP Global Directory Verification Key
sig X CA57AD7C 2009-09-16 PGP Global Directory Verification Key
sig 3 E6602099 2009-08-30 James Patrick Howard, II
One signature worth noting is the self signature from 0x6126D1F5. This offers users of my public key assurance that I approve of tying this user identity, including the email address, to me. Two others, from 0x3C4A1809 and 0x65D0FD58, are the root keys for the Gossamer Spider Web of Trust and CAcert, respectively.
But also included are three signatures from 0xCA57AD7C, the PGP Global Directory Verification Key. PGP Corporation runs a unique keyserver that, unlike others, does not retain historical data. The server will send a verification message to each email address on the key. Once an address is verified, the Global Directory records this for future use. When downloading a key later, any verified address is signed at download time by the PGP Global Directory Verification Key.
The unique aspect of this is the short time to live for these certifications. Signatures from the Global Directory are set to expire two weeks after creation, though they will be recreated the next time the key is fetched. As a result, some keys in the wild have numerous PGP Global Directory Verification Key signatures embedded. For instance, the most recent copy of the CAcert key above has 114 certifications from the PGP Global Directory included.
PGP acknowledges this method of verification has limitations. But for a first level identity check, especially when the email address is known and available, this method can provide a quick and dirty check for a valid key.
This is a new blog dedicated to OpenPGP and related topics. OpenPGP, itself, is a standard for encrypting and signing digital data. Some of the related issues might include identity management, X.509, and even social media.
I started this because so much of the material surrounding OpenPGP is so poorly documented. While several books exist, they do not provide much insight into the nuances of signing data and none provide a lot of resources for those interested in more than encrypting a few emails.
This blog will cover a lot of topics from key generation and types to certificate authorities and probably some other interesting things coming over the horizon. Posts will probably run about once a week, usually on Tuesdays.