(If you already know about PGP and/or GnuPG, please take a look at my key signing policy and exceptions.)
The internet in general is an insecure medium for communication by which only completely non-sensitive information should pass without some form of encryption.
I use GNU Privacy Guard (aka GnuPG or GPG), which allows me to encrypt, decrypt, cryptographically sign, and verify others' signatures on messages to and from other users of GnuPG or other OpenPGP-compatible programs. If you're a GNU user and have never heard of this, The GNU Privacy Handbook is recommended reading. Windows and Mac users can use GPG, too, but the process is a bit less intuitive; refer to gnupg.org if you're curious.
My public key is posted for your convenience, and here is what its fingerprint data should look like:
pub: 1024D/7885DAFC 2006-07-25
fpr: A0E6 3851 9ABB 112E 7303
DD91 7A2E 91FB 7885 DAFC
uid: Peter S. May <email@example.com>
uid: Peter S. May <firstname.lastname@example.org>
You must not trust the key data posted here without taking precautions. After all, what if my site's been hacked and someone posts bogus key data? If that were to happen, and you blindly used the keys from this site to encrypt a message to me, the attacker is who gets to read it.
Don't be tempted to dismiss this as paranoia. Firstly, it is entirely within the realm of possibility. (Dreamhost's low rates unfortunately don't buy you a lot of security.) Secondly, if you automatically believe whatever is posted on this site as the truth, all the crypto in the world won't help you, so don't bother with it.
Besides, verifying that my public key is actually mine is fairly simple.
- If you meet up with me in person, I typically carry a hard copy of my key fingerprint and at least a driver's license. So, here's what you do:
Keep in mind that if you ask for this information I'm liable to ask the same of you. Checking your key data in this way helps me verify that any signed e-mails you send me actually came from you and allows me to encrypt any reply I might have. I believe that any serious user of OpenPGP-based privacy should carry around a copy of his or her fingerprint and a photo ID, just in case. (A business card/personal calling card is a good place for this information.)
- Ask for a copy of my key fingerprint (it'll probably be on my personal calling card).
- Ask to see my photo ID.
- Verify that the face on the photo ID is my face (to make sure the photo ID really belongs to me).
- Verify that the name from the user ID on my key is the same as the name on my photo ID (to make sure that the key itself belongs to the owner of the photo ID, which we've established is me). If my key's user ID isn't with the hard copy of the fingerprint, write it down so you can verify it later.
- Later, when you're on your own computer, import my key (download it from above or locate it on a keyserver).
- Verify that the fingerprint and user ID data you just imported is a match for what you got on paper when we met in person.
- If, in your opinion, it's a satisfactory match, I would appreciate your signing my public key and sending the signed copy to me (and to your favorite keyservers if you so desire).
- If there's no way for us to meet in person, that's where something called the web of trust comes in. Instead of verifying my key in person, you get others whose keys you have verified (or can verify) to verify and sign my key. You can then set your OpenPGP software to calculate the trust based on their signatures on my key, plus your trust in their ability to verify my identity in the first place. It's an interesting setup, and one that doesn't involve putting ultimate trust in some central authority—or paying big bucks to that authority to sign your key. (If you ask me, the complexity of managing certificate authorities is what makes OpenPGP so much more attractive than, say, S/MIME in non-corporate environments. As for corporate environments, all you have to do is designate some signing key as an authority key and sign all the keys in your enterprise with it, and suddenly the web of trust is also able to operate in the same way as a CA-based system. Interesting concept, no?) Anyway, it's generally okay to establish trust in my key using the web of trust idea; still, you shouldn't actually sign my key without verifying it in person.
You're welcome to mail me about any questions or curiosities you might have on the subject.