Signing My Way

If you receive an email from me the chances are good that it will have an attachment named signature.asc. This contains a PGP signature, which in combination with my public key can be used to verify that I wrote the email and that it hasn't been changed since I sent it on its way.

Why do I bother and why should you care?

Anyone can send email claiming to be anyone. It's fairly straightforward to write an email assuming somebody else's address and identity. If the recipient knows to trust only messages that carry a valid cryptographic signature, fraudulent messages can be ignored or at least confirmed as fraudulent. This problem is reasonably widespread; in the cases that I've seen so far it is mostly used for sending spam from reputable-sounding email addresses.

In addition, almost all email is sent in plain text. Anybody who runs any computers between you and the recipient of the email can read its entire contents if they want. If you're using a cryptographic system you can also encrypt your message so that only the exact people you want can read it.

It's reasonably obvious that this cryptography business is quite a good idea, so why isn't it widely used by everyday internet users? Probably because it isn't yet widely used by everyday internet users. To get in on this, you need to generate a key of your own and run some extra software to do the cryptography for you.

  1. Generate a key. This will have two halves -- a public key and a private key. It will also have a password. You keep the private part and the password completely secret, but you need both of them to make it work.
  2. Publish the public key to the world. Give it to your friends. Upload it to a public keyserver. They can use this to send you encrypted mail or to verify your email signatures.
  3. Sign your friends' keys to indicate that you, the holder of your key, have decided that the person who owns the other key is who they say they are. Hopefully they'll do the same for you, and this builds the "web of trust" -- if you trust your friend's key, and they trust someone else's, you can probably trust it too. If ten of your friends trust another key you can be even more certain that it's trustworthy. (It's worth knowing that there are formal requirements set down for trusting someone's key -- don't sign a stranger's key!)

What you need is GnuPG, a free and open source PGP implementation. You can download it for Windows or for Mac. Installation on Linux is as normal with your package manager. Then you need some integration for your mail client. If you're using Thunderbird try Enigmail.
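Steps 1 and 2 and the signature.asc check, as they look on the command line. This is an added example, not part of the original post; it assumes GnuPG 2.1 or later, and the identity, passphrase and file names are constructed for the demo. The recipient side uses a separate keyring holding only the public key.

```shell
#!/bin/sh
# Added example. Identity and passphrase are constructed; throwaway keyrings
# are used so your real ~/.gnupg is never touched.
DEMO_UID='Demo Sender <sender@example.org>'
DEMO_PASS='constructed-demo-passphrase'

demo_setup() {              # sender's private keyring in a temp dir (mode 0700)
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME
}

gpg_sender() {              # non-interactive gpg using the demo passphrase
    gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase "$DEMO_PASS" "$@"
}

generate_key() {            # step 1: key pair protected by the passphrase
    gpg_sender --quick-generate-key "$DEMO_UID" default default never
}

export_public() {           # step 2: only the public half leaves the keyring
    gpg_sender --armor --output "$1" --export "$DEMO_UID"
}

sign_message() {            # writes a detached signature next to the message
    gpg_sender --armor --local-user "$DEMO_UID" \
        --output "$1.asc" --detach-sign "$1"
}

verify_as_recipient() {     # $1 = message, $2 = sender's public key file
    rhome=$(mktemp -d)      # recipient holds the public key only
    if GNUPGHOME="$rhome" gpg --batch --quiet --import "$2" 2>/dev/null &&
       GNUPGHOME="$rhome" gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
    then rc=0; else rc=1; fi
    rm -rf "$rhome"
    return "$rc"
}

run_demo() {
    demo_setup && generate_key || return 1
    msg="$GNUPGHOME/mail.txt"; pub="$GNUPGHOME/pub.asc"
    printf 'Lunch on Friday?\n' > "$msg"
    export_public "$pub" && sign_message "$msg" || return 1
    verify_as_recipient "$msg" "$pub" && echo "original: signature good"
    printf 'Send money instead.\n' >> "$msg"     # altered after signing
    verify_as_recipient "$msg" "$pub" || echo "altered: signature rejected"
}
case "${1:-}" in demo) run_demo ;; esac
```

Save it to a file and run it with the argument `demo`. A good signature here only proves the message matches the key; whether the key belongs to the person named on it is what step 3 addresses.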

It's not that hard and it's probably the most trustworthy way of verifying communications on the 'net that we have. Let's solve this chicken-and-egg problem early so we have something to fall back on if and when identity theft, fraud and spam make the current situation untenable.

My key id: 0x6F3A5B84 <http://arctanx.id.au/tk-pub-key.txt> Please feel free to use it.

One Comment

  1. Posted July 17, 2009 at 12:30 | Permalink

    And when you have enough friends all using OpenPGP/GPG, remember to host a keysigning party!
