Monday, 4 March 2013

PGP signed email

Obviously, we know Randall is being sarcastic here, really...

But, especially for my friends who do get emails from me that start like that, you may want to know what this is about.

PGP (Pretty Good Privacy) is a standard way to both sign and encrypt emails and other things. You don't have to understand the computing and mathematics behind it, just rest assured that there are people that do.

Signing a message means adding an extra bit to the message (the big block of jumbled characters at the bottom) which can be used to check the signature of the message. This is not really for you to read, but for your mail client to check for you. If you have PGP installed then your mail client will normally hide all this and provide a nice green tick or some such to indicate all is well, or maybe a big red X if it is not right. You can't manually check it. The block of characters is different every time and for every message. If even one character in the message had been changed (e.g. changing "now" to "not" which could radically change the meaning) then the signature would not match correctly. But the signature does not just check that the message is intact but also who signed it. This relies on keys and you will have keys for people you know and trust, otherwise you may see a "good signature from untrusted key" type message. There are ways to check that the key is really who it claims to be, and in my case my business cards even have a key fingerprint on them which you can use to check the key is mine. One could get into long debates on the meaning of identity at this point, but let's not :-)

In short, to check the signature, you have to have the right software on your computer (in the mail client, normally) and you have to have the sender's key and trust it to be from the real sender. If you start using PGP a bit you'll soon get the hang of it.
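For the curious, the three verdicts described above (good, good but from an untrusted key, bad) can be shown in a few lines of Python. This is an example added here, not the author's code and not real PGP: it uses a Lamport one-time signature as a stand-in because that needs only the standard library, and the message, keys and trusted-fingerprint set are constructed for the demo.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub

def digest_bits(message: bytes):
    d = int.from_bytes(H(message), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(message: bytes, priv):
    """Reveal one secret per digest bit. A Lamport key may sign only one message."""
    return [priv[i][bit] for i, bit in enumerate(digest_bits(message))]

def fingerprint(pub) -> str:
    """Short hash of the public key, compared out of band (e.g. a business card)."""
    return H(b"".join(a + b for a, b in pub)).hex()[:40]

def check(message: bytes, sig, pub, trusted_fingerprints) -> str:
    """Return the kind of verdict a mail client would show."""
    bits = digest_bits(message)
    intact = len(sig) == 256 and all(H(s) == pub[i][b] for i, (s, b) in enumerate(zip(sig, bits)))
    if not intact:
        return "BAD signature"
    if fingerprint(pub) not in trusted_fingerprints:
        return "good signature from untrusted key"
    return "good signature"

def demo():
    priv, pub = keygen()
    _, stranger_pub = keygen()            # a different person's key
    msg = b"Please pay the invoice now"   # constructed sample message
    sig = sign(msg, priv)
    card = {fingerprint(pub)}             # fingerprint the recipient verified
    return [
        check(msg, sig, pub, card),                            # untouched, key trusted
        check(msg, sig, pub, set()),                           # untouched, key not yet trusted
        check(b"Please pay the invoice not", sig, pub, card),  # one character changed
        check(msg, sig, stranger_pub, card),                   # checked against the wrong key
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Real PGP uses reusable keys (RSA or elliptic-curve, for instance) and its own message format, but the checks are the same in spirit: does the signature match the message, and do you trust the key it matches.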

When I send a signed email I have to use a pass phrase to confirm it is really me. This is somewhat more secure than a signature on a paper document.

Encryption is a different matter, and some people get confused and think that a signed email is somehow encrypted. The only way I could send you an encrypted email is if I have your public key which I then use to scramble the email in such a way that only you can read it. You have the other half of the key and usually a pass phrase (a long password which is usually some sort of sentence) which unlocks the key and allows the email to be read. Again, you have to have the right software on your computer to do this, and you have to have your key, and your pass phrase, and I have to have used the right key to send the email to you.

So, obviously, don't just do what Randall says here - install PGP on your email client. Check signatures properly. Sign emails if you want. We live in a world of both spooks and data thieves, so taking some precautions may even be sensible.


  1. Of course don't lose your keys or passphrase if the law asks. Claiming you forgot is not a valid excuse.

    1. I think it is a valid excuse, to be honest. I have a feeling you somehow have to prove it though. Anyone know enough about RIPA to answer that?

    2. How do you prove you have crap memory?

    3. What was the question again?

    4. One way would be to say something very specific at the start of the hearing and when you are trying to prove people are able to forget things, ask the prosecution to repeat what you said... But who knows if that would work. I am sure there are research papers on memory studies that can be used, and expert witnesses, and so on.

  2. I use S/MIME rather than PGP/GPG these days; it's more widely supported.