Why I Digitally Sign My E-Mail

Posted on and updated on 5 minute read

Most e-mail messages I send are digitally signed using a process called “Pretty Good Privacy”, or PGP. In e-mail applications that don’t understand PGP, this digital signature will show up either as an attachment called “PGP.sig” or as a part of the message starting with “BEGIN PGP SIGNATURE” at the bottom of the e-mail. This file – containing gibberish to the human eye – is used by PGP-aware programs to verify that the message actually came from me. If you are using PGP, I could also sent you a message that only you could read (e.g. “encrypted”). This page gives some background on PGP and why I consider it important.

Background on PGP

PGP was created in 1991 as a mechanism to “sign” (verify the integrity) or “encrypt” (obscure from view) messages and files. The process is based on some very complicated mathematics that won’t be explained here, but it does involve “keys” that come in two parts. These two keys are strings of numbers that are mathematically linked; a message transformed by one part can only be undone by the other part. In PGP, one part of the key is declared to be public – published to the world – and the other part kept private. This public/private nature is why this technique is part of a class of computer algorithms called “Public-key cryptography”.

My messages are signed with my private key, which is protected by a long and secure password. At any point now or in the future, you could take my message with the PGP.sig file, run it through a PGP program (such as the free GnuPG suite of tools) along with my published public key (see below) and verify that I am the person that sent the message. Normal e-mail doesn’t give you that kind of assurance; the scourge of spam and phishing ((“Phishing” is a term used to describe techniques used by scammers to try to convince you to give up passwords or other personal information.)) is a demonstration of the problem that you can’t trust that any average e-mail comes from your relatives or from your bank. By contrast, a verified digitally signed message can give you strong evidence that the message actually came from me.

The Web of Trust

One of the attractive features of PGP its “web of trust”. Within my keyring, I can store the fact that I verified someone as the holder of a particular public key. Then, when I receive signed or encrypted messages using the private half of that key, the system will remind me that I verified the owner of that key.

I can also publish the fact that I verified the ownership of someone’s public key. In doing so, I’m telling the world that I have matched a human with a public key and that you can trust it, too. If you believe my verification of that person’s public key, then you too can trust messages signed and encrypted by that key as well. And even if you don’t trust me completely, you might see that three other people have verified the owner of the public key and the combination of the four of us would be enough to convince you of the ownership of that public key – even if you have never met the person. That is the web of trust, and it is popular in software development circles to trust the people submitting patches to code. (For example, the Debian keyring.)

This mechanism for creating trust between individuals is a bottom-up, grass-roots scheme. It relies on one-on-one interactions to extend trust to other individuals. Contrast this with a top-down scheme like SSL that encrypts connections in our web browser ((SSL is an earlier form of the standard now called Transport Layer Security, or TLS.)). SSL, as commonly implemented, requires a central Certificate Authority to issue a key that is trusted by our web browsers. Our browsers trace the authenticity of the server key to the Certificate Authority key to validate the identify of the web server.

By analogy, another top-down scheme are driver’s licenses. They are issued by a central authority (a state), and as long as you trust the process by which the state issues licenses, you can trust the identity of the person holding the license. A bottom-up analogy might be our human capability of recognizing faces. If I see someone in our office meeting with people that I know work for my organization, I have some confidence that person works for my organization as well.

The web-of-trust gets stronger when more people verify each others public keys. So, needless to say, I’m always looking for people to sign my keys (verify my identity) and am willing to sign the keys of others. Side note: Going to ALA Midwinter in Boston? In addition to exchanging our own signatures, there are a number of people in Boston who are open to key signing exchanges as well. Perhaps a number of us could make an event out of running around the city together…

This Sounds Good. Why Isn’t It Used More?

Well, generating PGP keys, managing them, and adding the PGP capability to mail programs that don’t have it natively is hard. The process is quite geeky, the errors are cryptic, and the documentation is sparse. The raw technology is there, but it isn’t in a usable form yet.

I don’t know if it will get to a usable form, but I hope so. By using public key signatures on almost all of my messages and by posting this message, I’m hoping to generate awareness and understanding of public key cryptography in general and the PGP technique in particular. At least a little part of my corner of the universe will be aware of it, and given the bottom-up, grass-roots nature of the PGP web-of-trust, perhaps that is a good enough start. If you have questions about PGP and/or run into stumbling blocks try to use it, get in touch with me and I’ll help the best I am able.

My Keys

I have two keys – one that I use for professional use and one that I use for personal use. By publishing them here and elsewhere, I’m declaring openly that these are my keys.

  • Peter Murray – Professional Key ID: 2048D/877838CF Fingerprint: B021 8300 6844 E459 A18E 83CF 4C7A 6A28 8778 38CF) Created: 2-Jan-2010; Expires: 5-Feb-2015 Public key as known by keyserver pgp.mit.edu (ASCII-armored version)
  • Peter Murray – Personal Key ID: 2048D/4637F6A1 Fingerprint: 5781 5786 7D66 D33B 0F54 D9DE 5820 0CEE 4637 F6A1) Created: 2-Jan-2010; Expires: 5-Feb-2015 Public key as known by keyserver pgp.mit.edu (ASCII-armored version)

In another DLTJ post, I listed details on how these keys were created.

More Information

Looking for more reasons why PGP is important? Read PGP-creator Phil Zimmermann’s “Why do you need PGP?