Most e-mail messages I send are digitally signed using a process called “Pretty Good Privacy“, or PGP. In e-mail applications that don’t understand PGP, this digital signature will show up either as an attachment called “PGP.sig” or as a part of the message starting with “BEGIN PGP SIGNATURE” at the bottom of the e-mail. This file — containing gibberish to the human eye — is used by PGP-aware programs to verify that the message actually came from me. If you are using PGP, I could also sent you a message that only you could read (e.g. “encrypted”). This page gives some background on PGP and why I consider it important.
It is the start of a new year1, and it seems like a good time to update my public encryption key. My previous one — created in 2004 — is both a little weaker, cryptographically speaking, than the ones newly created (1024-bit versus 2048-bit) and also an uncomfortable mixing of my professional and personal lives. For my previous key, I attached all of my professional and personal user ids (e.g. e-mail addresses) to the same key. This time I decided to split my work-related user ids from my other ones. My reasoning for the split is that I might be compelled by my employer to turn over my private key to decrypt messages and files sent in the course of my work. If my personal user ids are also attached to that private key, my employer (and who ever else got ahold of that key), would be able to decrypt my personal messages and files as well. That is not necessarily a good thing. So my solution was to create two keys and cross-sign them. I’ve outlined the process below.
These keys are part of a computer standard and software algorithm called “Pretty Good Privacy“, or PGP. If you are interested in more of a background about PGP, see a companion post on why I digitally sign my e-mail.
- Some have even said it is the start of a new decade, but of course that isn’t true. We won’t start a new decade until 2011, just like we didn’t actually start a new millennium until 2001. [↩]