Have you ever seen those e-mails and news messages that start out with “Begin Signed PGP Message”? Have you wondered what the big deal with those messages is, and what that phrase actually means? Have you wondered how you can get into that? And, to an extent, have you wondered about getting a Digital Certificate, but can’t afford the cost? I have wondered all of this, and more. And, I started looking into it.
What I’ve found out surprised me to an extent, and made me change my habits as far as e-mail and newsgroups go. It may surprise you as well.
Before I started looking into the Signing and Encryption, I used Microsoft Outlook for all of my e-mail accounts, and Microsoft Outlook Express for my Newsgroups. I’m not a fan of Outlook Express (although there’s nothing wrong with it), so I used an add-on called FidoLook. It gave Outlook Express a few of the things that you would hear people demand in the newsgroups. I had looked into PGP-signing, but never found anything that caught my eye. Until one day, I got a signed newsgroup message. I asked for any information on getting PrivacyGuard (PGP) in Outlook, and was presented with this link http://www.g10code.com/p-outlgpg.html.
Although I wasn’t able to configure it in Outlook (because the documentation is limited on their program) I did get it configured in Mozilla Thunderbird. So, I moved my POP3 accounts over to Thunderbird, and some of my newsgroups over as well. I still use Microsoft Outlook for my MSN and Hotmail accounts, but as for the rest of it, I’m a Mozilla fan. I’ve even moved my Calendar over to Thunderbird, although one of my organizers won’t synch with it, so I’ll still end up using Outlook as well.
So, how does Open-PGP work? Well, basically it works like this. You install the software (OpenPGP) on your computer, and create keys based on your first and last name, a comment, and the e-mail address you want to sign. A public key and a private key are created. Now that you have a key, how do you sign your e-mails? If you’re using Thunderbird, you can download the Enigmail extension. If you’re using Outlook, you need to check out the site that I listed above. Other e-mail clients will use other programs or have the ability built into them.
When you create the e-mail, you have a button to sign and/or encrypt the e-mail message. If you choose to sign or encrypt it, you will be prompted for the passphrase that you used to create your keys. When you receive a signed or encrypted e-mail, you can download the sender’s public key from a “keyserver” site. You’ll want to upload your keys to the keyservers as well, so people can verify that you are the sender of your e-mails.
But, signing and encrypting e-mails involves more than just putting a key on a ‘keyserver’. You need to establish a method of Trust between yourself and the senders. To do this, you need to verify the public key with the other person, either at a ‘keysigning party’ or over the phone. Or you need to find another method of confirming that the person is who they say they are. The keysigning parties are the best way, because the more people who establish a Trust with you, the easier it will be to prove to others that you are the signer.
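The steps above (create a key, sign, verify, compare fingerprints) can be tried from a command line. This is an added example, not part of the original post; it assumes GnuPG 2.1 or later is installed as `gpg`, and the name, address, message and empty passphrase are constructed demo values.

```shell
#!/usr/bin/env bash
# Added example: throwaway OpenPGP key, sign, verify, tamper, fingerprint.
# Name, address and message below are constructed sample values.

# Use a scratch keyring so the real ~/.gnupg is never touched.
pgp_setup() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # The key is built from a name, a comment and an e-mail address.
    # The empty passphrase exists only so the demo runs unattended.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Alice Example (demo key) <alice@example.org>' \
        default default never 2>/dev/null
}

# Clearsign text from stdin into file $1 (adds the PGP SIGNED MESSAGE wrapper).
pgp_sign() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user alice@example.org --clearsign --output "$1"
}

# Return 0 only if the signature on file $1 matches a key in the keyring.
pgp_verify() {
    gpg --batch --quiet --verify "$1" 2>/dev/null
}

# Print the hex fingerprint (40 digits for v4 keys): the value two people
# compare by phone or at a keysigning party before trusting a downloaded key.
pgp_fingerprint() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Stop the scratch agent and delete the scratch keyring.
pgp_cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "${GNUPGHOME:?}"
}

pgp_demo() {
    pgp_setup || return 1
    local msg="$GNUPGHOME/msg.asc"
    printf 'Meet at noon.\n' | pgp_sign "$msg" || return 1
    pgp_verify "$msg" && echo "original: good signature"
    # Change one word of the signed body; verification must now fail.
    sed 's/noon/midnight/' "$msg" > "$msg.tampered"
    pgp_verify "$msg.tampered" || echo "tampered: BAD signature"
    echo "fingerprint: $(pgp_fingerprint alice@example.org)"
    pgp_cleanup
}

if command -v gpg >/dev/null 2>&1; then pgp_demo || echo "gpg demo failed" >&2; fi
```

A good signature only proves the message matches the key; the fingerprint comparison is what ties that key to a person.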
So, as you can see, I’ve made a change in how I do my e-mails. Even though I beta test some Microsoft products, if I could view my e-mails in Mozilla Thunderbird easily, I wouldn’t use Outlook at all. There are programs that claim to be able to get your hotmail and msn.com e-mails, but I’m not sure how well they work.
If you want more information on signing messages, let me know. If I don’t have the link, I’ll do what I can to find it for you. Or, simply do a Google search (or whatever search engine you use) for Open PGP and GNU Privacy Guard. That will get you started.