Why I PGP Sign All My Emails
I’ve been making it a point to PGP sign all of my emails for several years now, and I still get the occasional question asking why I bother. The answer is simple, really: I’m using it as a form of identity theft protection.
You see, about five or six years ago, I and people I know suddenly started getting spam that had my email address in the From line. I had known for a long time that it was actually a trivial matter to spoof the From line in an email, but this is when it really hit home. Just by faking the origin of the email, somebody could, if they wanted to, send literally anything they wanted to my friends & family, and there wouldn’t be any real way for me to convince anyone that I didn’t send it.
Granted, family members are most likely to believe me if I tell them I didn’t send that nasty email with my address in its header, but most people don’t tend to be as forgiving if they’re not family.
I had been using PGP occasionally to encrypt private messages, but I hadn’t used it much otherwise. This is when I instituted a policy of always signing emails that I send. That way, if there’s ever a question of “did you send such-and-such?”, I can ask them, “Does it have a valid PGP signature created with my personal key?” If the answer is no, then I didn’t send it.
After deciding on this I let everyone know that if there was ever a question about the validity of an email appearing to be from me, all they have to do is look for and check the signature.
It ensures that nobody can send something claiming to be me, because they can’t duplicate my signature without my private key and the passphrase.
And no, you can’t just copy the signature block from one email and paste it into another. It doesn’t work that way. Any PGP signature is totally unique to the message it appears in.
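To make the last two points concrete, here is an added example (not code from the original post) that shows what a recipient's check actually does. It uses the Python `cryptography` library's Ed25519 signatures as a stand-in for an OpenPGP key pair; the mechanics are the same as with GnuPG: the signature is computed over the exact message bytes with the private key, so a changed message, a signature lifted from a different email, or a signature made with somebody else's key all fail to verify. The email bodies and key names are constructed for the demo.

```python
# Added example, not from the original post: why a signature cannot be
# copied from one message to another, and why a spoofed From line does
# not help an impersonator who lacks the private key.
# Uses Ed25519 from the `cryptography` library as a stand-in for a PGP key.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def generate_keypair() -> Ed25519PrivateKey:
    """Make a fresh private key; its public half is what friends and family keep."""
    return Ed25519PrivateKey.generate()


def sign_email(private_key: Ed25519PrivateKey, body: str) -> bytes:
    """Sign the message body with the sender's private key."""
    return private_key.sign(body.encode("utf-8"))


def verify_email(public_key: Ed25519PublicKey, body: str, signature: bytes) -> bool:
    """True only if `signature` was made over exactly `body` by the matching private key."""
    try:
        public_key.verify(signature, body.encode("utf-8"))
        return True
    except InvalidSignature:
        return False


def demo() -> dict:
    """Run the four cases a recipient might meet and report each verdict."""
    my_key = generate_keypair()
    my_pub = my_key.public_key()  # the copy recipients were given in advance

    genuine = "Hi Mom, dinner on Sunday still works for me."  # constructed sample
    sig = sign_email(my_key, genuine)

    # 1. The genuine email verifies against my public key.
    genuine_ok = verify_email(my_pub, genuine, sig)

    # 2. A one-word edit to the body breaks the signature.
    tampered = genuine.replace("Sunday", "Monday")
    tampered_ok = verify_email(my_pub, tampered, sig)

    # 3. Pasting my real signature block onto a different message fails.
    forged_body = "Hi Mom, please wire money to this account."  # constructed sample
    pasted_ok = verify_email(my_pub, forged_body, sig)

    # 4. A spoofer can put my address in the From line but can only sign with
    #    their own key; checked against my public key, that signature fails.
    spoofer_key = generate_keypair()
    spoofer_sig = sign_email(spoofer_key, forged_body)
    spoofed_ok = verify_email(my_pub, forged_body, spoofer_sig)

    return {
        "genuine": genuine_ok,
        "tampered": tampered_ok,
        "pasted_signature": pasted_ok,
        "spoofed_sender": spoofed_ok,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'valid' if ok else 'INVALID'}")
```

Only the first case comes back valid. The check depends on two things the recipient must already have: a copy of the public key obtained directly from the real sender, and the habit of actually running the verification rather than trusting the From line. An email with no signature at all is simply unverified, which is exactly why the policy of signing everything matters: it lets "no valid signature" be read as "not from me".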