PGP in Hawaii

If you are one of the ten people in Hawaii using PGP to authenticate or encrypt e-mail messages, you should know that there will be a PGP key signing event on Thursday. Come down to Likelike Drive Inn on Keeaumoku St. at 7 p.m., and bring your PGP key ID and fingerprint and a couple of government-issued forms of identification (at least one with a photo). We’ll meet up, prove that we are who we say we are, sign keys and talk story.

If you don’t use PGP, and that would be most of you, don’t worry. PGP, or “Pretty Good Privacy,” isn’t the easiest thing to understand or use. I consider myself a geek, and still get a headache trying to keep it all straight. It’s complicated. Which is too bad, because PGP is a fantastic tool. And today, more than ever, privacy is something we have to work hard to protect.

If you’re curious, and think you might want to give PGP a try, read on. Coming down on Thursday could give you a pretty good head start into the world of cryptography, digital signatures, and the “Web of Trust.”

PGP was written by Phil Zimmerman in 1991. His big-picture essay on why he created the tool is worth a read. “There’s nothing wrong with asserting your privacy,” he noted. “Privacy is as apple-pie as the Constitution.”

With PGP, you could encrypt information, easily scrambling it beyond the capabilities of most systems to decode without the proper key, and authenticate communications, or basically prove beyond a reasonable doubt that a message was written by the person who signed it. Keys and signatures are therefore key pieces of the PGP system.

Now, there are plenty of systems that offer encryption and digital signatures (or certificates). Companies like Thawte and Verisign offer them, usually to businesses. A company signs up with the service, and the service verifies to others that their information is legit. The key differences between these services and PGP are that PGP is free, and PGP has no centralized authority.

Instead of one company issuing keys, you make your own. You give away a public key so other people can send stuff to you and check stuff they receive from you. You keep a private key to decrypt, or unscramble, stuff sent to you, and to digitally sign the stuff you send.

The trustworthiness of a correspondent isn’t verified by an outside party. Users individually and as a community determine authenticity, building a “Web of Trust” that’s independent, organic, and infinite. You don’t ask a certain company whether you can trust someone. You check whether other users have signaled their trust with their own signature.

Now, a new PGP user will likely have only a few signatures from other users, if any, on his key. A PGP guru will probably have dozens of signatures. You might assume information signed or encrypted by the guru is more trustworthy. But if you know none of the people who have signed the guru’s key, but deeply trust the one person who signed the newbie user’s key, the opposite may be true.

As I mentioned, though, it’s often not easy to find other PGP users to sign your key. I’ve had my public key online for years, and in that time it’s been used maybe two dozen times (usually as others try PGP for the first time), and it’s been signed by only a handful of people in one-on-one arrangements (most recently at a Flickr gathering).

That’s where the keysigning party comes in. The idea is to basically bring several PGP users together in one place, where everyone checks everyone else’s identification and PGP keys, then signs everyone’s else’s keys. Provided everyone checks out, of course. This way, in one geeky evening, you can have your key strengthened in the “Web of Trust,” the nebulous but powerful network of privacy conscious PGP users.

You can find out a lot more about PGP at Wikipedia, which touches on both philosophical and technical aspects of the tool. But the “why” of PGP is a lot simpler to process than the “how.” You’ll definitely want to focus on the “private key” and “public key” parts of the system. Getting started with PGP should be easier, but trust me, it’s not impossible.

Want to assert your right to privacy with PGP?

• The Easy But Expensive Way: Buy the corporate edition of PGP from PGP Corp., or direct from Phil Zimmerman. It’s $99 for PGP Desktop for Mac or Windows, but you get a clean, well documented user interface to a program that works out of the box with Outlook, Apple Mail, and basically most major e-mail (and instant messaging) clients. This is what I use. Though it goes against my hippie geek principles, ultimately I decided $99 is worth saving myself hours of configuring, tweaking, and hacking.
• The Free But Trickier Way: The PGP system is open and free, so you don’t have to pay for a fancy GUI if you don’t want to. Most real geeks use GnuPG (or GPG) in conjunction with separate add-ons to connect it to mail clients. Mac users could use GnuPG with GPGMail to use PGP with Apple’s Mail program. Windows users could combine Mozilla’s free Thunderbird e-mail client with the Enigmail plug-in. Lifehacker explains how.

I’d love to see more PGP use in Hawaii. If you’re curious but hesitant, or if you’re trying but get stymied, feel free to contact me. And no, you don’t have to encrypt your questions with my public key… unless you want to!