Public GPG Key for Dale E. Tronrud

det101@daletronrud.com

Many people don't realize it but it is trivially simple for anyone to send an email that claims to be from any one else. If you receive a letter that lists itself as "from" me it is very hard to determine if it is actually from me. A solution to this problem is to cryptographically sign the contents of the letter.

When this is done, a computation is performed on the text of the letter which results in a rather large number. This number is then placed in the letter. When you receive this letter you can rerun the calculation and prove that the number matches the text. This, alone, doesn't help a lot because the number could be forged as well as the text.

This is where the "cryptographic" part of the calculation comes in. Using Public Key Cryptography the number (called the "hash") is calculated using a private key that is known only to me. This hash can be verified by knowing both the text and my public key. You can verify that the key matches the text but you cannot forge a hash for some other message because you don't know my private key.

I use Thunderbird to read e-mail. If you install the EnigMail plugin, it will perform all these calculations. When the letters contents was actually sent by the person it claims to be from you will see a green indicator in Thunderbird.

I'm sure there are equivalent plugins for other e-mail reading programs. If you let me know of one I'll add a description here.

The final problem is that you need to get my public key from somewhere. Of course, if you get a fake key from someone else that person will be able to fool you into thinking they are me. Actually, I'm probably not important enough for someone to go to the trouble so this is not an realistic threat.

You can download my public key here . If you believe this is actually my web site you can trust it. If you have doubts you will have to contact me by some reliable means to get verification.