Years ago I played with PGP – Pretty Good Privacy, an open source crypto package from Phil Zimmermann. At the time, Phil copped a lot of heat from the NSA and others, concerned with the nefarious applications of crypto. I played around with signing my email and so on, but I upgraded my computer and my attention drifted.
My family do all of our banking online. As a result I am a little paranoid about security. We never do banking unless on one of our own Mac or Linux machines. (Our Macs have just become plural – we added an iMac for my 4-year-old son Curtis.) What really worries me is phishing. As a result I have my spam filters turned way up, to the point where I sometimes miss non-spam. (Apologies to any open source patch submitters I have been slow to respond to.) Occasionally I have to look closely at a phishing email. Looking at the actual URL and viewing raw source of the email headers always reveals the scam. What worries me is a couple of things:
- knowledge of SMTP and HTTP seems to be required to ascertain a scam, and
- how do people know my messages are really from me?
I have always thought that digital signing à la PGP was a solution waiting for its time. I thought that once authentication and privacy became a big deal, naturally all this stuff would get used. Today I decided to take the trip. From now on, all emails from me will be digitally signed with my own Thawte Certificate.
Having done this I can sign my emails and encrypt them. The thing I have not worked out is how to share my public key. This is the missing piece.