[If you already use PGP, skip right to my public key.]
If you've received email from me and you don't use PGP, you've probably noticed either an attachment of type 'application/pgp-signature' or a little bit of gibberish at the top and bottom of my messages. That's a PGP "signature"--which can be used to verify that I, indeed, wrote the message and that it was not tampered with along the way from me to you.
PGP, for "Pretty Good Privacy", uses public-private key encryption as a means to secure email, be sure of its author, or both. It's like putting an envelope and a wax seal around your email. Unencrypted email, like a postcard sent without an envelope, can be read (and modified) by any number of parties along its way to its recipient. A message encrypted and signed with PGP can only be read by its intended recipient, and your signature, like the imprint a custom seal makes on melted wax, authenticates you as its author.
There are two main standards for sending PGP-secured email. The original, and still most commonly used method (generally called PGP-inline) involves simply taking the plain-text message body, giving it to the PGP program (in my case, gpg), and sending that armored output as the new message body. It's simple, and it doesn't require much to decode: the mail client (or the user, manually) just takes the message body and gives it to PGP to decode.
But it does have some side effects. People who don't want to be bothered with PGP don't really like to see the -----BEGIN PGP SIGNED MESSAGE----- stuff at the top, or the signature gibberish at the bottom. And PGP mangles some text to make sure nothing interferes with its operation (for example, the standard signature separator, -- , gets replaced with - --).
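To make the "mangling" concrete, here is an added example (not code from the original page) that builds and takes apart a PGP-inline body the way RFC 4880's cleartext signature framework lays it out: the dash-escaping that turns the "-- " separator into "- -- ", the Hash: armor header, and the signature block. The signature text used is a constructed placeholder, not gpg output; the point is the framing a mail client has to handle before it hands anything to gpg.

```python
"""PGP-inline bodies (cleartext signature framework, RFC 4880 section 7).
Added example, not code from the original page; the signature block used
below is a constructed placeholder, not output of gpg."""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def dash_escape(text):
    """Prefix every line that starts with '-' with '- ', so message text can
    never be mistaken for an armor marker. This is why the '-- ' signature
    separator arrives as '- -- ' in inline-signed mail."""
    return "\n".join("- " + line if line.startswith("-") else line
                     for line in text.split("\n"))


def dash_unescape(text):
    """Undo dash_escape; a receiving client does this before hashing."""
    return "\n".join(line[2:] if line.startswith("- ") else line
                     for line in text.split("\n"))


def build_clearsigned(text, sig_armor, hash_name="SHA256"):
    """Assemble a clearsigned body from message text and an armored
    signature (which gpg computes over the unescaped text)."""
    return "\n".join([BEGIN_SIGNED, "Hash: " + hash_name, "", dash_escape(text),
                      BEGIN_SIG, "", sig_armor, END_SIG, ""])


def split_clearsigned(body):
    """Return (hash_name, signed_text, sig_armor) from a clearsigned body.
    signed_text is the dash-unescaped message, i.e. the data a verifier
    checks together with sig_armor."""
    lines = body.split("\n")
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a clearsigned message") from exc
    hash_name, i = "", start + 1
    while i < sig_start and lines[i] != "":   # armor headers end at a blank line
        if lines[i].startswith("Hash:"):
            hash_name = lines[i][len("Hash:"):].strip()
        i += 1
    signed_text = dash_unescape("\n".join(lines[i + 1:sig_start]))
    sig_armor = "\n".join(lines[sig_start + 1:sig_end]).strip("\n")
    return hash_name, signed_text, sig_armor


# Constructed sample: a short mail ending in the conventional '-- ' separator
MESSAGE = "Hi Wesley,\n\nThe notes from Tuesday are below.\n\n-- \nJohn"
PLACEHOLDER_SIG = "iQEzBAABCAAd...constructed placeholder, not a real signature...\n=AbCd"


def demo():
    """Round-trip the sample: what goes on the wire, and what a client recovers."""
    body = build_clearsigned(MESSAGE, PLACEHOLDER_SIG)
    return body, split_clearsigned(body)


if __name__ == "__main__":
    wire, (hash_name, text, sig) = demo()
    print(wire)
    print("hash:", hash_name, "| recovered text matches:", text == MESSAGE)
```

The escaping is reversible, so a verifier gets the original text back; what a non-PGP reader sees, though, is the escaped form, which is exactly the "- --" oddity the paragraph above describes.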
And then there's the issue of attachments. It often makes sense to encrypt, or at least sign, attachments. In some ways, it's even more important that attachments are signed than the message text: nobody wants to get a virus because a legitimate attachment was replaced with a trojan horse.
So a solution was developed to use MIME and the newly defined security multipart formats. It has evolved into what we now call PGP/MIME or OpenPGP/MIME, and is defined by RFC 3156. (Curious people who know a bit about MIME and email may want to read the RFC--otherwise, you just need to know that it's a way to make PGP suitable for use with most email extensions.)
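As an added example (not code from the original page), the following builds a PGP/MIME signed message of the shape RFC 3156 prescribes and then extracts what a verifier needs from the raw bytes: the first body part, canonicalized to CRLF line endings with trailing whitespace removed, plus the detached signature from the application/pgp-signature part. The sign callable stands in for gpg --detach-sign --armor and returns a constructed placeholder; the attachment and filename are constructed too. Because the whole first part, MIME headers included, is what gets signed, an attachment inside it is covered by the signature along with the text.

```python
"""PGP/MIME (RFC 3156) multipart/signed: build one and pull out what a
verifier needs. Added example, not code from the original page. The
`sign` callable stands in for `gpg --detach-sign --armor`; no real
signature is produced here."""
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser


def canonicalize(data: bytes) -> bytes:
    """RFC 3156: the signed octets use CRLF line endings and carry no
    trailing whitespace. Signer and verifier must apply exactly this
    transformation, or the signature will not verify."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return b"\r\n".join(line.rstrip(b" \t") for line in lines)


def build_pgp_mime_signed(text: str, attachment: bytes, sign) -> bytes:
    """Wrap text plus an attachment in multipart/signed. `sign` receives the
    canonical bytes of the whole first part (headers included, so the
    attachment is covered too) and returns armored ASCII."""
    inner = MIMEMultipart("mixed")
    inner.attach(MIMEText(text, "plain", "utf-8"))
    notes = MIMEApplication(attachment, "octet-stream")
    notes.add_header("Content-Disposition", "attachment", filename="notes.txt")
    inner.attach(notes)
    # Serialising here fixes the inner boundary, so the bytes that are
    # signed are the bytes that will be sent.
    armor = sign(canonicalize(inner.as_bytes()))

    outer = MIMEMultipart("signed", protocol="application/pgp-signature",
                          micalg="pgp-sha256")
    outer["Subject"] = "Signed with PGP/MIME"
    outer.attach(inner)
    outer.attach(MIMEApplication(armor.encode("ascii"), "pgp-signature",
                                 _encoder=encoders.encode_7or8bit,
                                 name="signature.asc"))
    return outer.as_bytes()


def raw_first_part(raw: bytes, boundary: str) -> bytes:
    """Cut the first body part out of the raw message. Re-serialising a
    parsed part could change header folding, so a verifier works on the
    octets exactly as received."""
    delim = b"--" + boundary.encode("ascii")
    first = raw.index(delim)
    start = raw.index(b"\n", first) + 1        # line after the delimiter
    end = raw.index(delim, start)
    # the line break before the next delimiter belongs to the delimiter
    if raw[end - 2:end] == b"\r\n":
        end -= 2
    elif raw[end - 1:end] == b"\n":
        end -= 1
    return raw[start:end]


def extract_for_verify(raw: bytes):
    """Return (canonical_signed_bytes, armored_signature, micalg), or raise if
    the structure is not the one RFC 3156 prescribes. The caller then runs
    the equivalent of `gpg --verify signature.asc signed.bin`."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not multipart/signed")
    if msg.get_param("protocol") != "application/pgp-signature":
        raise ValueError("protocol is not application/pgp-signature")
    parts = msg.get_payload()
    if len(parts) != 2 or parts[1].get_content_type() != "application/pgp-signature":
        raise ValueError("expected exactly two parts: content, then signature")
    signed = canonicalize(raw_first_part(raw, msg.get_boundary()))
    return signed, parts[1].get_content(), msg.get_param("micalg")


# Constructed placeholder standing in for gpg's armored detached signature
DETACHED_SIG = ("-----BEGIN PGP SIGNATURE-----\n\n"
                "iQEzBAABCAAd...constructed placeholder, not a real signature...\n"
                "=AbCd\n-----END PGP SIGNATURE-----\n")


def demo():
    """Build a message, then check the verifier recovers the very bytes signed."""
    seen = {}

    def fake_sign(data: bytes) -> str:
        seen["signed"] = data              # what a real gpg would hash
        return DETACHED_SIG

    raw = build_pgp_mime_signed("Hi Wesley,\n\nNotes attached.\n\n-- \nJohn",
                                b"meeting notes\n", fake_sign)
    signed, armor, micalg = extract_for_verify(raw)
    return signed == seen["signed"], armor, micalg, signed


if __name__ == "__main__":
    same, armor, micalg, signed = demo()
    print("verifier sees the signed bytes:", same, "| micalg:", micalg)
```

Note that the "-- " separator inside the text part is untouched here; PGP/MIME signs the encoded MIME part rather than rewriting the visible text, which is the reason it avoids the side effects of the inline format.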
Unfortunately, not every email client supports PGP/MIME. Worse yet, there are some that only support PGP/MIME. Below is a table that should outline the support of the various clients and plugins for each format.
| Client | PGP/MIME | PGP-inline |
| --- | --- | --- |
| Mozilla with Enigmime | Yes | Yes |
| Mozilla Thunderbird with Enigmime | Yes | Yes |
| Ximian Evolution | Yes | No |
| KMail | Yes * | Yes |
| Pine with pinepgp | Yes ** | Yes |
| Mutt | Yes | Yes |
| Outlook Express with WinPT | No | Yes |
| Eudora with WinPT | No | Yes |
If you mostly use a client that doesn't support PGP-inline, but you correspond occasionally with people who can't accept PGP/MIME, it is still possible to paste text into and out of gpg to verify, or sign and encrypt, messages by hand. Please read the GNU Privacy Handbook, below, for more information on how to manually sign, encrypt, and verify messages with GnuPG.
Here are some (hopefully) helpful links:
If you are currently using Outlook Express on Windows, I would highly recommend trying out Thunderbird as a replacement. Besides the convenience of Enigmail's seamless GnuPG integration with it, Thunderbird is not susceptible to the many viruses and worms that have spread because of insecurities in Microsoft's product. (The only plausible way you could get a virus from email while using Thunderbird would be to save a virus-infected attachment to somewhere on your hard disk and manually run it. Thunderbird (or Mozilla as a whole, for that matter) never automatically opens attachments--especially executable ones.)
That said, there is a plugin for Outlook Express, GPGOE, that allows you to use it with GnuPG. It's part of the WinPT project. I've not used it myself, as I don't use Windows. It doesn't seem quite as elegant as Enigmail with Mozilla/Thunderbird, but if you must use Outlook Express, this is a possible solution.
The PGP trust model works best when there is a web of trust, established by signatures on the public keys. For instance, I have examined Wesley's key fingerprint, and I know that Wesley is who he claims to be (I know him personally, but this could be checked with a picture ID). I sign his public key with my private key. Now, anyone with his key can see my signature, which indicates that I trust his key. Likewise, Wesley has signed mine.
So whenever I get a message signed by Wesley, I am sure that he actually wrote it. (If his key were compromised, he would be able to revoke it so that it would no longer be trusted.) Now, let's say Wesley has met another PGP user, and they sign each other's keys as Wesley and I have. Wesley introduces me to his new friend, Joe, and Joe and I exchange keys. But since both Joe and I trust Wesley to carefully verify keys, and Wesley's signature is on both Joe's and my key, Joe and I can trust signatures from each other without actually having to sign any more keys.
(This is much better explained in Section 3 of the GNU Privacy Handbook.)
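The Wesley and Joe story above is one instance of a general rule, and the following added example (not code from the original page) works it through: a key is valid for me if it is signed by a valid key whose owner I fully trust, or by three valid keys whose owners I trust marginally, following chains at most five certifications deep. Those thresholds are GnuPG's defaults; the people, signatures and trust settings below are constructed, and go a little beyond the text by adding a key that meets the three-marginals rule and two that do not.

```python
"""Which keys become valid under the web-of-trust rules the GNU Privacy
Handbook describes. Added example, not code from the original page; the
people and the trust settings below are constructed, and the thresholds
are GnuPG's defaults."""

COMPLETES_NEEDED = 1    # one signature from a fully trusted key suffices
MARGINALS_NEEDED = 3    # or three from marginally trusted keys
MAX_CERT_DEPTH = 5      # certification chains longer than this are ignored


def compute_validity(me, signatures, owner_trust):
    """Return {key: depth} for every key I may consider valid.

    signatures:  {key: set of keys that have signed (certified) it}
    owner_trust: {key: 'full' | 'marginal' | 'none'}: how far I trust that
                 key's owner to check other people's identities. This is
                 separate from validity: Wesley's key being valid does not
                 by itself make his certifications count; I also have to
                 trust him as an introducer.
    My own key is valid at depth 0 and my own signatures count as fully
    trusted. Keys are validated in rounds, so a key's depth is the length
    of the shortest trusted chain from me to it."""
    trust = dict(owner_trust)
    trust[me] = "full"
    valid = {me: 0}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly = []
        for key, signers in signatures.items():
            if key in valid:
                continue
            full = marginal = 0
            for signer in signers:
                # a self-signature, or a signature from a key that is not
                # itself valid yet, contributes nothing
                if signer == key or signer not in valid:
                    continue
                level = trust.get(signer, "none")
                if level == "full":
                    full += 1
                elif level == "marginal":
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly.append(key)
        if not newly:              # nothing more can become valid
            break
        for key in newly:
            valid[key] = depth
    return valid


def example_web():
    """Constructed web: the Wesley/Joe story from the text plus a few more
    people, so that the three-marginals rule and its failure both show."""
    signatures = {
        "John": {"Wesley"},
        "Wesley": {"John", "Joe"},
        "Joe": {"Wesley"},
        "Kim": {"Wesley"},
        "Pat": {"Wesley"},
        "Alice": {"Joe", "Kim", "Pat"},   # three marginal introducers
        "Bob": {"Joe"},                   # only one marginal introducer
        "Mallory": {"Mallory"},           # self-signed only
    }
    owner_trust = {"Wesley": "full",
                   "Joe": "marginal", "Kim": "marginal", "Pat": "marginal"}
    return compute_validity("John", signatures, owner_trust)


if __name__ == "__main__":
    for key, depth in sorted(example_web().items(), key=lambda kv: kv[1]):
        print(f"{key:8s} valid (depth {depth})")
```

Joe's key comes out valid at depth 2 without my ever signing it, which is the point of the paragraph above; Bob's does not, because one marginally trusted introducer is not enough, and Mallory's self-signature counts for nothing. Owner trust is the value you set yourself (the trust command in gpg --edit-key), and a key you have not assigned any trust to never introduces anyone, however many signatures it carries.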
My web of trust is actually quite small, and basically only consists of a few people whose keys I have personally signed. I haven't found many PGP users in Colorado Springs (though I have converted a few). If you live in the area and you are also interested in building up a web of trust, please contact me, and we'll arrange a key signing event, however small or large. You may also take a look at my biglumber listing.
I'd love to hear from you! If you are able to import my public key, just send email to the primary address on the key.
If you do not have PGP, or are otherwise unable to import my key, you may use my contact form.
Either way, I will reply as soon as I can!