GPG und ich

Warum ich GPG verwende

As I am a bit concerned about the security of the emails I sent (and get) I am using GPG to sign and possibly encrypt the messages I sent. You can download my public-GPG-key here or from pgp.uni-mainz.de or pgp.mit.edu.

My ID is C0E31F1D with the fingerprint: 46D5 6D01 D6D5 4D08 15DC 9C59 B982 CBD5 C0E3 1F1D

Please note: If you happen to get a mail from me without a GPG-signature (the attachment you can't open under Win) there is a good chance that this mail is not sent by me but possibly by a virus on another Windows-users PC. Most viruses use the addressbook of the victim not only for the recipient but also to disguise their origin. - Unless I know you are using Outlook and will have trouble reading (standard-compliant) signed emails or when I am sending (urgent) replies from my mobile.

Why you should use GPG too

If you are wondering what I am talking about: GPG and/or PGP is a technology to sign and optionally encrypt emails/files/texts/etc. I the times of the NSA/BND/whatever reading on everything, encryption should be a “must”.

It works like this:

Every user generates a key consisting of two parts, his private key and the public key. The private key is secured with a passphrase and should never be published anywhere, the public key should be published on the web and the keyservers. After doing this you can sign your emails with your private key and everyone has the possibility to verify the signatures using your public key and, if the signature is correct, knows that the mail is from the one owning the private key and was not modified on the way through the internet.

How to trust?

Of course there needs to be a way to verify that a private key belongs to the person claiming to be. This is done via trusting and key-signing. If one signs the public key of somebody, he verifies (visible for the whole net) that the public-key belongs to the person owning the private key and that he verified the ID (via passport) of the owner.

How can I trust people in a foreign country?

You don't have to trust everyone and you don't have to trust people you don't know. But perhaps you trust someone who trusts someone who trusts the sender you are trying to verify. Or perhaps this chain of trust is longer... That is called a web of trust.

What about encryption?

If you know the keys of your recipients and have verified their keys, you can use GPG to encrypt messages. Encryption is done in a way that the message is encrypted using your private key and the recipients public key. Only the recipient can decrypt the message using his private and your public key. That way you can be sure that no one else is reading the data you sent.

More:

For more info check www.gnupg.org.