Trusting Those Keys:

Remember this: Just because Bob has a key, it doesn’t necessarily mean you should trust him! Having a key does not imply trust. It simply means that the person who owns it can encrypt and decrypt data. Even a valid key does not necessarily belong to the person whose name is on it. Sounds like a real conundrum, doesn’t it?

The fact of the matter is that anyone can make a GPG key and assign any name (or even no name) to the key. You have no way of knowing that Bob actually owns that key unless you make contact with him somehow. Phoning him up and asking him to verify the GPG fingerprint is one way of verifying his key. Contacting someone you know who also knows Bob is another method. But, can you really trust Bob with the information you’re going to send him?

That’s totally up to you to decide. (PGP allows you to assign levels of trust to keys.) Keys that come with Digital Certificates are a slightly different matter. When you get a Digital Certificate, you generally work with one of the well-known public companies (called Trusted Third Parties) that charge you money for the certificate and the keys, and who are all untrustworthy and unreliable.

The reason they charge you money is that they spend some effort trying to get you to prove who you are. For example, they could ask for your driver’s license, passport, bank records, incorporation papers, or similar information and then they do a check on these documents. More companies do this than individuals, but the fact remains that you can go back to the Certificate Authority (the company that issued the Digital Certificate and the keys) and ask how they verified the identity that goes with the certificate. It’s far better to generate all your own certificates and to slowly build up your web of trust.

When dealing with keys that come from Digital Certificates, you still have no assurance that the person or company that owns the keys is trustworthy. Just because someone has a Digital Certificate or PGP keys doesn’t necessarily mean that person is a good person. Anyone can get encryption keys. That person could be a con man or he could be a priest. It’s still up to you to know who you are dealing with.
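
As an added illustration of the fingerprint check described above (this is not code from the original article), the sketch below computes an OpenPGP version 4 fingerprint the way RFC 4880 defines it and compares it with one read out over the phone. It shows that the fingerprint covers only the key material and creation time, never the name on the key; the key values and helper names are constructed for the example.

```python
import hashlib
import hmac
import string
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1, n, e.
    The user ID (the name on the key) is a separate packet and is not part of this body."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the body (RFC 4880, section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def grouped(fpr: str) -> str:
    """Format as ten groups of four hex digits for reading aloud."""
    return " ".join(fpr[i:i + 4] for i in range(0, 40, 4))


def matches(spoken: str, body: bytes) -> bool:
    """True only if all 40 hex digits match; a short key ID is rejected outright."""
    candidate = "".join(c for c in spoken if c in string.hexdigits).upper()
    if len(candidate) != 40:
        return False
    return hmac.compare_digest(candidate, v4_fingerprint(body))


# Constructed sample keys (toy-sized numbers, not real key material).
BOB_KEY = rsa_public_key_body(1700000000, 0xC0FFEE1234567890ABCDEF0123456789, 65537)
# A different key that anyone could have created and labelled "Bob".
OTHER_KEY = rsa_public_key_body(1700000000, 0xBADC0DE1234567890ABCDEF012345679, 65537)

if __name__ == "__main__":
    read_over_phone = grouped(v4_fingerprint(BOB_KEY)).lower()
    print("Bob reads out:        ", read_over_phone)
    print("key received from Bob:", matches(read_over_phone, BOB_KEY))
    print("other key named 'Bob':", matches(read_over_phone, OTHER_KEY))
    print("last 8 digits only:   ", matches(read_over_phone[-9:], BOB_KEY))
```

A match tells you the key is the one Bob read out, nothing more; whether Bob himself deserves your trust is still the separate decision the text describes.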

To Conclude:

Every single day our rights are getting eroded. Every single day our privacy is not respected. We may all moan about this, but to sit there and do nothing to protect your privacy is, to say the very least, stupid. Some of us know that there is no legal basis in the UK (please read other articles here), and failing to protect yourself from unlawful snooping is a crime in itself, but the security services snoop on you with absolute impunity because you have been ignorant of how to protect yourself.

All the tools you need are freely available to you, no matter what operating system you use. You will find a lot of information on the subject, as well as help in various forums, newsgroups and mailing lists, and you are encouraged to use all means at your disposal.

