Digital Signatures
Copilotco takes great interest in the safety of Internet users and strongly advocates the use of encryption and digital signatures for all data. Any data sent over public and untrusted networks (i.e. the Internet) should be encrypted and/or signed. Laptops with sensitive data get lost and stolen all the time. The U.S. government has already lost thousands of laptops containing sensitive and in some cases secret/classified data. This would not be such a big deal had the data been encrypted. Copilotco has staff knowledgeable and experienced in the use of encryption and digital signatures to safeguard the integrity of your data.
If you receive an email with a small attachment that says something about pgp-signature, the attachment is a digital signature. It is similar to a person's signature at the end of a paper letter: it helps you verify that the email really is from who it says it is from and that it has not been altered. It conforms to Internet Standard RFC 3156. This signature was created by the GnuPG program. The digital signature is one of the most underutilized technologies today. Widespread use of digital signatures would eliminate the problems of junk email, viruses, trojan horse software which causes computer break-ins, and many other maladies that plague the modern Internet. When more than half of the billions of emails transmitted on the Internet every day are junkmail and viruses, one would think there would be more interest in a real solution.
Why use digital signatures?
Many Internet users do not realize that it is possible to put any name and email address they want in the From: field of an email, and that an email can be changed by malicious people at many points during its travels to say something other than what the original author intended. You could very easily change your email client's configuration to use the email address of your boss and send an email to all of the staff giving them the day off. Unless they talk to the boss, there is practically no way to tell it is a forgery.
In fact, the majority of emails traveling over the Internet these days are spam and viruses, which almost always forge the From: address. Probably every junkmail and virus you have received was forged to be from someone else. By making it pretty much impossible to forge emails, digital signatures prevent the spread of viruses, junkmail, and many other nasty things. In an ideal world any email without a verified digital signature would be thrown away, because it is probably a virus or junkmail.
So just because it has a signature, I can trust it?
Not necessarily. In order to ensure that the email is really from who it says it is from and that the signature is legitimate, you need to verify the signature. This requires software such as GnuPG to look at the signature, retrieve the purported sender's public key from a keyserver on the Internet, and verify that the message has not been modified and that the signature matches the document.
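Before GnuPG can check the signature, the mail client has to hand it exactly the bytes the sender signed. The following is an added illustration of the pgp-signature attachment described above, not code from the original page or from GnuPG; the message is constructed and its signature block is a placeholder, so it shows the RFC 3156 structure and canonicalization rather than performing a cryptographic check:

```python
# Added example (not from the original page): dissect an RFC 3156 (PGP/MIME)
# multipart/signed e-mail with the standard library to show what the
# "pgp-signature" attachment is and which bytes a verifier such as GnuPG checks.
import email
from email import policy

# Constructed sample; the signature block is a placeholder, not a real OpenPGP
# signature, so this illustrates message structure only.
SAMPLE_MESSAGE = (
    "From: alice@example.com\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    ' protocol="application/pgp-signature"; boundary="sig-boundary"\r\n'
    "\r\n"
    "--sig-boundary\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "The office closes at 15:00 on Friday.\r\n"
    "--sig-boundary\r\n"
    "Content-Type: application/pgp-signature; name=signature.asc\r\n"
    "\r\n"
    "-----BEGIN PGP SIGNATURE-----\r\n"
    "PLACEHOLDER-SIGNATURE-DATA\r\n"
    "-----END PGP SIGNATURE-----\r\n"
    "--sig-boundary--\r\n"
)

def split_signed_message(raw):
    """Return (signed_bytes, signature_text) for a PGP/MIME signed message,
    or raise ValueError when it is not a well-formed multipart/signed mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    if msg.get_param("protocol") != "application/pgp-signature":
        raise ValueError("unsupported signature protocol")
    # RFC 3156 signs the first body part exactly as transmitted, MIME headers
    # included, with CRLF line endings. Slice it out of the raw text instead of
    # re-serialising the parsed part: re-folded headers would no longer match.
    canonical = raw.replace("\r\n", "\n").replace("\n", "\r\n")
    segments = canonical.split("\r\n--" + msg.get_boundary())
    if len(segments) != 4 or not segments[3].startswith("--"):
        raise ValueError("expected one body part followed by one signature part")
    body_part = segments[1].split("\r\n", 1)[1]  # drop rest of delimiter line
    sig_headers, _, sig_body = segments[2].split("\r\n", 1)[1].partition("\r\n\r\n")
    if "application/pgp-signature" not in sig_headers.lower():
        raise ValueError("second part is not a pgp-signature")
    return body_part.encode("utf-8"), sig_body
```

The first return value is what a verifier is given together with the sender's public key; a client that passed only the decoded text, or LF-terminated lines, would report a valid signature as bad.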
Sounds good, but is it hard to use digital signatures?
If your email program supports digital signatures, it is quite easy. In fact, it is all done automatically. When you receive an email with a digital signature, the signature is automatically verified and you are told whether the email is legitimate. If your email program does not support digital signatures, or if it does not properly display the email because of the digital signature, you should contact the author of your email program and tell them to get with the times and that you want support for digital signatures. It is an Internet standard which has been around since 1996, and they really should support it by now and handle display and verification of signed messages properly.
How do I know that this public key/signature really is from the person whose name is on the key?
This is where the Web of Trust comes into play. Every person who uses digital signatures has a public key. But we cannot know that the name on the key really matches the human being unless someone else whom we trust vouches for that person. This is done by digitally signing that person's key using your own key. If everyone vouches for someone else's key (signs their key), we develop a large Web of Trust. If there is a connection via the Web of Trust between your key and the key of the sender who signed the message, it can be guaranteed authentic. If the signature does not check out, or if there is no signature, the email is likely to be junk or a virus etc. The more people who vouch that your public key really is yours, the more connected in the Web of Trust you are, and consequently the more trusted your key and signature, and thus your email, is.
What if someone vouches for the key of a spammer or virus sender?
Then the person who vouched for the spammer or virus sender can revoke his signature on the spammer's key, causing the spammer's emails to no longer verify properly, which leaves the spammer untrusted. If this person does not do this, then the people who trusted/vouched for him will revoke theirs, and so on up the chain. For this reason it is very important to your reputation to only vouch for the keys of persons whom you can really trust to be who they say they are and to act responsibly.
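A simplified model of the Web of Trust described in the two answers above, added here as an illustration and not code from Copilotco or GnuPG. Key labels are invented, and real GnuPG additionally requires owner trust in each introducer, can demand several marginal signers and limits the path length, none of which this model includes:

```python
# Added example, not from the original page: a simplified Web of Trust model.
# Keys are nodes; "ALICE signed BOB's key" is a directed edge ALICE -> BOB.
# A sender's key counts as connected when a chain of key signatures leads from
# your own key to it, and revoking a signature cuts every chain through it.
# Assumption: key labels are invented. Real GnuPG additionally requires owner
# trust in each introducer, can demand several marginal signers and limits the
# path length; none of that is modelled here.
from collections import deque

class WebOfTrust:
    def __init__(self):
        # signer key -> set of keys whose owner the signer has vouched for
        self.certifications = {}

    def sign_key(self, signer, signee):
        """signer vouches that signee's key really belongs to its named owner."""
        self.certifications.setdefault(signer, set()).add(signee)

    def revoke_signature(self, signer, signee):
        """Withdraw a certification, e.g. after the signee turned out to spam."""
        self.certifications.get(signer, set()).discard(signee)

    def trust_path(self, my_key, sender_key):
        """Shortest chain of certifications from my_key to sender_key, or None."""
        parents = {my_key: None}
        queue = deque([my_key])
        while queue:
            key = queue.popleft()
            if key == sender_key:
                path = [key]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            for signed in sorted(self.certifications.get(key, ())):
                if signed not in parents:
                    parents[signed] = key
                    queue.append(signed)
        return None

    def accept_mail(self, my_key, sender_key, signature_valid):
        """The page's rule: reject unsigned or badly signed mail outright, and
        accept a good signature only when a trust chain reaches the sender."""
        return signature_valid and self.trust_path(my_key, sender_key) is not None
```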
How many people use digital signatures and are in the Web of Trust?
As of this writing there are 24,724 keys (and thus approximately that many people using digital signatures) in the Web of Trust. There are also 191,586 signatures on keys vouching that the owner of the key is who they claim to be and that it is their key. The latest stats can be found here.