“A nearly impenetrable thicket of geekitude…”

PGP Keys

I possess several PGP/GPG key pairs. You can download a reasonably recent copy of all of them here.

Current Key Pair

My current key pair (ID 0x9A804E97D7079C77) is a standard 4096-bit RSA key pair created on 28-September-2011. Its fingerprint is:

5E6D 6EAE 16C3 DA75 450B  219C 9A80 4E97 D707 9C77

You can get hold of this key with all its signatures from the standard key servers, or download a reasonably recent copy of it as an ASCII armoured file.

Always check the fingerprint, don’t just trust the key ID.

Because a key ID is just the last few hex digits of a SHA-1 hash, it’s relatively simple for someone to generate a second PGP key with the same key ID and pretend to be me, or anyone else. In fact this happened back in 2014 for everyone’s short form (8-digit, 32-bit) key IDs. You can read more about that if you’re interested.

This page therefore shows the long form (16-digit, 64-bit) key IDs instead, but you should still only treat a key ID as a way of searching for someone’s key, not as part of verification of that key.
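The check described above, as an added example (not code from this page's author): it reads `gpg --with-colons --fingerprint` output, where field 10 of each `fpr` record holds the fingerprint, and accepts a key only on a full fingerprint match. The sample listing, the impostor and subkey fingerprints, and the function names are constructed for illustration.

```python
# Fingerprint published on this page for the current key pair.
PINNED = "5E6D 6EAE 16C3 DA75 450B  219C 9A80 4E97 D707 9C77"

def normalise(fpr):
    """Strip spacing and case so printed and machine forms compare equal."""
    fpr = "".join(fpr.split()).upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("not a 160-bit fingerprint")
    return fpr

def long_key_id(fpr):
    """The 16-digit key ID is only the last 64 bits of the fingerprint."""
    return normalise(fpr)[-16:]

def primary_fingerprints(listing):
    """Fingerprints of primary keys in `gpg --with-colons` output.
    An fpr record describes the pub/sub record before it; subkeys are skipped."""
    found, owner = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            owner = fields[0]
        elif fields[0] == "fpr" and owner == "pub" and len(fields) > 9:
            found.append(normalise(fields[9]))
            owner = None
    return found

def check_keys(listing, pinned=PINNED):
    """Map each primary fingerprint to 'match', 'key-id-only' or 'other'."""
    want = normalise(pinned)
    verdicts = {}
    for fpr in primary_fingerprints(listing):
        if fpr == want:
            verdicts[fpr] = "match"
        elif fpr[-16:] == want[-16:]:
            verdicts[fpr] = "key-id-only"   # same key ID, different key: reject
        else:
            verdicts[fpr] = "other"
    return verdicts

# Constructed sample listing: the real key, a subkey, and a made-up key whose
# fingerprint differs but ends in the same 16 digits (same long key ID).
IMPOSTOR = "0123456789ABCDEF01234567" + long_key_id(PINNED)
SUBKEY = "A" * 40
SAMPLE = "\n".join([
    "pub:-:4096:1:9A804E97D7079C77:1317168000:",
    "fpr" + ":" * 9 + normalise(PINNED) + ":",
    "sub:-:4096:1:AAAAAAAAAAAAAAAA:1317168000:",
    "fpr" + ":" * 9 + SUBKEY + ":",
    "pub:-:4096:1:9A804E97D7079C77:1400000000:",
    "fpr" + ":" * 9 + IMPOSTOR + ":",
])
```

Calling `check_keys(SAMPLE)` marks the pinned fingerprint as `match` and the second primary key as `key-id-only`, even though both list the same long key ID in their `pub` records.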

You can use this to send encrypted mail to me if you like, but please note that I don’t always have the appropriate software and keyring to hand, so using it may delay a response.

I also use this key pair to sign the occasional e-mail message or software package to prove that they are from me. If you are going to rely on such signatures, you should probably verify the fingerprint with me personally the first time, and/or encourage someone you already trust to do the due diligence and then sign my public key. If you’re already part of the web of trust, you may be able to find a trust path to my key using either my key’s statistics page or a path-finding form that takes your key ID.

I’d welcome any opportunity to improve my connectivity, so if you’re in Edinburgh, Scotland or think we’re likely to meet at some conference or other, please get in touch so that we can arrange to sign each other’s keys. My Big Lumber page gives details. Please read my key signing policy in advance and come appropriately prepared.

An alternative to the web of trust approach is the Keybase system, which provides cryptographic bindings between different identity components. My Keybase profile includes this site, my e-mail address and current PGP key.

Previous PGP Key Pair

My previous key pair (ID 0xEF40FC29EA2882BB) is a DSS/ElGamal key pair created on 30-April-2002. I have marked it as expired as of 2021-02-26.

Its fingerprint is:

C555 B169 838B 1E93 6F1C 397A EF40 FC29 EA28 82BB

You can get hold of this key with all its signatures from the standard key servers, or download a reasonably recent copy of it as an ASCII armoured file.

I’m no longer soliciting signatures for this key pair, and I no longer use it either to sign messages or other public keys. The main reason for its continued existence is to keep me connected to the strong set while I gather signatures on my current key.

Revoked PGP Key Pair

My original key pair was a 1024-bit RSA key pair (ID 0x4CE47DAFB566E329) dating back to December 1993. I don’t regard that as a secure key size any more, so I have revoked this key to prevent it being used.