Ask Slashdot: How Do I Request Someone To Send Me a Public Key?

First time accepted submitter extraqwert writes "An organization wants me to send them my personal data by email. I certainly do trust them. However, I would like to politely ask them to send me their public key for encryption. The secretary probably does not know what it is. But they do have a pretty good IT department, so they can figure out. My question is, what is the proper wording for such a request? What is the right terminology to use? Should I say ``please send me your RSA key''? ``Public key''? ``PGP key''? Is there a standard and reasonable wording for such a request? (On my end, I am using GNU PGP: http://www.gnupg.org/ ) Any suggestions on how to be polite in this case?"

This is why encryption isn't popular

Simple and expected processes like this need to be made truly dead simple and nearly automatic. Instead, there are a ton of different formats for keys depending on which the usage and you need to understand a significant amount about what's going on under the covers to do even these kinds of simple actions.

Incidentally, here's the answer to the question. It's anything but clear, but likely to be clearer than any answer you get here.

Re: This is why encryption isn't popular

Would this mean that the gov't office that gave you the national ID card is also responsible for generating & storing your private key? If this is the case, it means the gov't has everyone's keys, and the encryption becomes meaningless. :/

Re: This is why encryption isn't popular

[michelcolman]

Well, if I were leading a country and wanted to spy on all my citizens' e-mail, giving them all an easy way to encrypt their mail using keys I provided sure seems like a great way of achieving that goal.

However, the point is that you can securely communicate personal data with the government. In that case, you are not worried about the government being able to read your mail as they are precisely the ones you are communicating with. You just worry about criminals outside of the government. Also, you can safely transmit any data that is already known by the government to any third party. Name, address, credit card numbers, etcetera.

Now, if you want to communicate with your terrorist buddies about how to blow up the Estonian Parliament, encryption with your national ID card is probably not the best idea.

(Note to NSA spies reading this: yes, I know your filter was triggered by the phrase "blow up the Estonian Parliament", sorry about that, false alarm, nothing to see here)

Re: This is why encryption isn't popular

[iluvcapra]

The private key never leaves the card

Right, and who had possession of the card before you? These sorts of schemes are perfectly fine for government communication, signing contracts, banking, whatever, but they don't provide "4th Amendment Compliant" privacy for things like personal correspondence or use within private and commercial organizations.

Re:This is why encryption isn't popular

[hairyfeet]

As the guy that fixes and sets up PCs 6 days a week I can confirm this, in fact I've only had 2 users still use download mail in the past 5 years and both were retired corporates who were used to Outlook, everybody else? Yahoo and Gmail.

So if anybody wants encrypted emails to go anywhere there really needs to be some sort of browser based encryption that can work with Yahoo and Gmail, perhaps by making a generic "here is the email" letter with the actual email as an encrypted attachment? Oh and it'll need to be install-able as an app on Android and iOS, because nothing turns folks off more than not being able to check their email on their smartphones and tablets.

Re: This is why encryption isn't popular

[obarel]

Whether or not you want to trust a card given by the government is one thing.

But if the government actively encourages people to encrypt stuff then there is greater awareness of privacy and encryption. It means that more people understand the concept of private/public keys and are more likely to generate their own keys and use them. They're also no afraid of encryption as a concept (and a question such as "how do I ask for their public key without sounding like a geek" doesn't exist). I think that's a positive thing.

Other countries actively discourage privacy - yes, you can encrypt stuff, but if you don't give us the password then you'll end up in jail and we don't have to prove a thing. And why teach the masses to encrypt? It's so much easier listening to communication in the clear, and we can even perpetuate the notion that if you encrypt your files or communication then you're clearly hiding something and you're probably a dangerous criminal/terrorist/paedophile, because normal people don't use encryption.

PGP won't help you

[MichaelSmith]

The recipient will decrypt you data and lose it or possibly misuse it. That is the risk. But by all means ask for a secure way to get the data to them.

If they need the information...

[rahvin112]

If they need the information they should have a secure way to receive it. I just refinanced, the broker had a secure site (SSL password protected file vault type interface hosted on their own servers) with a web interface that I could upload documents to.

If they don't have such a system in place already and routinely request and access peoples personal information your trust is severely misplaced.

Re:If they need the information...

[rahvin112]

It's nice you know so much about their system from a single sentence. I especially like the fact that in particular you know so much about their system that it was accessible by anyone other than the loan officer and that you are so certain a virus not only was on their system but that it could scan for SSNs, including of course from scanned documents in PDF format (in other wise a bitmap image).

Do you often speculate so egregiously about something you do not even know the anything about?

You act as if you know intimate details of their IT configuration, security procedures and even employee reliability and you don't even know who the bank was (let alone anything else).

Honestly if I have to worry about the broker (who also happened to be a bank) having employees that are going to run off with my SSN then whether or not the transmission was secure is of little importance. I might add that just because you did it hard copy the same rambling risks you listed still applied to you or do you honestly believe the paper copies you received were the only copies ever made or that those same documents in electronic format weren't stored on their servers?

you are pushing shit up hill with that request

[bloodhawk]

You are better off just asking for "A secure means to submit your information" and list a few you are happy to use, Maybe they will send you a public key for secure email, maybe a secure web site or maybe they will just say if you are concerned you can get it couriered to them. If they are confused then chances are they have no system in place for dealing with the request and hence not even secure email is any good as that only protects the data in transit which they will certainly load into some HR system somewhere after it gets there anyway.

Asking Slashdot for advice on being polite??

[bscott]

If you don't have the social skills to phrase a polite question, Slashdot is perhaps not the ideal place to go looking for advice...

Technical issues with giving anyone your private key aside (I can't think of any reason to give it out to someone no matter how much you trust them) just explaining things clearly should work for any reasonable person:

"I have no problem with you having my personal key, but I am concerned about the integrity of the data while in transit. I would appreciate it if you can supply me with a public key for your organization, then I will be able to encode my key so that only you can decode it. This will ensure that our mutual privacy won't be at risk due to using an insecure communication system such as Email. Thanks very much!" etc

Re:just be straight up

[jamesh]

If the data is important enough to encrypt then the public key is important enough to get properly. Asking the person who answers the phones to send you the key is not properly. Even asking the IT department to send it probably isn't good enough as they are in the perfect position to give you their fake key, intercept the email, decrypt it, then re-send it with the real key to the real recipient.

If you are just worried about casual snooping of your "personal data", then just use something like 7zip and provide them with the password out-of-band.

Re:IT Dept

[viperidaenz]

So now a random guy in the IT department has the data, as well as the intended recipient, who then forwards it on in plain text to the PA of the guy who wants it.

Extensions needed!

[DrYak]

We need some developers to setup-in and develop in-browser Firefox/Chrome extensions (or userscript, or whatever) that seamlessly integrate encryption into popular webmails.

You see plain text on the screen, but what actually goes into the "textarea" of the form is encrypted.
There are already javascript "Rich Text Editors" which do similar jobs (you see a nicely formated text on the screen, but its HTML/BBCode/WikiCode going into the textarea). We simply need something similar, but for encryption and packed into the browser itself through extension mechanisms.

(Note: Proper security comes from *end to end* encryption. It's therefor mandatory that the encryption/decryption layer is something that the end users install on their browser, and not something provided by the webmail site, even if it's client-side script code. Though it would help if webmail sites provided a few hooks or micro format to simplify the plugin of the encryption layer).

Bonus point if someone else manage to do the same with OTR and webchats.