Slashdot Mirror


Ask Slashdot: How Do I Request Someone To Send Me a Public Key?

First time accepted submitter extraqwert writes "An organization wants me to send them my personal data by email. I certainly do trust them. However, I would like to politely ask them to send me their public key for encryption. The secretary probably does not know what it is. But they do have a pretty good IT department, so they can figure it out. My question is, what is the proper wording for such a request? What is the right terminology to use? Should I say ``please send me your RSA key''? ``Public key''? ``PGP key''? Is there a standard and reasonable wording for such a request? (On my end, I am using GNU PGP: http://www.gnupg.org/ ) Any suggestions on how to be polite in this case?"

4 of 399 comments

  1. This is why encryption isn't popular by Anonymous Coward · · Score: 5, Insightful

    Simple and expected processes like this need to be made truly dead simple and nearly automatic. Instead, there are a ton of different formats for keys depending on the usage, and you need to understand a significant amount about what's going on under the covers to do even these kinds of simple actions.

    Incidentally, here's the answer to the question. It's anything but clear, but likely to be clearer than any answer you get here.

  2. you are pushing shit up hill with that request by bloodhawk · · Score: 5, Insightful

    You are better off just asking for "A secure means to submit your information" and list a few you are happy to use. Maybe they will send you a public key for secure email, maybe a secure web site, or maybe they will just say if you are concerned you can get it couriered to them. If they are confused then chances are they have no system in place for dealing with the request, and hence not even secure email is any good, as that only protects the data in transit, which they will certainly load into some HR system somewhere after it gets there anyway.

  3. Re:just be straight up by jamesh · · Score: 5, Insightful

    If the data is important enough to encrypt then the public key is important enough to get properly. Asking the person who answers the phones to send you the key is not properly. Even asking the IT department to send it probably isn't good enough as they are in the perfect position to give you their fake key, intercept the email, decrypt it, then re-send it with the real key to the real recipient.

    If you are just worried about casual snooping of your "personal data", then just use something like 7zip and provide them with the password out-of-band.
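The key substitution described in the comment above is what an out-of-band fingerprint comparison catches. The following is an added example, not code from the thread: it computes the OpenPGP version 4 fingerprint of a received key and compares it with one read out over a separate channel. It assumes a binary (non-armored) export and a v4 key; the function names and both sample keys are constructed for illustration.

```python
import hashlib
import struct

def public_key_body(data: bytes) -> bytes:
    """Body of the leading public-key packet (tag 6) in a binary key export."""
    hdr = data[0]
    if hdr & 0xC0 == 0x80 and hdr & 0x03 < 3:      # old-format packet header
        tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
        length, start = int.from_bytes(data[1:1 + n], "big"), 1 + n
    elif hdr & 0xC0 == 0xC0 and data[1] < 192:     # new format, one-octet length
        tag, length, start = hdr & 0x3F, data[1], 2
    elif hdr & 0xC0 == 0xC0 and data[1] < 224:     # new format, two-octet length
        tag, length, start = hdr & 0x3F, ((data[1] - 192) << 8) + data[2] + 192, 3
    else:
        raise ValueError("unsupported or malformed packet header")
    body = data[start:start + length]
    if tag != 6 or len(body) != length:
        raise ValueError("not a complete public-key packet")
    return body

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-octet length, packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def matches_out_of_band(data: bytes, spoken: str) -> bool:
    """Compare the received key with a fingerprint obtained over another channel."""
    expected = "".join(spoken.split()).upper()     # ignore spacing and letter case
    return len(expected) == 40 and v4_fingerprint(public_key_body(data)) == expected

def constructed_key(n: int) -> bytes:
    """Constructed, unusable v4 RSA public-key packet (sample input only)."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1356998400) + b"\x01" + mpi(n) + mpi(65537)
    return b"\x99" + struct.pack(">H", len(body)) + body

GENUINE = constructed_key(2**255 - 19)       # key the organization actually holds
SUBSTITUTED = constructed_key(2**255 - 31)   # key swapped in by whoever relays the e-mail
fpr = v4_fingerprint(public_key_body(GENUINE))
PHONE = " ".join(fpr[i:i + 4] for i in range(0, 40, 4)).lower()  # as read out by phone

if __name__ == "__main__":
    print("genuine key accepted:    ", matches_out_of_band(GENUINE, PHONE))
    print("substituted key accepted:", matches_out_of_band(SUBSTITUTED, PHONE))
```

The comparison is only as trustworthy as the second channel: the fingerprint has to come from somewhere the party who delivered the key cannot also alter.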

  4. Extensions needed! by DrYak · · Score: 5, Insightful

    We need some developers to step in and develop in-browser Firefox/Chrome extensions (or userscript, or whatever) that seamlessly integrate encryption into popular webmails.

    You see plain text on the screen, but what actually goes into the "textarea" of the form is encrypted.
    There are already JavaScript "Rich Text Editors" which do similar jobs (you see a nicely formatted text on the screen, but it's HTML/BBCode/WikiCode going into the textarea). We simply need something similar, but for encryption and packed into the browser itself through extension mechanisms.

    (Note: Proper security comes from *end to end* encryption. It's therefore mandatory that the encryption/decryption layer is something that the end users install on their browser, and not something provided by the webmail site, even if it's client-side script code. Though it would help if webmail sites provided a few hooks or micro format to simplify the plugin of the encryption layer).

    Bonus point if someone else manages to do the same with OTR and webchats.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]