Ask Slashdot: How Do I Request Someone To Send Me a Public Key?
First time accepted submitter extraqwert writes "An organization wants me to send them my personal data by email. I certainly do trust them. However, I would like to politely ask them to send me their public key for encryption. The secretary probably does not know what it is. But they do have a pretty good IT department, so they can figure it out. My question is, what is the proper wording for such a request? What is the right terminology to use? Should I say ``please send me your RSA key''? ``Public key''? ``PGP key''? Is there a standard and reasonable wording for such a request? (On my end, I am using GNU PGP: http://www.gnupg.org/ ) Any suggestions on how to be polite in this case?"
Just as information - in Estonia we have national id cards which have PKCS11 for digital signing and encryption. Everyone already has a key that can be used to encrypt and/or sign data. For instance, the state sends speedcam fines to you via email that are encrypted to your public key and digitally signed by a police officer. Any person can encrypt data to any other person's public key provided that the recipient has an id card with valid certificates. The only caveat is that when the id card expires, the data is unencryptable because new certificates are generated in the new card and then signed by CA.
Well, not in the case given, where you are using the key in order to communicate with the government (e.g. speeding tickets).
Banks should really do this, supply their customers with keys (store them on the cards that banks already give to customers) and then all electronic communication to/from the bank is verified using these keys. Should cut down on most of the phishing scams targeting banks.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Simpler, yes. Desirable, no. It easily means that everything you do in any context is now easily linked. A state-mandated and -enforced real name policy. This is problematic for the same reasons that Facebook or Google forcing this on everyone is problematic. There are serious privacy problems with this.
For example, simply knowing what key a message is encrypted to --and this is generally listed on the outside of a message and thus public-- means that you can do traffic analysis. And so you know which parties are talking to which other parties. Someone getting a lot of messages from the taxman or the state-run fine collector means what, do you think? Or maybe a bank you're trying to get a loan from saw your message stream and now knows that you're also talking to a few other banks, or repo men, or what-have-you. Hmmm.... So even with confidentiality of the contents, you're still leaking information.
As such, this sort of card is only half the solution, especially since the state mandates that you have to use it, and it is so easy. What we really need is a single system that would support a single card (or multiple cards, if you'd like) with multiple identities.
I don't strictly mean birth certificate-backed identities, but at least so that you can separate out the loyalty cards and bus passes so that they can sit on the same card yet not tattle on each other. Because each such card is an "identity" too, carrying a history, and I for one do not want them to be state-enforced on the same identity. In fact, this is the same reason why companies cannot be allowed to gather SSNs without clear law-prescribed purpose, and curiously, that is enshrined in law. Bit of an oversight that this is not.
No, simply saying "you can't mix that information!" is not enough, because it's unenforceable. You need a system where the holder of the identities can control who gets to see what. If the card doesn't support that, it is deficient, and a danger to its holder.
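The comment above notes that the key a message is encrypted to is listed on the outside of the message. As an added example (not part of the original comment), this minimal OpenPGP packet-header parser, following RFC 4880, lists recipient key IDs from an encrypted message without holding any secret key; the sample bytes are constructed for illustration.

```python
# Added example: reads only the unencrypted packet headers of an OpenPGP message.

def read_packets(data):
    """Yield (tag, body) per packet of a binary (de-armored) OpenPGP message."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                       # new-format header (RFC 4880 4.2.2)
            tag = first & 0x3F
            o1 = data[pos]
            pos += 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length = ((o1 - 192) << 8) + data[pos] + 192
                pos += 1
            elif o1 == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:                              # partial body: streamed data follows
                yield tag, data[pos:]
                return
        else:                                  # old-format header (RFC 4880 4.2.1)
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:                     # indeterminate length: runs to the end
                yield tag, data[pos:]
                return
            n = 1 << ltype
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        yield tag, data[pos:pos + length]
        pos += length

def recipient_key_ids(data):
    """Key IDs readable without any secret key (v3 PKESK packets, tag 1)."""
    return [body[1:9].hex().upper()
            for tag, body in read_packets(data)
            if tag == 1 and len(body) >= 10 and body[0] == 3]

# Constructed sample, not a real message: two recipients, then the encrypted data.
_SESSKEY = b"\x01\x00\x08\xAA"                 # algorithm 1 (RSA) + dummy MPI
SAMPLE = (b"\x84\x0d\x03" + bytes.fromhex("0123456789ABCDEF") + _SESSKEY
          + b"\xC1\x0d\x03" + bytes(8) + _SESSKEY      # all-zero ID: hidden recipient
          + b"\xD2\x04\x01\xDE\xAD\xBE")               # tag 18, contents opaque
```

The second recipient shows what GnuPG's `--throw-keyids` or `--hidden-recipient` options produce: an all-zero key ID, so an observer can still count recipients but cannot tell which key each one is.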
Encrypted attachment. The mail body only contains the hint that the real data are in the attachment.
Of course, that won't help you if the recipient is not familiar with using encryption at all...
C - the footgun of programming languages
Or perhaps we ought to just take email back to the drawing board. Something I've pondered is an "email 2" where encryption is required. In addition, to kill email spam, any server that sends out email could be required to have a DNS record identifying it as an established SMTP server, and all POP3/IMAP servers only trust them instead of just accepting emails from any IP address that probably belongs to grandma's compromised PC. Of course, reverse arpa addresses are considered invalid.
Webmail providers could do something akin to mega.co.nz style vault access, and only the user's password could decrypt the messages they receive. Something to the effect of having the user store the RSA keys on a key fob (or otherwise just keeping them local) and when they log in they decrypt the messages, and then re-encrypt using their vault key and store them on the server.
Email 2 addresses could be identified by adding say a greater than sign after the @, indicating to the software stack that only secure transmission is permitted, say email2user@>domain.com
That should also take care of your NSA problem, though companies like Google would never be on board since they can't keyword match ads to messages.
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
Yup. That's pretty much the case, as I said. You lose the encrypted documents. Generally people don't use it to encrypt day-to-day communications. Many people here confuse security and privacy (especially from the government). While our id card system is extremely good and easy for security, it's no good for privacy from the government.
If I exchanged documents with someone that I want to hide from big brother, I would use PGP. But for legal communications with other individuals or businesses or government, I use the id card system.
Uhhh...did you read my post or just see the words "X86" and automatically think of a PC? What I thought I had made clear was the much lower power usage of the new chips by AMD and Intel is gonna lead to them both being used in the places that ARM is used today such as tablets and phones. If you want to get a taste or if any devs want to try AMD already has a prototyping board out that is 4 inches by 4 inches for $199.
And this isn't even the latest and greatest, the new APU they just released a few weeks ago uses less than 3w under typical loads and that is for a dual core like this with a Radeon GPU that does 1080P and I bet even plays a lot of games, I know on my nearly 4 year old Bobcat dual I play the Portal series, L4D and GTA:VC (it would probably play the others but I don't have them) and there are plenty of videos of guys playing even more hardcore games like Crysis on them and getting 30FPS with reduced bling.
So you seem to be confused friend, nobody is gonna make you go back to a PC if you don't want to, you are simply gonna be able to have the power of the PC in your pocket. Once Intel and AMD phones and tablets start hitting en masse I'm sure that all your favorite phone apps will be ported, after all it's the form factor not the arch that makes the app work, you'll just be able to do a HELL of a lot more with your mobile devices thanks to the insane lead X86 has when it comes to IPC. Hell Intel has said both the new Atom and the new CULV mobile chips will have "reduced function" mode which is where the majority of the chip shuts completely down but it's still able to do basic tasks, like say listen to music or receive messages.
I'm telling you all you have to do is look at the benches to see the writing is on the wall for ARM as their latest and greatest can't beat a first gen Core Solo or Athlon 64 and those are 6+ year old chips, you compare the best ARM has to offer against the weakest AMD and Intel offers today and it's no contest, the X86 units just curbstomp ARM when it comes to the amount of useful work per cycle. Will ARM die? No but most likely it'll go back to the original use before the ARM craze took off, being embedded controllers in everything from MP3 players to kiosks.
ACs don't waste your time replying, your posts are never seen by me.