But you wouldn't have to distribute your private key. As long as you explain to the consultant that private keys are meant to be private, and you distribute the public key to the public, you should be pretty safe. The headache of public key encryption in this case is that it might take the consultant a bit of time to understand that before you can send the encrypted data to the target, he must obtain the target's public key. The target should be safe with public key... if someone sends them data signed with the wrong/malicious key, the target's private key simply won't decrypt it. So the source needs to be sure that they obtained the target's public key securely--either by having it signed by a trusted authority or distributed in a trusted way (physical delivery usually).
A public key can be just that - public - without loss of security. They can send it on a postcard, or paint it on the outside of their building, or even post it on their web site. I hope you mean a SIGNED public key that is signed by a key you already trust. If the company is sending out unsigned public keys and using them, nothing would be preventing someone else from claiming they are the same company.
Slashdot Mirror
But you wouldn't have to distribute your private key. As long as you explain to the consultant that private keys are meant to be private, and you distribute the public key to the public, you should be pretty safe. The headache of public key encryption in this case is that it might take the consultant a bit of time to understand that before you can send the encrypted data to the target, he must obtain the target's public key. The target should be safe with public key... if someone sends them data signed with the wrong/malicious key, the target's private key simply won't decrypt it. So the source needs to be sure that they obtained the target's public key securely--either by having it signed by a trusted authority or distributed in a trusted way (physical delivery usually).
You work for AOL.