Thomas A. Fine's PGP Information

Below is my PGP public key, which is currently signed by Steve Romig (as well as by me). If you already know and trust Steve, and have his public key, then you can take the key directly from this page and check his signature on it; if that signature verifies, you know you really have my valid public key.

Otherwise, in order to verify that this is really my key (i.e. my web pages haven't been compromised), you will need to call me on the phone and verify my fingerprint. When doing this, do NOT get my phone number from elsewhere in my web pages, or from finger information. Instead, find the phone number for The Ohio State University's Information, and call them, and ask them for my phone number.

If you don't know how to get a fingerprint from a PGP public key (with PGP 2.6 the command is pgp -kvc followed by the user ID), please read the manuals that came with PGP.

Note that my own signature alone doesn't verify that this key is mine; it only shows that the key hasn't been tampered with since whoever created it signed it (i.e. someone else may have forged a key in my name, signed it with that forged key, and then updated my web page for me). So if you don't know Steve and don't have his public key, you can't trust my signature alone.
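The two checks described above, replayed with GnuPG as an added example (this is not code from the original page, which used PGP 2.6.2, and it needs gpg 2.1 or later). The "Thomas" and "Steve" keys are throwaway keys generated inside the script, the user IDs tom@example.invalid and steve@example.invalid are made up, and the fingerprint "read over the phone" is simply taken from the generator, since there is no phone to call. It also builds the forged key the text warns about, one with the same user ID but only the forger's self-signature, to show that both checks reject it:

```sh
#!/bin/sh
# Added example: the page's two verification paths with GnuPG. Keys, user IDs and the
# "out-of-band" fingerprint are all constructed here; none of them are the real ones.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
# Stop the agents gpg spawns for each scratch keyring, then delete the keyrings.
cleanup() {
  for d in "$WORK"/*/; do GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
}
trap cleanup EXIT

# g NAME ARGS...: run gpg non-interactively against the scratch keyring $WORK/NAME.
g() { h=$1; shift; GNUPGHOME="$WORK/$h" gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }
mk_home() { mkdir -p "$WORK/$1" && chmod 700 "$WORK/$1"; }
# fpr_of NAME USERID: 40-hex fingerprint of the primary key matching USERID in keyring NAME.
fpr_of() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

setup_keys() {
  mk_home tom; mk_home steve; mk_home mallory
  g tom   --quick-generate-key "Thomas A. Fine (test) <tom@example.invalid>" ed25519 default never
  g steve --quick-generate-key "Steve Romig (test) <steve@example.invalid>" ed25519 default never
  TOM_FPR=$(fpr_of tom tom@example.invalid)
  STEVE_FPR=$(fpr_of steve steve@example.invalid)
  # Steve certifies Tom's key ("signed by Steve Romig"); what gets published carries
  # Tom's self-signature plus Steve's certification.
  g tom --export "$TOM_FPR" | g steve --import
  g steve --quick-sign-key "$TOM_FPR"
  g steve --armor --export "$TOM_FPR"   > "$WORK/tom_signed.asc"
  g steve --armor --export "$STEVE_FPR" > "$WORK/steve.asc"
  # The attack the page warns about: a forger makes a key with the same user ID. It is
  # self-signed like every key, but nobody the reader trusts has certified it.
  g mallory --quick-generate-key "Thomas A. Fine (test) <tom@example.invalid>" ed25519 default never
  MALLORY_FPR=$(fpr_of mallory tom@example.invalid)
  g mallory --armor --export "$MALLORY_FPR" > "$WORK/tom_forged.asc"
}

# Path 1: you already hold and trust Steve's key, so what you check is a good
# certification by Steve on the key you downloaded.
verify_via_introducer() {  # $1 keyring name, $2 downloaded key file; 0 iff Steve certified it
  mk_home "$1"
  g "$1" --import "$WORK/steve.asc" "$2"
  printf '%s:6:\n' "$STEVE_FPR" | g "$1" --import-ownertrust   # Steve's key: ultimately trusted
  fpr=$(fpr_of "$1" tom@example.invalid)
  steve_id=$(printf '%s' "$STEVE_FPR" | tail -c 16)            # long key ID = last 16 hex digits
  # --check-sigs emits one "sig" record per certification: field 2 is "!" only when the
  # signature verifies against a key we hold, field 5 is the signer's key ID.
  g "$1" --with-colons --check-sigs "$fpr" \
    | awk -F: -v id="$steve_id" '$1=="sig" && $2=="!" && $5==id {ok=1} END {exit !ok}'
}

# Path 2: no trusted introducer, so compare the downloaded key's fingerprint with the
# one the owner reads to you over the phone ($3).
verify_via_fingerprint() {  # $1 keyring name, $2 downloaded key file, $3 out-of-band fingerprint
  mk_home "$1"
  g "$1" --import "$2"
  [ "$(fpr_of "$1" tom@example.invalid)" = "$3" ]
}

demo() {
  setup_keys
  echo "fingerprint obtained out of band (what you would hear on the phone): $TOM_FPR"
  verify_via_introducer  wot_real   "$WORK/tom_signed.asc" && echo "genuine key: certified by Steve"
  verify_via_introducer  wot_forged "$WORK/tom_forged.asc" || echo "forged key: no certification by Steve, only the forger's self-signature"
  verify_via_fingerprint fp_real    "$WORK/tom_signed.asc" "$TOM_FPR" && echo "genuine key: fingerprint matches"
  verify_via_fingerprint fp_forged  "$WORK/tom_forged.asc" "$TOM_FPR" || echo "forged key: fingerprint does not match"
}
demo
```

The forged key passes gpg's own import and self-signature check without complaint, which is exactly the page's point: a self-signature only proves the key was not altered after its creator signed it, not who the creator was. Either a certification from a key you already trust, or a fingerprint obtained through a channel the attacker does not control, has to supply the binding to a person.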

Trust and Paranoia

You might guess that if someone did break into my account and change my public key, and phone number, then they could also change this notice. This is true. However until that happens, I am at least encouraging people to think carefully about the sources of information, and whether or not those sources can be tainted.

Of course, if you are really paranoid, you'll realize that it is even possible to intercept phone calls intended for me, and still get away with a forgery. They would also have to replace every publicly available copy of Steve's public key. You can see that it starts to become unlikely that someone would really go to such lengths. There comes a point where practicality takes precedence over paranoia. Ultimately this is because it is completely impossible to guarantee the identity of anyone. The best you can do is to take reasonable steps to make it highly unlikely that you've been duped.

The best way to verify my identity is to know (and trust) someone that knows me, and can vouch for me (just Steve at this point). Of course, they could always betray that trust (no guarantees, remember?). Failing that, you would hope to meet me in person, face-to-face. Of course this proves nothing. Only that someone was able to forge all the appropriate documents to match their face (and signature, if you want to carry it that far). At the very least, it is psychologically tougher to lie to someone in person than by phone or through email. And you have the benefit of knowing what they look like if it turns out they have lied to you.

You can confirm in a face-to-face meeting that this is the same person you corresponded with through email, with some sort of shared secret, but that secret could be less secret than you think. Even if the secret is safe, you've only confirmed that the stranger you are staring at is the same stranger that you exchanged email with. They could still be lying about their identity.

Makes you crazy, doesn't it? Just remember, the exact same problem existed before cyberspace, and we've gotten along pretty well. Most of the time, people are introduced to us in circumstances that make identity forgery very unlikely (e.g. mutual friend, or a co-worker verified by your employer). So don't get completely paranoid. But also don't blindly trust technology to provide guarantees that can't possibly be provided.

If you have questions, the World Wide Web Virtual Library has a good starting point on Cryptography, PGP, and Your Privacy.

Type bits/keyID    Date       User ID
pub  1024/D8E1A799 1996/02/29 Thomas A. Fine 
sig       20E76E5D   
sig       D8E1A799             Thomas A. Fine 

Version: 2.6.2

