A useful feature of this blog, at least for me, is getting me to do the things I should be doing. I’d let my GPG software slip to the point that it didn’t work with my current version of Thunderbird. This past weekend I got it back up to date. Since my PGP key was five years old and not strong enough by current standards, I revoked it and created a new key.
At the same time, I updated my Enigmail add-on for Thunderbird, which is what lets it encrypt and sign messages and decrypt and verify incoming ones. From now on, I’ll sign many of my messages. You’ll need to have some kind of PGP / GPG software on your end to verify the signatures; if you don’t, you’ll just see some meaningless-looking characters at the end, so it’s harmless.
People occasionally ask why I should bother. After all, my normal communication really is from me. Why would people think it’s from anyone else? But forgeries are common on the Internet. Crooks hijack address books for sleazy aims. Sometimes it’s the “You gotta see this!” email with a link to a malware site. Sometimes it’s the “I’m stuck in Timbuktu with no money!” scam. Recently a stalker broke into two UK filk archive accounts to spread a false report that I was dead. Being able to send a message to warn people that it’s an impersonation is valuable.
Even if you don’t care about signing your own messages, you should have the ability to check signed messages. If you receive one, you’ll be able to check its authenticity. Anyone can send a message that looks signed; a signature block is only evidence once your software verifies it against a key you have some reason to trust, and a signature you can’t check tells you nothing. And, of course, you’ll have the ability to send encrypted messages if the need arises, or just for practice.
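To make the difference between “looks signed” and “verifies” concrete, here is an added example (not code from the original post, and not tied to Enigmail) that creates a throwaway GnuPG keyring, signs a message, and then checks three things: the genuine message, a copy with one word altered, and the genuine message as seen by someone who doesn’t have the signer’s public key. It assumes GnuPG 2.1 or later is installed as `gpg`; the signer identity and the message text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sign, verify, and see verification fail. Requires GnuPG 2.1+.
set -eu

# Everything happens in temporary keyrings so the real ~/.gnupg is untouched.
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/signer"
mkdir -m 700 "$GNUPGHOME"
mkdir -m 700 "$WORK/recipient"          # a second, empty keyring: "no public key"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Constructed identity for the example; not a real person or key.
SIGNER='Example Signer <signer@example.invalid>'

# 1. Generate a modern signing key (Ed25519, one-year expiry). No passphrase,
#    so the script runs unattended; a real key should have one.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$SIGNER" ed25519 sign 1y

# 2. Clearsign a constructed message, the same inline form a mail client
#    produces when it signs (not encrypts) a message.
printf 'Meeting moved to Tuesday. Please bring the backup tapes.\n' > "$WORK/msg.txt"
gpg --batch --yes --clearsign --local-user "$SIGNER" \
    --output "$WORK/msg.asc" "$WORK/msg.txt"

# 3. A forger's edit: change one word inside the signed text, keep the signature.
sed 's/Tuesday/Wednesday/' "$WORK/msg.asc" > "$WORK/tampered.asc"

# verify FILE KEYRING_DIR: run gpg --verify with the given keyring and print
# one word for the outcome, read from gpg's machine-readable status lines.
verify() {
  status=$(GNUPGHOME="$2" gpg --batch --status-fd 1 --verify "$1" 2>/dev/null || true)
  case "$status" in
    *GOODSIG*)   echo GOOD ;;   # signature checks out against a key we hold
    *BADSIG*)    echo BAD ;;    # we hold the key, but the text was altered
    *NO_PUBKEY*) echo NOKEY ;;  # looks signed, but we cannot check it at all
    *)           echo ERROR ;;
  esac
}

result_genuine()  { verify "$WORK/msg.asc"      "$GNUPGHOME"; }
result_tampered() { verify "$WORK/tampered.asc" "$GNUPGHOME"; }
result_unknown()  { verify "$WORK/msg.asc"      "$WORK/recipient"; }

echo "genuine message, signer's key known:   $(result_genuine)"   # GOOD
echo "one word changed, signer's key known:  $(result_tampered)"  # BAD
echo "genuine message, signer's key unknown: $(result_unknown)"   # NOKEY
```

The third case is the one that matters for everyday mail: to a reader without the signer’s public key, the genuine message and a forgery with a made-up signature block look identical. Verification only becomes meaningful once you have obtained the sender’s key through some channel you trust (in person, from a keyserver plus a fingerprint check, or signed by someone you already trust).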
GnuPG.org has several guides on using the software.
There was a time when people held key signing parties at science fiction cons. The enthusiasm has mostly gone away. It should come back.