PGP Keys
I possess several PGP/GPG key pairs. You can download a reasonably recent copy of all of them here.
Current Key Pair
My current key pair (ID 0x9A804E97D7079C77) is a standard 4096-bit RSA key pair created on 28-September-2011. Its fingerprint is:
5E6D 6EAE 16C3 DA75 450B 219C 9A80 4E97 D707 9C77
You can get hold of this key with all its signatures from a key server, or download a reasonably recent copy of it as an ASCII armoured file.
Always check the fingerprint, don’t just trust the key ID.
Because a key ID is just the last few hex digits of a SHA-1 hash, it’s relatively simple for someone to generate a second PGP key with the same key ID and pretend to be me, or anyone else. In fact this happened back in 2014 for everyone’s short form (8-digit, 32-bit) key IDs. You can read more about that if you’re interested.
This page therefore shows the long form (16-digit, 64-bit) key IDs instead, but you should still only treat a key ID as a way of searching for someone’s key, not as part of verification of that key.
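The check described above, as an added example that is not part of the original page: it derives the long and short key IDs from the fingerprint published here, and accepts a key only when all 160 bits of the fingerprint match. It goes slightly beyond the text by also showing how a version 4 fingerprint is computed from the public-key packet (RFC 4880, section 12.2); the lookalike fingerprint and the toy RSA values are constructed for illustration, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

# Fingerprint published on this page for the current key pair.
PUBLISHED_FPR = "5E6D 6EAE 16C3 DA75 450B 219C 9A80 4E97 D707 9C77"
# Constructed lookalike: same low 64 bits, different high 96 bits.
LOOKALIKE_FPR = "0123 4567 89AB CDEF 0123 4567 9A80 4E97 D707 9C77"


def normalize(fpr: str) -> str:
    """Return 40 upper-case hex digits, or raise if this is not a v4 fingerprint."""
    h = "".join(fpr.split()).upper()
    if h.startswith("0X"):
        h = h[2:]
    if len(h) != 40 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("expected a 160-bit (40 hex digit) fingerprint")
    return h


def long_key_id(fpr: str) -> str:
    """64-bit key ID: the last 16 hex digits of the fingerprint."""
    return normalize(fpr)[-16:]


def short_key_id(fpr: str) -> str:
    """32-bit key ID: the last 8 hex digits of the fingerprint."""
    return normalize(fpr)[-8:]


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_fingerprint(created: int, n: int, e: int) -> str:
    """SHA-1 over 0x99, 2-byte length, and the v4 RSA public-key packet body."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def same_key(candidate_fpr: str, trusted_fpr: str) -> bool:
    """Accept a key only when all 160 bits of the fingerprint match."""
    return hmac.compare_digest(normalize(candidate_fpr), normalize(trusted_fpr))


if __name__ == "__main__":
    print(long_key_id(PUBLISHED_FPR) == long_key_id(LOOKALIKE_FPR))  # key IDs collide
    print(same_key(LOOKALIKE_FPR, PUBLISHED_FPR))                    # fingerprints do not
    print(v4_fingerprint(1317168000, 0xC0FFEE, 65537))               # constructed toy key
```

Passing a bare key ID to same_key raises ValueError, so a 64-bit ID can never be mistaken for a verified fingerprint.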
You can use this to send encrypted mail to me if you like, but please note that I don’t always have the appropriate software and keyring to hand, so using it may delay a response.
I also use this key pair to sign the occasional e-mail message or software package to prove that they are from me. If you are going to rely on such signatures, you should probably verify the fingerprint with me personally the first time, and/or encourage someone you already trust to do the due diligence and then sign my public key.
Back when PGP and GPG were more popular, people used to use the web of trust and in particular its “strong set” (of which my keys are a part) to find trust paths from their keys to others. Unfortunately, most of the tools supporting this kind of analysis are, as of 2021, now defunct.
An alternative to the web of trust approach is the Keybase system, which provides cryptographic bindings between different identity components. My Keybase profile includes this site, my e-mail address and current PGP key.
Previous PGP Key Pair
My previous key pair (ID 0xEF40FC29EA2882BB) is a DSS/ElGamal key pair created on 30-April-2002.
I have marked it as expired as of 2021-02-26.
Its fingerprint is:
C555 B169 838B 1E93 6F1C 397A EF40 FC29 EA28 82BB
You can get hold of this key with all its signatures from a key server, or download a reasonably recent copy of it as an ASCII armoured file.
I’m no longer soliciting signatures for this key pair, and I no longer use it either to sign messages or other public keys. The main reason for its continued existence is to keep me connected to the strong set while I gather signatures on my current key.
Revoked PGP Key Pair
My original key pair was a 1024-bit RSA key pair (ID 0x4CE47DAFB566E329) dating back to December 1993. I don’t regard that as a secure key size any more, so I have revoked this key to prevent it being used.
Recent Updates
- 2025-01-07:
  - Added a new encryption subkey to my current key.
- 2023-10-26:
  - Added a new signing subkey to my current key.
  - Changed external keyserver links from pgp.re (which appears to be defunct) to keyserver.ubuntu.com.
- 2021-07-05:
  - Altered the key server referenced for copies of my key, now that sks-keyservers.net has ceased operation as of June 2021.
  - Removed references to the site covering the “strong set”, including the statistics pages and the path finder, now that pgp.cs.uu.nl has ceased operation.
  - Removed references to Big Lumber, which seems less relevant after the previous two sites went offline.