Digitally signed emails

Digital signatures

Did you receive an email with my digital signature? Here you can read what to do with it. For experts: here is my GnuPG public key and my PKI certificate.

What the signature may tell

The signature holds information about me as a sender and about the contents of the message. With the signature you can verify that I am really the sender of the message and that the contents of the message have not been changed on the way to you (nor on your hard disk).

What the signature can NOT tell

The signature does not contain information about the time the message was created. Nor does the signature give any proof (to me) that you really did receive the message.

How I signed the message

I have used a cryptographic tool to generate the signature. This tool uses special mathematical techniques, which make it very, very unlikely that someone else can use my signature or change my messages. These tools are part of the most common email software.

What if someone else breaks into my computer?

Theoretically, it is possible that someone else steals the secret cryptographic keys that I use to sign my messages. They are stored on one of my computers. Even then, it will be difficult to use them, because they are stored using a cryptographic protection.

The intrusion detection system on my computers will almost certainly signal any theft. In that case, I will revoke my cryptographic keys at the earliest occasion and announce this on the public key servers and on this web page.

How to verify the signature

This is not difficult: most email software does it automatically. To verify the signature, you need to preserve the email message in its original form, including all the attachments and the digital signature.

You also need my public key, which you can download here or from public key servers. This public key is the core of the verification. You should be really sure that this is really my public key. If you hesitate, you can call me by phone, ask me some questions to verify my identity, and ask me to read a part of this key aloud (you can use the 'fingerprint' of the key for this purpose).

You don't need to verify the signature immediately. My public key will always be available via public key servers or this website, even when I revoke it.