Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: How Do I Request Someone To Send Me a Public Key?

timothy posted about a year ago | from the use-all-caps-and-lots-of-imperatives dept.

Encryption 399

First time accepted submitter extraqwert writes "An organization wants me to send them my personal data by email. I certainly do trust them. However, I would like to politely ask them to send me their public key for encryption. The secretary probably does not know what it is. But they do have a pretty good IT department, so they can figure out. My question is, what is the proper wording for such a request? What is the right terminology to use? Should I say ``please send me your RSA key''? ``Public key''? ``PGP key''? Is there a standard and reasonable wording for such a request? (On my end, I am using GNU PGP: http://www.gnupg.org/ ) Any suggestions on how to be polite in this case?"

cancel ×

399 comments

Sorry! There are no comments related to the filter you selected.

This is why encryption isn't popular (5, Insightful)

Anonymous Coward | about a year ago | (#44528961)

Simple and expected processes like this need to be made truly dead simple and nearly automatic. Instead, there are a ton of different formats for keys depending on which the usage and you need to understand a significant amount about what's going on under the covers to do even these kinds of simple actions.

Incidentally, here's [gnupg.org] the answer to the question. It's anything but clear, but likely to be clearer than any answer you get here.

Re:This is why encryption isn't popular (5, Informative)

Octorian (14086) | about a year ago | (#44529001)

And heaven help you if you're using a web-based Email system, which basically breaks all these options. You know, like nearly all "normal" people are now doing.

Extensions needed! (5, Insightful)

DrYak (748999) | about a year ago | (#44529507)

We need some developers to setup-in and develop in-browser Firefox/Chrome extensions (or userscript, or whatever) that seamlessly integrate encryption into popular webmails.

You see plain text on the screen, but what actually goes into the "textarea" of the form is encrypted.
There are already javascript "Rich Text Editors" which do similar jobs (you see a nicely formated text on the screen, but its HTML/BBCode/WikiCode going into the textarea). We simply need something similar, but for encryption and packed into the browser itself through extension mechanisms.

(Note: Proper security comes from *end to end* encryption. It's therefor mandatory that the encryption/decryption layer is something that the end users install on their browser, and not something provided by the webmail site, even if it's client-side script code. Though it would help if webmail sites provided a few hooks or micro format to simplify the plugin of the encryption layer).

Bonus point if someone else manage to do the same with OTR and webchats.

Re: This is why encryption isn't popular (5, Interesting)

shitzu (931108) | about a year ago | (#44529209)

Just as information - in Estonia we have national id cards which have PKCS11 for digital signing and encryption. Everyone already has a key that can be used to encrypt and/or sign data. For instance, the state sends speedcam fines to you via email that are encrypted to your public key and digitally signed by a police officer. Any person can encrypt data to any other person's public key provided that the recipient has an id card with valid certificates. The only caveat is that when the id card expires, the data is unencryptable because new certificates are generated in the new card and then signed by CA.

Re: This is why encryption isn't popular (4, Insightful)

Anonymous Coward | about a year ago | (#44529339)

Would this mean that the gov't office that gave you the national ID card is also responsible for generating & storing your private key? If this is the case, it means the gov't has everyone's keys, and the encryption becomes meaningless. :/

Re: This is why encryption isn't popular (1)

Anonymous Coward | about a year ago | (#44529425)

If this is the case, it means the gov't has everyone's keys, and the encryption becomes meaningless.

The government is far from the only set of 'bad guys" out there. If this provides a straightforward way of protecting my personal data from criminals, and reducing identity theft, then I'd say it was significantly better than nothing.

Re: This is why encryption isn't popular (4, Interesting)

Bert64 (520050) | about a year ago | (#44529473)

Well not in the case given, where you are using the key in order to communicate with the government (eg speeding tickets).

Banks should really do this, supply their customers with keys (store them on the cards that banks already give to customers) and then all electronic communication to/from the bank is verified using these keys. Should cut down on most of the phishing scams targeting banks.

Re: This is why encryption isn't popular (5, Informative)

shitzu (931108) | about a year ago | (#44529585)

In Estonia these id cards are used for everything. You can log into banks, you can communicate with any state official. You can sign any contract digitally with them. You can encrypt documents to another person's public key. Etc. This is much simpler than banks and everyone giving out their own cards - i only need one.

Re: This is why encryption isn't popular (2)

we3 (546328) | about a year ago | (#44529483)

No, the key would actually be generated on the card, as it has its own cryptographic processor, and cpu. Its called a smart card.

I have no idea if they are actually doing this, as I am not estonian and am completely unfamiliar with thier ID card issuing process, but he seems to be implying that they do.

Remember, there are two ways to get a key on a smartcard. You can have it generate a key(which CAN be signed without the key leaving the card), or you can generate the key externally and then import it.

Re: This is why encryption isn't popular (0)

Anonymous Coward | about a year ago | (#44529493)

in theory, these ID cards are smartcards and keys are generated inside the card by its own processor, and cannot be extracted,

but who knows, who knows :)

Re: This is why encryption isn't popular (5, Informative)

shitzu (931108) | about a year ago | (#44529563)

The key pair is generated INSIDE the card. This is the norm with most PKCS11 cards. The private key never leaves the card, your public key is signed by state. So the state does not have your private key per se.
But that does not necessarily mean they have no means to decrypt it some other way - i don't even pretend to know that.

Re: This is why encryption isn't popular (4, Insightful)

iluvcapra (782887) | about a year ago | (#44529605)

The private key never leaves the card

Right, and who had possession of the card before you? These sorts of schemes are perfectly fine for government communication, signing contracts, banking, whatever, but they don't provide "4th Amendment Compliant" privacy for things like personal correspondence or use within private and commercial organizations.

Re: This is why encryption isn't popular (0)

Anonymous Coward | about a year ago | (#44529341)

Another caveat is that authority creating these cards has the ability to take a copy of all the private keys to themself and use it to decrypt all the encrypted messages.

Re: This is why encryption isn't popular (2)

IamTheRealMike (537420) | about a year ago | (#44529435)

Some chips have the ability to generate key material inside themselves that never leaves and requires destroying the chip to obtain. If the cards were using such a chip then even the government would not necessarily have the private key. Whether Estonia does that or not I don't know, but of all the governments I fear in the world, the government of Estonia is not one of them. I mean, please name one other government that actually encourages and makes it easy for its citizens to use strong end to end encryption?

Re: This is why encryption isn't popular (3, Insightful)

michelcolman (1208008) | about a year ago | (#44529495)

Well, if I were leading a country and wanted to spy on all my citizens' e-mail, giving them all an easy way to encrypt their mail using keys I provided sure seems like a great way of achieving that goal.

However, the point is that you can securely communicate personal data with the government. In that case, you are not worried about the government being able to read your mail as they are precisely the ones you are communicating with. You just worry about criminals outside of the government. Also, you can safely transmit any data that is already known by the government to any third party. Name, address, credit card numbers, etcetera.

Now, if you want to communicate with your terrorist buddies about how to blow up the Estonian Parliament, encryption with your national ID card is probably not the best idea.

(Note to NSA spies reading this: yes, I know your filter was triggered by the phrase "blow up the Estonian Parliament", sorry about that, false alarm, nothing to see here)

Re: This is why encryption isn't popular (3, Funny)

BlueStrat (756137) | about a year ago | (#44529551)

(Note to NSA spies reading this: yes, I know your filter was triggered by the phrase "blow up the Estonian Parliament", sorry about that, false alarm, nothing to see here)

NSA, are you actually going to fall for that old ploy? Parent post is probably a message to an Estonian sleeper-cell.

Listen, "michelcolman" (is that your code-name?) the NSA aren't your average morons!

Strat

Re: This is why encryption isn't popular (1)

shitzu (931108) | about a year ago | (#44529623)

I understand that for hiding things from the government the Estonian one is not an ideal solution. But the original problem involved communicating personal information with some kind of business entoty while securing privacy of said info from third parties while in transit. And for that the Estonian national ID card system is perfect as it is universal and accepted by everyone and all keys are in place and nothing needs to be exchanged.
If you want to hide something from the big brother you should not send the information to a business entity in the same country no matter what the encryption in transit is.

Re: This is why encryption isn't popular (1)

philip.paradis (2580427) | about a year ago | (#44529651)

Mod parent up. I'm genuinely curious what particular brand of idiot would wake up saying "hey, since the government provides me with this awesome crypto, I'll use it for everything" instead of generating his own keys for anything personal in nature.

I mean, heck, one might almost believe that such an individual were receiving telepathic communications from Edward Snowden detailing how to link up with Julian Assange in Afghanistan or Iraq to be schooled in the manufacture of improvised explosive devices for a doctoral thesis on violence while watching television coverage of congressional hearings with Senators and the president, all while pundits drop bombs online so to speak with regard to hypothetical tactics for the handling of terrorist threats in urban areas such as Boston, New York, Chicago, Atlanta, Dallas, San Diego, and other high value targets.

I know, it's all just so crazy.

Re: This is why encryption isn't popular (0)

Anonymous Coward | about a year ago | (#44529657)

Another caveat is that authority creating these cards has the ability to take a copy of all the private keys to themself and use it to decrypt all the encrypted messages.

Even if they don't have the private keys, they do have the CA signing key, so they can generate new keys to impersonate anyone. Additionally, there is presumably some database of public keys which they also control. If the government is investigating someone, they could feed the suspect bogus public keys when the suspect requests keys for other people. So don't trust such a system to protect you from the government. That said, (with the tinfoil hat firmly wrapped around my head) it's likely that public key cryptography is broken anyway. There are 1) known functioning commercial quantum computers and 2) NSA has shown an immense lust for information

Re: This is why encryption isn't popular (1)

Janek Kozicki (722688) | about a year ago | (#44529597)

OMG, I want to live in Estonia.

Re:This is why encryption isn't popular (1)

Agent ME (1411269) | about a year ago | (#44529269)

Enigmail for Thunderbird has a nice interface for keyservers hidden under some menu if I remember right.

Re:This is why encryption isn't popular (0)

Anonymous Coward | about a year ago | (#44529431)

Parent has noted the problem perfectly--but maybe an easy solution would simply be to support a protocol saying "GetPublicPGPKey()", that just returned it to your client transparently? Save a lot of time and avoid having this centralised management BS.

Re:This is why encryption isn't popular (0)

Anonymous Coward | about a year ago | (#44529441)

It's not popular because we enable and encourage ignorance by trying to figure out how to make something that is by its nature not simple, "dead simple". There's no excuse to not know these things in the current climate. If people don't, they are not to be trusted.

Re:This is why encryption isn't popular (0)

Anonymous Coward | about a year ago | (#44529487)

> dead simple and nearly automatic.

it cannot be automatic, key exchange must be made in physical presense, not over untrusted channels

Re:This is why encryption isn't popular (-1)

Anonymous Coward | about a year ago | (#44529613)

1. Bullshit! This is already automatized! If you receive a public key file, and you open it, your graphical shell can tell by its ending (or by using "file" tool) what to open it with. And then, e.g. with PGP, the file itself already contains the information about what encryption method was used. I seems you never used any of that, but the more ignorant you are, the more you choose to open your mouth anyway.

2. That's not how the universe works! You cannot simply dumb down everything endlessly! Otherwise the boolean value "true" would describe the entire universe, and could still be dumbed down. It has to end somewhere! And we don't get to choose that so it happens to match our level of maximum laziness! How about, instead of dumbing things down, YOU *wise up*, for a change?
There's a point of maximum efficiency. But with MacOS / Windows, we are already FAR beyond that, in the land where its "simplicity" actually slows you down and makes things *more* tedious. And with iOS / Windows 8 / Ubuntu Unity / auto-correct / Clippy aka. Siri / ShowView / AOL and other abominations of stupidity, go get your tattoo, Mr. "Not Sure", because we have officially entered the land of Idiocracy, and it’s September... forever...

Let's just all, as a planet, stop caving in whenever some idiot yells that it's too hard for him because he chose to be such a lazy dumbfuck that it's actually harmful to himself.
The right, healthy reaction for an intelligent life form, is to laugh at his failure, offer to help him wise up if he's a friend, use it to your advantage if he's an enemy, and in any case, enjoy your lead in natural selection.

just be straight up (1)

jasper_amsterdam (788332) | about a year ago | (#44528989)

Ask the secretary 'could you please ask your IT department for your' and then use any term, since they'll know.

Re:just be straight up (5, Insightful)

jamesh (87723) | about a year ago | (#44529121)

If the data is important enough to encrypt then the public key is important enough to get properly. Asking the person who answers the phones to send you the key is not properly. Even asking the IT department to send it probably isn't good enough as they are in the perfect position to give you their fake key, intercept the email, decrypt it, then re-send it with the real key to the real recipient.

If you are just worried about casual snooping of your "personal data", then just use something like 7zip and provide them with the password out-of-band.

Re:just be straight up (1)

jasper_amsterdam (788332) | about a year ago | (#44529317)

Good point, the public key being public is key.

Re:just be straight up (2)

icebike (68054) | about a year ago | (#44529335)

This.

Ideally, Public keys should be exchanged in person, or be obtained by a third party that you trust.

Failing that, a public key for some company or person with whom you wish to send encrypted email can often be found on their website. And if its been there for a while, and can be verified by a key server, then it is probably good enough to send them encrypted mail with, but you still don't know for sure who they are.

But at least you know that what you send won't be seen by every prying eye along the route.

But the sad part is that 98 percent of the companies you might deal with haven't a single clue what a public key is.

In my day job we've had our public key published on our Web site for 10 or more years, and get maybe one or two emails a year, usually paying by credit card, from cluefull people.

Once set up, all the major email packages can handle pgp. Shame on them for making it an add-on, but its still available, even for gmail and Hotmail, etc. Just stay away from their web interface and set up a decent email software. You can find these even for Android.

Re:just be straight up (2)

DarkOx (621550) | about a year ago | (#44529557)

Just imagine if we had some system were you could cryptographically secure DNS values, and some defined TXT record were you could expect to get an organizations public key.

This would work nicely because the client could safely and automatically fetch the key, encrypt the message, or just sign it. It would then be ciphered at least as far as the last hop publicly exposed mail server, safe from prying eyes at your ISP, their mail rescue service, etc.

Sure it only works for org level keys, but it would be an easy step in the right direction

Re:just be straight up (1)

michelcolman (1208008) | about a year ago | (#44529505)

You are assuming they know how to unzip a file, and that they are even allowed to use the required application. And anyway, chances are that any zip attachment will not even make it through the malware filter.

What you're asking is what everyone should do imho (0)

Anonymous Coward | about a year ago | (#44528993)

Check if they already offer encryption by looking for a key linked to their public e-mail address on a keyserver. If not, just politely ask whether they offer encryption. Tell them what kind of encryption you support (afaik S/MIME and PGP are the standards). Send them your public key (or point them to keyservers.) Ask whether you can use snail mail if they don't offer encryption. That's what I do, and sometimes it even works :)

PGP won't help you (4, Insightful)

MichaelSmith (789609) | about a year ago | (#44528995)

The recipient will decrypt you data and lose it or possibly misuse it. That is the risk. But by all means ask for a secure way to get the data to them.

Re:PGP won't help you (1)

mysidia (191772) | about a year ago | (#44529011)

The recipient will decrypt you data and lose it or possibly misuse it. That is the risk. But by all means ask for a secure way to get the data to them.

You could always print it out and fax it or snail mail it. Probably more secure. Even if there is now one copy of the data in the trash after they are done with it.

Maybe talk to them about privacy concerns and ask if their operation has an ISO 27001 info security certification to help validate proven safe handling of data.

Re:PGP won't help you (0)

Anonymous Coward | about a year ago | (#44529037)

Right! There're always a less trustworthy party in any interaction. Trust involves at least 2 trustworthy parties.

The submitter is asking about how to politely word a request meant for people who don't understand encryption.

Let loose? Nobody cares.

Re: PGP won't help you (1)

erpbridge (64037) | about a year ago | (#44529073)

The same could be said of any method you use. The end result will be a form in which data is outside your hands, in someone else's. whether paper, fax (also paper), optical media, or electronically transmitted by email, it still needs to be in a human readable and understandable format as the end result. And as a result of that... Unless you use the electronic version and have a document management DRM on it, it will always be in a form which can be copied, distributed, and potentially misused.

The key here is how best to secure it in transit. Electronic transmit, preferably something other than email (secure FTP? ) is much more preferable to a physical transmit. If the data you are transmitting is so secure you want to shield it from prying eyes or interception during transmit, physical is one of the last options you can choose.

Re:PGP won't help you (-1, Offtopic)

sac7895 (2753975) | about a year ago | (#44529265)

i agree with you watch [relaxtube.net]

Just ask directly (1)

Anonymous Coward | about a year ago | (#44528999)

... and since this data is sensitive and personal I'd like to encrypt it before sending to you, to ensure it is protected against unauthorized access from 3rd parties.
What is your preferred encryption method to use for this?
Best Regards,
bla bla bla

This lets them name their method (if they have any); if they don't know you could point them to the PGP website (... could you ask in your IT department what encryption is preferred/used? bla bla bla widespread use of PGP bla bla bla)

IT Dept (0)

Anonymous Coward | about a year ago | (#44529005)

Having a pretty good IT department doesn't mean the companies end users have PGP.

I would ask for their "PGP Public Key" with a note that says if they don't understand what that means to please forward the email to their IT Department.

Then if you get the public key, and you send the data, leave another note in the plaintext portion that says if they don't understand what all the jibberish is to ask their IT Department for help opening the email.

Re:IT Dept (3, Insightful)

viperidaenz (2515578) | about a year ago | (#44529187)

So now a random guy in the IT department has the data, as well as the intended recipient, who then forwards it on in plain text to the PA of the guy who wants it.

Re:IT Dept (1)

icebike (68054) | about a year ago | (#44529353)

The idea is not to actually send encrypted mail to the IT department, but to shame the IT guy into doing something he should have had set up along time ago.

Re:IT Dept (1)

michelcolman (1208008) | about a year ago | (#44529509)

So now a random guy in the IT department has the data, as well as the intended recipient, who then forwards it on in plain text to the PA of the guy who wants it

using hotmail.

It's a lost cause (3, Informative)

symbolset (646467) | about a year ago | (#44529013)

If the secretary can find somebody to decrypt your info, she will handle it improperly. Probably scan it directly to their compromised CMS. This is not a company you want to work for.

Re:It's a lost cause (1)

eneville (745111) | about a year ago | (#44529165)

What is the harm in putting the PUBLIC key into a CMS? The whole point of the public half of the key is that you can place it in the wild.

Re:It's a lost cause (1)

symbolset (646467) | about a year ago | (#44529311)

It's not the public key that's the problem. The secretary doesn't understand. She'll decrypt your CV and everything else you send her, scan it to her email and then post the scan in the CMS. You might as well just print a flyer and hang it on every phone pole.

Re:It's a lost cause (1)

malzfreund (1729864) | about a year ago | (#44529417)

Trying to use PGP in this instance is a lost cause. You risk missing a deadline, you risk that your file doesn't reach the right recipient, you risk that you will be frowned upon, etc. If they encouraged encrypted submissions, they would probably make their public key accessible. Since they don't make the key available (I assume you've done your research), still to what's conventional in the business. Either email unencrypted or send via snail mail (using a courier service).

Pay them to send the public key. (1)

AmbiLobe (2999721) | about a year ago | (#44529457)

Most people are too lazy and confused to use a public key cryptosystem. They need motivation to use their brains. The standard way to motivate lazy people is to pay them to lift a finger to push a few buttons.

Party!!! (2)

c0lo (1497653) | about a year ago | (#44529021)

Attend or organize a key signing party [wikipedia.org] .

Re:Party!!! (1)

icebike (68054) | about a year ago | (#44529379)

Not helpful in obtaining a key with which to send email.

You don't need to trust a key to use it. All you have to do is be assured that the recipient received and was able to read your email. If you communicate with that person via other means you simply ask if they got it.

Re:Party!!! (0)

Anonymous Coward | about a year ago | (#44529617)

Woah. At first glance I read that you were suggesting your slashdot brethren attend or organize a key party [wikipedia.org] .

That would probably not work out well.

If they need the information... (3, Insightful)

rahvin112 (446269) | about a year ago | (#44529031)

If they need the information they should have a secure way to receive it. I just refinanced, the broker had a secure site (SSL password protected file vault type interface hosted on their own servers) with a web interface that I could upload documents to.

If they don't have such a system in place already and routinely request and access peoples personal information your trust is severely misplaced.

Re:If they need the information... (1)

hawguy (1600213) | about a year ago | (#44529085)

If they need the information they should have a secure way to receive it. I just refinanced, the broker had a secure site (SSL password protected file vault type interface hosted on their own servers) with a web interface that I could upload documents to.

If they don't have such a system in place already and routinely request and access peoples personal information your trust is severely misplaced.

That's not a secure system unless you know how it's protected on the other end. If the uploaded files end up on the corporate fileserver that everyone in the office has access to (including any virus that seeks out SSN's on file shares and emails them to the world, or a rogue employee that figures our that he can increase his income by selling SSN's that he's scraped out of the open fileserver), then it's just the illusion of security. Kind of like those websites that say "Your credit card is safe with us, we use 128 bit SSL encryption to protect it!" while the back end emails your card number to the merchant.

But at least that's a step above my broker who sent me a loan doc "protected" by encrypting it with the last 4 digits of my SSN. I started picking up documents in person after that. I asked about PGP and of course, they had no idea what I was talking about.

Re:If they need the information... (4, Insightful)

rahvin112 (446269) | about a year ago | (#44529143)

It's nice you know so much about their system from a single sentence. I especially like the fact that in particular you know so much about their system that it was accessible by anyone other than the loan officer and that you are so certain a virus not only was on their system but that it could scan for SSNs, including of course from scanned documents in PDF format (in other wise a bitmap image).

Do you often speculate so egregiously about something you do not even know the anything about?

You act as if you know intimate details of their IT configuration, security procedures and even employee reliability and you don't even know who the bank was (let alone anything else).

Honestly if I have to worry about the broker (who also happened to be a bank) having employees that are going to run off with my SSN then whether or not the transmission was secure is of little importance. I might add that just because you did it hard copy the same rambling risks you listed still applied to you or do you honestly believe the paper copies you received were the only copies ever made or that those same documents in electronic format weren't stored on their servers?

Re:If they need the information... (2)

Demonantis (1340557) | about a year ago | (#44529469)

I don't think he is outside the realm of reasonable speculation. Sony had their psn servers compromised and had credit card data ripped off. The connections inbetween were complete secure, but the data still got stolen. It also wasn't a rogue employee either. Data protection laws really need to be tightened up and enforced with auditing. A lot of the stuff is almost as good as cash and should be treated as such.

Re:If they need the information... (0)

Anonymous Coward | about a year ago | (#44529633)

It is not a single sentence, and your trust is misplaced. Are you certain there was no mitm attack? Is SSL really secure? Did you enable only tls? Do you know how to break SSL? Ocr exists since forever, now. PDF as scan is broken.

Ignore the employees and your entire trust chain, they don't care more than having employment.

The loan officer is not only person having info you sent, and careful questions will answer this. Audit trail more important than secrecy.

Now you trust sysadmin? You admit more people have your data. How many more?

Re:If they need the information... (1)

hymie! (95907) | about a year ago | (#44529397)

Unfortunately, you have no way of controlling, or even knowing, how the receiving company will handle your private information. The best you can do is protect the actual transmission of the information, which SSL should do for you.

Re:If they need the information... (0)

Anonymous Coward | about a year ago | (#44529437)

That's not a secure system unless you know how it's protected on the other end. If the uploaded files end up on the corporate fileserver that everyone in the office has access to (including any virus that seeks out SSN's on file shares and emails them to the world, or a rogue employee that figures our that he can increase his income by selling SSN's that he's scraped out of the open fileserver), then it's just the illusion of security. Kind of like those websites that say "Your credit card is safe with us, we use 128 bit SSL encryption to protect it!" while the back end emails your card number to the merchant.

With ANY form of secure communication you are reliant on the other end handling the contents appropriately. If the OP hand-delivered hard copies of the information, the other end would most likely enter the information into the same system, where it will be just as vulnerable.

A workstation decrypting a PGP-secured message could just as easily be sharing a decrypted copy of the message with the whole office as a server receiving the message over SSL/TLS, and the workstation is no less vulnerable to information-gathering malware.

How? (3, Funny)

macraig (621737) | about a year ago | (#44529039)

How Do I Request Someone To Send Me a Public Key?

I prefer signal fires myself.

Plot hole (1)

xombo (628858) | about a year ago | (#44529061)

If IT sets it up, won't they have the key?

Switch to an easier technology (5, Informative)

mysidia (191772) | about a year ago | (#44529063)

PGP is beyond the grasp of the average secretary or other end user. Unless you know for a fact that the person disseminating the data is familiar with PGP; you should probably not be asking them for their public key.

I strongly recommend an encrypted PDF, Word Document (.DOCX), or Excel file (.XLSX); make sure to choose a strong password.

I like the Office 2010 strong encryption and use of key stretching to make brute force password attacks hard --- but there is a free of charge reader available for PDF documents, and you should pick a strong password for encrypted documents anyways.

Technically, you could implement DRM rights management services on your end, so the user has to contact your organization's RMS server over HTTPS for a license every time the document is opened, but it requires a trust relationship between orgs, or you having an account for the user.

But the simple password protection is a very nice way to protect it. You can include a note in the e-mail message that you will be calling them to give them the password, so they can see the document.

Then there is no confusion about what a 'PGP key is'. If you _regularly_ exchange a lot of documents with them, then you might ask to discuss using PGP

Re:Switch to an easier technology (2)

jamesh (87723) | about a year ago | (#44529129)

Agree. If you think it's okay for the untrusted secretary or IT department of an organisation to supply the public key then you don't understand public key encryption. Just use a password protected file and supply the password out-of-band.

Re:Switch to an easier technology (0)

Anonymous Coward | about a year ago | (#44529173)

Technically, you could implement DRM rights management services on your end, so the user has to contact your organization's RMS server over HTTPS for a license every time the document is opened, but it requires a trust relationship between orgs, or you having an account for the user.

This is a terrible idea. What self-respecting corporation would store a document in an encrypted format, which they did not have the means to decrypt without external assistance? Consumers may be dumb enough to do this, but any IT department worth their salt wouldn't permit it.

Re:Switch to an easier technology (1)

mysidia (191772) | about a year ago | (#44529501)

This is a terrible idea. What self-respecting corporation would store a document in an encrypted format, which they did not have the means to decrypt without external assistance? Consumers may be dumb enough to do this, but any IT department worth their salt wouldn't permit it.

The other organization's IT department doesn't have a legal say in how you as author of a document choose to license your work to their IT organization. Protection of privacy rights trumps the recipient's rights.

You don't need assistance to open it; the recipient does --- if you rights management services, the recipient needs your assistance (license) to open the document; it's your information and therefore your document, not the recipient's.

You can also control such functions as copy and paste and printing, and expire their access to a rights protected document. Depending on why the other organization needs the information.

Although they may be able to copy information from the document manually; they may do so at their own legal risk.

Re: Switch to an easier technology (1)

Kjella (173770) | about a year ago | (#44529595)

But that company probably have no legal requirement to deal with you either, they'll just insist you submit it their way and if you don't then stop processing your case. Good luck trying to find a lawyer who'll take on non-delivery of a product or service or job application or payout or whatever because you insisted on delivering it in some weird format. The government is in theory better, in practice nobody cares if you don't get your building permit or driver's license or social security number either.

Re:Switch to an _older_ technology (1)

Anonymous Coward | about a year ago | (#44529307)

Use a fax. No, it's not encrypted in transit, but it would likely be more _actually_ secure, as opposed to spending so much time trying to get PGP setup and then screw up something basic... not to mention, people actually know what they are.

Re:Switch to an easier technology (1)

Pav (4298) | about a year ago | (#44529499)

Bitmessage [wikipedia.org] ?

Buying a house (3)

MrEcho.net (632313) | about a year ago | (#44529077)

I ran into this situation very recently, im in the process of buying a house. It was a bit of a shock to me how much personal information they wanted. And most through email. And how my data is being passed along from business to business without good security.

I use good practices on my side like two factor authentication, and ssl on everything, even a bit of pgp. But the other side who knows.

you are pushing shit up hill with that request (5, Insightful)

bloodhawk (813939) | about a year ago | (#44529083)

You are better off just asking for "A secure means to submit your information" and list a few you are happy to use, Maybe they will send you a public key for secure email, maybe a secure web site or maybe they will just say if you are concerned you can get it couriered to them. If they are confused then chances are they have no system in place for dealing with the request and hence not even secure email is any good as that only protects the data in transit which they will certainly load into some HR system somewhere after it gets there anyway.

Re:you are pushing shit up hill with that request (0)

bigstrat2003 (1058574) | about a year ago | (#44529433)

This is probably the best way to tackle it. Although frankly, the real answer is that your personal data almost certainly isn't important enough to bother encrypting it. But if you must be paranoid, then let them choose the best method, because I guarantee you that if you start asking them for a public key their eyes are going to glaze over.

Use protected zip file with password (1)

Anonymous Coward | about a year ago | (#44529091)

Just compress your data in a zip file and protect it with a reasonable long password. Send it by e-mail and communicate the password to the recipient by phone.

You won't have to explain anything other than the receiver of the communication, it is easy and the receiver will have the means to decrypt the zip file for sure.

Re:Use protected zip file with password (1)

eneville (745111) | about a year ago | (#44529183)

You can do similar with PGP symmetric passphrase protected files (gpg -c). Has the advantage of giving receive a bit more clue to what is out there.

Asking Slashdot for advice on being polite?? (4, Insightful)

bscott (460706) | about a year ago | (#44529095)

If you don't have the social skills to phrase a polite question, Slashdot is perhaps not the ideal place to go looking for advice...

Technical issues with giving anyone your private key aside (I can't think of any reason to give it out to someone no matter how much you trust them) just explaining things clearly should work for any reasonable person:

"I have no problem with you having my personal key, but I am concerned about the integrity of the data while in transit. I would appreciate it if you can supply me with a public key for your organization, then I will be able to encode my key so that only you can decode it. This will ensure that our mutual privacy won't be at risk due to using an insecure communication system such as Email. Thanks very much!" etc

Re:Asking Slashdot for advice on being polite?? (1)

bscott (460706) | about a year ago | (#44529171)

Whoops - I misread the post - they're not asking for your private KEY, just private data... ah well, most of the suggested sentence structure still holds.

We NEED a Dead Simple PGP solution (1)

thelukester (2722207) | about a year ago | (#44529133)

Ten years ago, my company had a policy to use PGP and Symantec PGP software installed on all computers. Even the engineers had issues and failed to use it regularly. I remember having to logmein to machine in China to try to figure out why they couldn't read an email with our designs. This is why PGP never took off.

Until the tools take 5 min to setup. And encryption/decryption is as easy as clicking a checkbox in your mail client, PGP will never take off. Things like the public key directory have to handled transparently to the user.
It's too bad Mozilla dropped support for Thunderbird. Tight integration with GnuPG + cloud public keys could have made mainstream PGP a reality.
-----

Companies don't have public email keys (1)

gnasher719 (869701) | about a year ago | (#44529145)

Every recipient has his or her own private/public key pair. You send an encrypted message to one (or more recipients), and they will be able to read it, nobody else.

The easiest way to get someone's public key is to convince them to send you a signed message. That is, if your email software can handle it. A signed message contains the sender's public key, and hopefully your email software allows you to stash that key away (automatically) and from then on send encrypted messages to that person.

Chances are that they have private/public key pairs that use a company root certificate, so you wouldn't be able to verify that certificate, which might throw a spanner in the works.

A Smart Billboard Ad (0)

Anonymous Coward | about a year ago | (#44529149)

If you don't use GPG...

(photo of a lock and key)

FUCK YOU!

Re:A Smart Billboard Ad (1)

auric_dude (610172) | about a year ago | (#44529489)

If you don't use GPG...

(photo of a lock and key)

FUCK YOU!

No, you have been, you are being and you will be fucked.

Re:A Smart Billboard Ad (0)

Anonymous Coward | about a year ago | (#44529531)

why so serious?

Easy (-1, Offtopic)

sociocapitalist (2471722) | about a year ago | (#44529157)

Send the public key in a normal open email and confirm the hash by voice.

It's the private key that's sensitive and should be kept secure.

Simple. Don't. (2)

Xiph1980 (944189) | about a year ago | (#44529193)

I'm sorry to say, but the simple fact of the matter is that PGP/GPG isn't used anywhere in corporate life. Not even in banking-related companies.
For one, people don't perceive email as something that can easily be snooped, and if they do they'll think it's something like a chance encounter as if it's a regular piece of mail where you have to be at a certain point at a certain time to be able to snatch the mail, plus have to have a reasonable idea what you're looking for as a mail thief.
Secondly, and I cannot stress this enough, it's a f'ing drag to use. It's not easy to install. It's not easy to set up, and it's far from user friendly on a day to day basis.

Besides the fact that email encryption isn't commonplace, as long as you aren't sending you pin number or medical data on a regular basis (daily), why bother to be honest. You'll get a stamp as "that weird guy" if you start about PGP etc, and that'll last. If you want to send it securely, just wrap it in an encrypted container, like a ZIP or RAR file and phone them the password.

Re:Simple. Don't. (1)

kencf0618 (1172441) | about a year ago | (#44529291)

Using the NATO phonetic alphabet, I presume.

Forget it (except for PGP) (1)

DrXym (126579) | about a year ago | (#44529237)

S/MIME encrypted email is virtually dead. It was and still is badly implemented in email software (e.g. stuff like searching encrypted messages is usually totally broken) and the ludicrous efforts required to obtain and maintain a key render it useless to all but the most determined person.

At least with GPG/PGP you can roll a key with no effort and there are public key servers to upload the public key. Persuading someone else to generate such a key and use it is another matter. Probably needs a strong business case which can be impressed on the other person.

Not Proper (0)

Anonymous Coward | about a year ago | (#44529245)

I seems doubtful that anyone but the IT department would have any idea what you are asking for, who probably wouldn't want to deal with you directly without direction. You could ask them to liase you to the IT department, that might get things going.

Or send a physical disk. Unless you're worried about the courier being jumped, it's probably quite safe.

No, they don't. (2)

ledow (319597) | about a year ago | (#44529281)

"An organization wants me to send them my personal data by email."

"But they do have a pretty good IT department"

No. They don't. Or their IT department is seriously underpowered in terms of getting through to their staff. Don't send personal data by email. If they don't have a system to let you do this (e.g. secured web form, etc.) then their IT department is already a bit of a failure. If they do, their staff would use it and tell you about it.

If you want to ask, just ask. "I'm not going to send personal data by unencrypted email - what is your procedure for encrypted email?"

Chances are, they won't have one and will just ask you to send the details unencrypted or by another method entirely.

Dude! (-1)

Anonymous Coward | about a year ago | (#44529287)

Just send a self extracting encrypted file. Encrypted using a strong password and good encryption. Send the password by some other means, like phone/fax.

Re:Dude! (0)

Anonymous Coward | about a year ago | (#44529323)

Robert Clayton Dean: What the hell is happening?

Brill: I blew up the building.

Robert Clayton Dean: Why?

Brill: Because you made a phone call.

- http://www.imdb.com/title/tt0120660/ [imdb.com]

Google Docs (0)

Anonymous Coward | about a year ago | (#44529289)

Put it on google docs and share it to them from there.

Who cares? (1)

manu0601 (2221348) | about a year ago | (#44529333)

Who cares? That data will end up in a NSA datacenter anyway.

Key (-1)

Anonymous Coward | about a year ago | (#44529349)

Virtual-Notary.Org hereby notes that on
    Date: Saturday August 10, 2013 05:10.17 EDT (UTC-0400)

a random drawing in the range [1, 100000], inclusive, based on
a hardware source of true randomness, yielded the following decision.

    Random Value: 50276

God says...

82:8 Arise, O God, judge the earth: for thou shalt inherit all
nations.

83:1 Keep not thou silence, O God: hold not thy peace, and be not
still, O God.

83:2 For, lo, thine enemies make a tumult: and they that hate thee
have lifted up the head.

83:3 They have taken crafty counsel against thy people, and consulted
against thy hidden ones.

83:4 They have said, Come, and let us cut them off from being a
nation; that the name of Israel may be no more in remembrance.

83:5 For they have consulted together with one consent: they are
confederate against thee:

Anal & Vaginal Placement (-1)

Anonymous Coward | about a year ago | (#44529361)

after sex has concluded, insert a small balloon in your lover's rectum (or vagina), allowing for the tip to remain outside of the anus. inside the small balloon is a small flash memory chip containing the code.

Why worry? (1)

hymie! (95907) | about a year ago | (#44529381)

I don't see why you should be concerned about the request or how "polite" it is. A simple statement to the effect that "I do not send personal information over the Internet without encryption. Please send me instructions as to how your company handles encrypted email. My preferred method is GnuPG, and this will be the quickest and easiest way from my end, but I can try to accommodate other methods."

Surely you use DropBox, Google Drive, or other (1)

XMKT (2664229) | about a year ago | (#44529391)

Create folder, then put the relevant documents into that folder and wait for them to sync. Get person on the phone... "What's your email address?" Share folder with them and tell them they will have 30 minutes to download it. Remove their access to the folder - rinse and repeat to new person(s) as required. Unless you actually want to provide the document in a protected format, this avoids all issues with software compatibilities and is pretty secure, except for what the recipient might do with it after they have it, but then if they have been able to decrypt it with their personal key, then they could take screenshots if nothing else to compromise your security...

That's pretty unheard of (1)

Anonymous Coward | about a year ago | (#44529459)

You must be pretty new to the business world. I've had a PGP/GPG key ready to use since 1995. You know how many times I've used it for anything less security critical than the company's main password list? None.

The front desk girl is just going to ask her boss what the heck you're talking about, and he's going to tell you where you can stick your key. You will look like a crackpot trying to get them to secure your social security number with GPG. Just let it go and fight some real battles that you can win.

EXPLICITLY ask them NOT to send the private key (2)

lkcl (517947) | about a year ago | (#44529521)

this is really important. people who don't know what ssh keys are will typically send you the id_rsa (private) key file.

IT IS VERY IMPORTANT that you say to them EXPLICITLY and VERY CLEARLY, "please send me the public key file *only*. DO NOT send me the PRIVATE key. you can identify the private key because it is named xyz. i ONLY want you to send me the PUBLIC key, it is named xyz.pub. if you send me the private key, you will have to destroy it and we will have to start again, so ONLY send me the PUBLIC key, ok?"

and get them to acknowledge what you've said. do not be afraid to "piss them off" by having to be so absolutely specific. make sure you end the sentence with what you *want* them to do, *not* what you *don't* want them to do. depending on the person they could potentially remove the "negative" by their subconscious and do exactly what you ask... with the words "no", "not", "don't" etc. removed.

also if you want to be paranoid then use the signature-thing (fingerprint). get them to read it out to you over the phone (not by email).

Makes me wish there was a followup option... (1)

larwe (858929) | about a year ago | (#44529587)

This is one of those Slashdot stories where I wish there was a "and they all lived happily ever after?" button on the story where we could all get an instant link to a paragraph or two about how the story finally turned out... because my money is on "they told me to fax it, so I visited the dumpster behind the Smithsonian, found an old fax machine, and sent it to them". It would have been helpful if you could have specified what size of organization (two guys and a lhasa apso? six billion dollar multinational?), and what the relationship is - are you a client? a prospective employee? illegitimate father of the CEO's daughter's new baby? Are you sending them your social security number, DOB and such, or are you sending them the biometric information they need to disarm the nuclear bomb you planted in their cafeteria? The answers to those questions constrain variables like a) the actual value of this private information to the outside world, b) the degree to which the company will feel exposed to liability risk if your data is leaked in transit, and hence their motivation level for doing something about it, c) the likelihood that they actually have a formal key exchange infrastructure in place, d) the likelihood that there is someone actively intercepting this communication line looking for this type of information, among many other things. Since you don't know the answers to these questions, I would call, not email, the person you're supposed to send this data and say "I'm uncomfortable sending the naked pictures you requested via unencryped email on the Internet. Is there a secure way I can submit them?" If they don't have an immediate answer, you can then suggest examples - but as I indicated in my opening sentence, I think the likelihood is that your path of least resistance is fax, assuming whatever you need to send them can be faxed. Of course, whatever route your data takes, you are then totally at the mercy of their internal document security procedures. All security is an illusion. The document I really don't like submitting electronically (but am forced to all the time) is the W-9 Proof of Taxpayer #. For a $50 payment when a TV station bought one of my YouTube videos, I had to email this (nothing else was accepted and no encryption was possible). Normally I prefer to send this form via snail mail, but air dates yada yada.

WRONG WRONG WRONG... (0)

Anonymous Coward | about a year ago | (#44529635)

Why do you want their key?
Send them your keys. That's the safest way. This way you're 100% in control.

S/MIME (2)

X10 (186866) | about a year ago | (#44529641)

I use www.djigzo.com. It's open source, it uses S/MIME, it's server based, and it's easy to use.

simple answer.. don't (0)

Anonymous Coward | about a year ago | (#44529649)

just fax the data to the secretary.. that's what they're there for, to handle administrative tasks such as receiving faxes and information and routing to appropriate persons.

Why don't you use something like 7-Zip encryption? (0)

Anonymous Coward | about a year ago | (#44529659)

Instead of making the email process a real mess for both party, with all the problem that come with it, why not just send all personnal info in a encrypted file container and then phone the destination and give em the proper password and/or way to decrypt the informations ?

That way easier that assuming that they IT department would even want to mess around GPG/PGP, depending on their country laws, etc...

Search for Public Keys (0)

Anonymous Coward | about a year ago | (#44529661)

Just search for the companies domain at http://pgp.mit.edu/

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>