PGP and GPG
On this page I collect notes on everything related to security and authentication on the Internet.
Personal use
PGP and GPG are two compatible implementations of asymmetric (public-key) encryption and signing. Their main features are:
- encrypting emails or files: you use the recipient's public key to encrypt the message, so that only the recipient can decrypt it (with the matching private key).
gpg --recipient <user-id> --encrypt <file>
gpg --decrypt <file>.gpg
- signing emails or files: you use your own private key to sign the message, so that anyone holding your public key can verify that you are the author and that the message was not altered.
gpg --detached-sign --armor <file>
gpg --verify <file>.asc
For emails, use software that manages your keyring and signs, verifies, encrypts and decrypts messages automatically, such as the Enigmail add-on for Thunderbird.
Trusted timestamping
If a trusted third party signs a document of yours with its private key, that signature proves both the integrity of the document and its timestamp.
There are a few services that are easy enough for individuals to use:
- https://www.universign.eu/: legally certified, you have 10 free seals.
- http://www.certinomis.com/ and http://www.cachetelectroniquedelaposte.fr: legally certified, but no online registration…
- http://www.itconsult.co.uk/stamper.htm: probably not legally certified, but trustworthy enough for some uses.
- http://time.certum.pl/: untested
- http://www.opentsa.org: experimental and not really certified
You can also use a client program that speaks the RFC 3161 protocol against a server providing the service:
- https://sites.google.com/site/ntpserverspl/client-tsc-rfc3161: binary only, untested
File size problem
One problem I ran into with all the providers I tried is that they limit the file size (at least for the free services) to around 1 MB.
So what I do is sign the large file with my own PGP key and then have my signature officially timestamped. My PGP key does not need to be trusted: only the signature algorithm needs to be sound for the timestamped signature to prove that the file was not modified. Of course it is better to timestamp the file directly when you can, and you may want to encrypt it first, since you have to send it over the Internet.
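As an added example (not the page's own code, nor that of any service listed above), the following Python script shows what an RFC 3161 client like the one mentioned in the previous section actually sends to a timestamping server: a DER-encoded TimeStampReq that carries only the SHA-256 digest of the input. Because just 32 bytes of hash leave your machine, the size limit discussed here does not apply to the RFC 3161 protocol itself, and the input can equally be the detached PGP signature from the workaround above or the large file directly. Everything is standard library; the sample signature bytes are constructed, and no TSA URL is assumed since the page does not name one.

```python
# Added example (not the page's own code): build and parse an RFC 3161
# TimeStampReq with only the Python standard library, to show what a client
# such as the one linked above actually sends to a TSA. Only the SHA-256
# digest of the input leaves your machine, so the input can be the detached
# PGP signature of a large file, as in the workaround described on this page.
import hashlib
import os

SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1


def der(tag, body):
    """Encode one DER TLV; uses the long length form above 127 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + body


def der_integer(value):
    """Encode a non-negative INTEGER, keeping a leading 0x00 if the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def timestamp_request(data, nonce=None, cert_req=True):
    """DER-encode TimeStampReq { version 1, MessageImprint, [nonce], [certReq] }."""
    digest = hashlib.sha256(data).digest()
    algorithm = der(0x30, der(0x06, SHA256_OID) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    imprint = der(0x30, algorithm + der(0x04, digest))          # MessageImprint
    body = der_integer(1) + imprint
    if nonce is not None:
        body += der_integer(nonce)          # lets you match the reply to this request
    if cert_req:
        body += der(0x01, b"\xff")          # certReq TRUE: ask for the TSA cert in the token
    return der(0x30, body)


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_timestamp_request(req):
    """Decode a TimeStampReq back into its fields (used here to check the encoder)."""
    tag, body, end = _read_tlv(req, 0)
    if tag != 0x30 or end != len(req):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        fields.append((tag, value))
    if fields[0][0] != 0x02 or int.from_bytes(fields[0][1], "big") != 1:
        raise ValueError("unsupported TimeStampReq version")
    _, imprint = fields[1]
    _, algorithm, pos = _read_tlv(imprint, 0)
    _, oid, _ = _read_tlv(algorithm, 0)
    _, digest, _ = _read_tlv(imprint, pos)
    result = {"hash": "sha256" if oid == SHA256_OID else oid.hex(),
              "digest": digest, "nonce": None, "cert_req": False}
    for tag, value in fields[2:]:
        if tag == 0x06:
            result["policy"] = value.hex()     # optional reqPolicy OID
        elif tag == 0x02:
            result["nonce"] = int.from_bytes(value, "big")
        elif tag == 0x01:
            result["cert_req"] = value == b"\xff"
    return result


if __name__ == "__main__":
    # Constructed stand-in for a detached signature file; in practice read the
    # real one, e.g. open("backup.tar.asc", "rb").read().
    signature = b"-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n"
    req = timestamp_request(signature, nonce=int.from_bytes(os.urandom(8), "big"))
    # POST req to the TSA URL as application/timestamp-query; the reply
    # (application/timestamp-reply) carries the TSA's signed timestamp token.
    print(len(req), "bytes:", parse_timestamp_request(req))
```

The request is sent to the TSA by HTTP POST with the content type application/timestamp-query, and the reply comes back as application/timestamp-reply. Keep the nonce you sent and check it against the reply, and verify the returned token against the TSA's certificate (for example with `openssl ts -verify`) before relying on it: a token you cannot verify proves nothing about the file.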