Cryptographic Identity
I’m a longtime advocate for the use of strong cryptography. It’s a topic that’s excited me since I was young. I feel lucky to have lived through an information and privacy revolution thanks in large part to the cypherpunks. The world owes them a huge debt of gratitude. They paved the way for us, and we’ve all greatly benefited.
My Public Keys
Here you can download my personal and work public keys. I mostly use these for signing email and code commits, but you’re welcome to email me encrypted content. Each includes a SHA-224 hash for verifying the file’s integrity, and each is available on public keyservers. Note that these keys are cross-signed.
Personal
- key file: 🔐 3A8B02E4C8C508B615424A36943ECEA0A1FD4EEC
- SHA-224: #️⃣ 0194ac9ad18ad11a6c71b8f24e05865a35cd49b8ed61adbe065e0090
- from keyservers: 🗝️ keyserver.ubuntu.com, 🗝️ keys.opengpg.org
- from DNS: dig +short steve._pka.waits.net. TXT
Work
- key file: 🔐 A68958BC5F0288720ED6C5B65072E23BCF20C4EB
- SHA-224: #️⃣ e649c35ca1a09dd774ab207b23e9d6f6cfb4c9efb9de14148a20643b
- from keyservers: 🗝️ keyserver.ubuntu.com, 🗝️ keys.opengpg.org
Importing My Keys to Your Keychain
You can do this easily with the GUI tool of your choice, like GPGTools for macOS. But to do it from the command line with GnuPG, start by downloading the key file (personal.asc.txt used in this example) and then run:
gpg --import personal.asc.txt
My Signature Profile
The following signed text is my digital signature profile. Its purpose is to prove that the person who controls the keys listed above is also in control of the accounts listed in the signature. It’s assumed, but not guaranteed, that I am the sole person controlling those keys. This adds confidence, but is not foolproof.
When you visit any of the proofs listed in the signature you should see either:
- a link back to this page,
- or a token similar to openpgp4fpr:3A8B02E4C8C508B615424A36943ECEA0A1FD4EEC
If you don’t, I might not own that page/account/domain/whatever. Or, I may have forgotten to set up the link. You can email me if you’re curious.
This signature profile is inspired by keyoxide.org.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi, I'm Stephen Waits <steve@waits.net>. This is my signature profile.
Verify this profile at https://swaits.com/cryptography under the "My Signature Profile" section.
dns:hackers.org?type=TXT
dns:swaits.com?type=TXT
dns:waits.net?type=TXT
proof=https://gist.github.com/swaits/4fe94be23b28d57e0eb48c15bbc1ba8e
proof=https://gitlab.com/swaits/gitlab_proof
proof=https://hackers.org/@swaits
proof=https://lichess.org/@/swaits
proof=https://lobste.rs/u/swaits
proof=https://news.ycombinator.com/user?id=swaits
proof=https://sr.ht/~swaits/
proof=https://twitter.com/swaits/status/1643359047528349696
proof=https://www.linkedin.com/in/swaits/
-----BEGIN PGP SIGNATURE-----
=e6XM
-----END PGP SIGNATURE-----
Verifying this Signature
Assuming you imported my personal key as listed above, you can verify this signature by running:
gpg --verify signature-profile.asc.txt
You should see output like this:
gpg: Signature made Mon Apr 3 14:25:21 2023 MDT
gpg: using RSA key 3A8B02E4C8C508B615424A36943ECEA0A1FD4EEC
gpg: issuer "steve@waits.net"
gpg: Good signature from "Stephen Waits <steve@waits.net>" [ultimate]
gpg: aka "[jpeg image of size 10613]" [ultimate]
Note that the signing date may differ as I update this signature profile.
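The proof check described under "My Signature Profile", as an added example that is not part of the original page: Python code that pulls the dns: and proof= claims out of the profile body and tests fetched content for the full-fingerprint token or a link back to this page. The function names and sample strings are constructed for illustration; fetching each page or TXT record is left to the caller, and only text that gpg --verify has reported as a good signature should be parsed.

```python
import re

# Fingerprint and profile URL as given on this page.
FINGERPRINT = "3A8B02E4C8C508B615424A36943ECEA0A1FD4EEC"
PROFILE_URL = "https://swaits.com/cryptography"

# Excerpt of the signed body above (three of its claim lines).
PROFILE_BODY = """\
Hi, I'm Stephen Waits <steve@waits.net>. This is my signature profile.
dns:waits.net?type=TXT
proof=https://lobste.rs/u/swaits
proof=https://sr.ht/~swaits/
"""

# Constructed samples standing in for content fetched from a proof location.
SAMPLE_TOKEN = "bio: openpgp4fpr:" + FINGERPRINT.lower()
SAMPLE_LINKBACK = '<a href="https://swaits.com/cryptography">my keys</a>'
SAMPLE_OTHER_KEY = "openpgp4fpr:" + "0" * 40   # some other key's token
SAMPLE_SHORT_ID = "openpgp4fpr:A1FD4EEC"       # short key ID only


def parse_claims(body):
    """Return (kind, target) pairs for each dns: and proof= line."""
    claims = []
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("proof="):
            claims.append(("url", line[len("proof="):]))
        elif line.startswith("dns:"):
            # dns:<domain>?type=TXT -> keep only the domain
            claims.append(("dns", line[len("dns:"):].split("?", 1)[0]))
    return claims


def proof_matches(content, fingerprint=FINGERPRINT, profile_url=PROFILE_URL):
    """True if content carries the full-fingerprint token or a link back."""
    # Require exactly 40 hex digits; a short key ID is easy to collide with.
    tokens = re.findall(r"openpgp4fpr:([0-9A-Fa-f]{40})(?![0-9A-Fa-f])", content)
    if any(t.upper() == fingerprint.upper() for t in tokens):
        return True
    return profile_url in content


if __name__ == "__main__":
    for kind, target in parse_claims(PROFILE_BODY):
        print(kind, target)
    for sample in (SAMPLE_TOKEN, SAMPLE_LINKBACK, SAMPLE_OTHER_KEY, SAMPLE_SHORT_ID):
        print(proof_matches(sample), sample[:40])
```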