http:// www.jms1.net / pgp_keys.shtml

PGP Keys

I have been using PGP for many years. At first it was just something cool to play with, however I've been building mail servers and computer networks for many years- I know first-hand, exactly how easy it is for ISPs, "hackers", corporations, and governments to read other peoples' email.

And since there is no realistic way to prevent this from happening, it only makes sense to encrypt my emails whenever possible, so that even if they do happen to look at my message (out of the billions of emails which cross the internet every day) they won't be able to read it.

If you ever need to send me email, even if it's not something which needs to be private, I encourage you to encrypt it using one of the "Current keys" listed below, just on principle.


Current keys

This is the key I use for personal stuff. It is attached to my Keybase account.

pub rsa4096 2019-03-21 [SC] [expires: 2025-01-01] E3F7F5F76640299C5507FBAA49B9FD3BB4422EBB uid [ full ] John Simpson <jms1@jms1.net> uid [ full ] John Simpson <kg4zow@mac.com> uid [ full ] John Simpson <kg4zow@kg4zow.us> sub rsa4096 2019-03-21 [E] [expires: 2025-01-01] 3C8EC9C7B067A4C542F9727D795C2CF824364755 sub rsa4096 2019-03-21 [S] [expires: 2025-01-01] 77DEBB0C8C7FBAFF1E0E70DCE9E44ED30E2F2445 sub rsa4096 2019-03-21 [A] [expires: 2025-01-01] 7A6B95B6BF897A6497165AE436823233F8D09EB7

This is the key I use for things related to my "day job".

pub rsa4096 2019-03-21 [SC] [expires: 2025-01-01] 14F8F8DF7FE86329094D6DA04630606F0B2F31A6 uid [ full ] John Simpson <john.simpson@hillrom.com> uid [ full ] John Simpson <jms1@voalte.com> uid [ full ] John Simpson <john_simpson@baxter.com> sub rsa4096 2019-03-21 [E] [expires: 2025-01-01] 3F3DAB40AD5AE10491679EC5BBBED5820D44C7C7 sub rsa4096 2019-03-21 [S] [expires: 2025-01-01] F3CC037161F05E7A70934DB6C1478D170340C405 sub rsa4096 2019-03-21 [A] [expires: 2025-01-01] CF4475895CEE0F90DF7CA27C9BFA9EE0AAFC107C sub ed25519 2022-01-24 [A] [expires: 2025-01-01] FE2E073B2D97B6F640858D92D1AFD1A93C23AB00


Older keys

This key expired 2023-01-01. I'm not planning to renew it.

pub rsa4096/0xA7EC1FBAB3B50007 2017-11-27 [SC] [expires: 2023-01-01] BDC84CA878FD827A4C0BB361A7EC1FBAB3B50007 uid [ultimate] John Simpson <jms1@jms1.net> uid [ultimate] John Simpson <kg4zow@mac.com> uid [ultimate] John Simpson <jms1@voalte.com> uid [ultimate] John Simpson <kg4zow@kg4zow.us> sub rsa4096/0x2A9EB3A620A1C087 2017-11-27 [E] [expires: 2023-01-01] sub rsa4096/0xCE5735E1E04C1374 2017-11-27 [S] [expires: 2023-01-01] sub rsa4096/0xA634470ECECC41E0 2017-11-27 [A] [expires: 2023-01-01]

This key has not been revoked, but I plan on doing so at some point.

pub rsa4096/0x6B2EDC90B5C6DC30 2017-05-27 [SC] 6353320118E1DEA2F38EAE806B2EDC90B5C6DC30 uid [ultimate] John M. Simpson <jms1@voalte.com> uid [ultimate] John M. Simpson <jms1@jms1.net> sub rsa4096/0x297E5961AB566594 2017-05-27 [E]

This key has not been revoked, but its original expiration date was 2011-08-03. I have updated it to not expire, but not everybody got the update, and some people consider it expired. In the interest of avoiding confusion, and because I wanted a longer key, I have stopped using this key and now use the one above instead.

pub dsa1024/0x8F8D8C9A9014AD1A 2008-08-03 [SC] 5AA49FD4D245733518C2F3D98F8D8C9A9014AD1A uid [ultimate] John M. Simpson <jms1@jms1.net> uid [ultimate] John Simpson <jsimpson@atlantic.net> uid [ultimate] John Simpson <jms1@atlantic.net> uid [ultimate] [jpeg image of size 5148] uid [ultimate] John Simpson <jms1@jms1.net> sub elg4096/0xC6655C940F6C5215 2008-08-03 [E]

This was the first key I generated "for real", with the intention of sharing it with the world and using it on a regular basis. I haven't used this one since 1999-2000, and in fact I have forgotten the passphrase for its secret key, so I can't create a revocation certificate for it. Please don't use this key anymore.

pub 1024R/2FB5EDA9 1996-04-06 John Simpson <jms1@spamcop.net> Key fingerprint = 8F EA B0 95 6C C4 02 F8 11 1D BE 62 48 09 05 52 uid John Simpson <jms1@depeche.mode.net> uid John Simpson <jms1@jms1.net>


Revoked keys

These are old keys which I have decided I will never use again. If you happen to have one of them in your keyring, please add the revocation certificates as well, so that your PGP client won't try to use them by accident.

Revoked 2008-08-04 pub 1024D/3306FCFB 2002-02-27 John Simpson <jms1@jms1.net> Key fingerprint = 3E71 7105 6DE0 EFA1 00B5 B12D 101F 5173 3306 FCFB uid [image of size 4420] uid John Simpson <jms1@spamcop.net> sub 4096g/71CF8D66 2002-02-27

Revoked 2008-08-04 pub 1024D/9EDD51D9 1998-01-05 John Simpson <jms1@jms1.net> Key fingerprint = 47EC DE79 2527 83E9 08DB 7E75 708D 7E9E 9EDD 51D9 uid John Simpson <jms1@depeche.mode.net> uid Thawte Freemail Member <jms1@depeche.mode.net> uid [image of size 4420] uid John Simpson <jms1@spamcop.net> sub 2048g/8C0A413C 1998-01-05


Notes

YubiKey

My current PGP keys are physically stored on YubiKeys. (I do have backups of the secret keys, securely stored in multiple locations.) The YubiKey stores the secret keys in a "secure element", similar to the secure elements where newer phones and computers store things like credit card numbers and biometrics (face prints, fingerprints, etc.) Keys can be uploaded into the YubiKey, but there is no way to download keys out of the YubiKey.

Without going into a bunch of technical detail, all of my "current" PGP keys have separate signing sub-keys. The YubiKeys have the secret keys for these sub-keys, and specifically do NOT contain the secret key for the primary. This means that, using the YubiKeys, I am able to do everything except the following operations, which can only be done using the primary key:

Renewing keys

Since I generally "extend" each key for one year at a time, this means that once a year I have to boot up Tails without connecting it to any network, read in a backup with the actual secret keys, and run commands like this for each PGP key (using "BDC84CA878FD827A4C0BB361A7EC1FBAB3B50007" as the key ID) ...

After doing this for each key, I copy all of the xxx.pub.asc files to a "normal" USB stick, and shut down Tails. Note that I don't need to update the backups - the secret keys for the primary and sub-keys don't change (unless I generate new ones on purpose), and the certifications which set the new expire date are contained within the "xxx.pub.asc" files.

Then, on any computer where I need the public key, I can "import" the new "xxx.pub.asc" files using a command like this...

Assuming the keyring already has an older version of this key, this will update the key's expiration date within that keyring, making it "valid" for another year. And if it didn't have any other version of the key, this will add it, with the new expiration date.

I also upload copies of the "xxx.pub.asc" files to my web server, so they're downloadable using the links near the top of this page. 😁