Last update: 1996/5/21 - trivial

Authentication of my Web Files

[why]-[how]-[signatures]-[way back]-[Peter's Page]

What

Authentication is the other major function of public key cryptography, besides privacy. Using PGP, any person can digitally sign any computer file. Any other PGP user who has the signer's public key can then verify that signature.

This HTML file, and the others that comprise my Web pages, contain my PGP signature. Your Web browser will probably let you view the source of this page. At the tail end of it you will see a block of seemingly random characters. That is my signature, in a form that you cannot read but your computer can.

You recognize a handwritten signature because it looks like others you have seen from the same person. But familiarity with a signature does not make it easy for anyone to make one that looks much like it. PGP recognizes a digital signature by verifying that it matches, in a certain mathematical way, both the file to which it was applied and a specific public key: it computes a hash of the file and checks, using the public key, that the signature was produced from exactly that hash. Even though the public key may be widely known, knowing it does not let any computer forge a signature that matches it within my lifetime (after which it does not matter anyway). Just as any specific handwritten signature can be made by only one person (at least in theory), any specific PGP signature can be made only with the corresponding secret key. And a PGP secret key is generally the closely guarded secret of a single person.

Why

A PGP signature is much like a hand written signature. It may mean something to you if you know whose signature it is. But just what it may mean depends a lot on what it was applied to.

If you happen to have known me, or known of me, before you accessed these pages, and if you have a copy of a key that you can somehow be sure is mine, then you can verify that these pages came from the person you know and not from an imposter.

Actually, I don't know of anyone else who has ever claimed to be Peter Midnight or who has masqueraded as me in any way. But if anyone ever did, they would surely distribute a key which they had falsely identified as mine. Therefore, verifying these signatures with the key you got here proves nothing by itself, unless you can trust one of the other people's signatures on that key.

But if you have my key from any other source, you will have a pretty good indication that these pages really did come from the same guy as that key. And if any practical joker ever edits my pages behind my back, it will show as a bad signature when you check. Unfortunately, it will not be obvious otherwise: an edited or forged page looks exactly like a genuine one until you verify it. Please do not hold me accountable in any way for anything you may read in these pages unless you have bothered to verify my signature.

How

Now that your brain has been softened up a bit, try this step by step procedure:

  1. Obtain PGP and install it in your computer.

  2. Obtain my public key and add it to your public key ring.

    If you don't have it from a more trusted source, take it from here. You may be able to improve your confidence in it later. Please be sure you don't have more than one key identified as mine on your public key ring. You may, however, see my name listed more than once on the same key, with different e-mail addresses. You may also see my name listed as a signer on other people's keys.

  3. Have PGP take a look at each of my HTML files.

    Just how you do this will depend on what computer and operating system you use. Save the raw source exactly as your browser received it and give that file to PGP. Please don't cut and paste one into Windoze Write or otherwise convert it into a word processing file. The formatting information this adds changes the bytes of the file, and PGP would then tell you that the signature was bad, even if the file had been valid to start with.

  4. Also check the signatures of my image files.

    This part is a little tricky. (Like the rest of this wasn't!) Even though I have signed an image, that signature alone does not prove it was the one I intended for any particular reference in an HTML file: someone could substitute a different image that I had also signed. Fortunately, when PGP checks a signature, it tells you the date and time recorded when the signature was made, and that time stamp is part of what the signature covers, so it cannot be changed without breaking the signature. As long as I never sign two files in the same second, the time stamp uniquely identifies each signature, and thus the file to which it applies. I have included the correct time stamps for references that I have signed, both below and in comments in my HTML files; since the HTML files are themselves signed, those comments cannot be altered behind my back either. (I am still looking for a way to make these references easier for you to verify.)
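As an added illustration (this is not code from this page and not PGP itself): the same hash-and-sign scheme modelled in Python with a small RSA implementation, so you can see what "matches in a certain mathematical way" means, watch a word-processor conversion or a quiet edit break the signature, and exercise the time-stamp check that ties an image signature to its reference in a signed HTML file. It uses SHA-256 and PKCS#1 v1.5 padding where PGP 2.x used MD5 and its own packet format; the `<!-- sig: NAME EPOCH -->` comment format, the file contents and the keys are all constructed for the demo.

```python
import hashlib, random, re, time

rng = random.SystemRandom()

# --- a minimal RSA for illustration only; key sizes and formats are not PGP's ---
def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_key(bits=1024):
    """Return (public, secret) as ((n, e), (n, d)); the secret half stays with the signer."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

# DER prefix identifying SHA-256 inside a PKCS#1 v1.5 signature block (RFC 8017, 9.2).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(data, created, k):
    """Hash the file together with the signature time (PGP hashes the time stamp too,
    which is why it cannot be altered) and wrap the digest in PKCS#1 v1.5 padding."""
    digest = hashlib.sha256(data + created.to_bytes(4, "big")).digest()
    t = _SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(secret, data, created=None):
    n, d = secret
    k = (n.bit_length() + 7) // 8
    created = int(time.time()) if created is None else created
    m = int.from_bytes(_encode(data, created, k), "big")
    return {"created": created, "sig": pow(m, d, n).to_bytes(k, "big")}

def verify(public, data, signature):
    """True only if the signature was made over exactly these bytes with the matching
    secret key. The whole padded block is compared, not just the hash at its tail."""
    n, e = public
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature["sig"], "big")
    if len(signature["sig"]) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == _encode(data, signature["created"], k)

# --- the page's procedure for images: the time stamp of each image signature is
# --- listed in a comment inside the (itself signed) HTML file. Comment format is made up.
def listed_timestamps(html):
    return {m.group(1): int(m.group(2))
            for m in re.finditer(rb"<!-- sig: (\S+) (\d+) -->", html)}

def check_image_reference(public, html, html_sig, name, image, image_sig):
    if not verify(public, html, html_sig):
        return "html signature bad"      # then the listed time stamps cannot be trusted
    if not verify(public, image, image_sig):
        return "image signature bad"
    listed = listed_timestamps(html).get(name)
    if listed is None:
        return "no time stamp listed"
    if listed != image_sig["created"]:
        return "genuine signature, but not the file meant for this reference"
    return "ok"

def demo():
    """Constructed files and keys; returns the outcome of each check."""
    public, secret = generate_key()
    impostor_public, _ = generate_key()   # a key someone else falsely labels as mine
    photo = b"GIF89a" + bytes(range(64))  # stand-ins for two image files
    other = b"GIF89a" + bytes(range(64, 128))
    photo_sig = sign(secret, photo, created=832636800)   # 1996-05-21 00:00:00 UTC
    other_sig = sign(secret, other, created=832636801)
    html = (b'<html><body><img src="photo.gif"></body></html>\n'
            b"<!-- sig: photo.gif 832636800 -->\n")
    html_sig = sign(secret, html)
    return {
        "page verifies": verify(public, html, html_sig),
        "page under impostor key": verify(impostor_public, html, html_sig),
        "page pasted into a word processor": verify(public, b"{\\rtf1 " + html + b"}", html_sig),
        "page edited behind my back": verify(public, html.replace(b"photo", b"ph0to"), html_sig),
        "intended image": check_image_reference(public, html, html_sig, b"photo.gif", photo, photo_sig),
        "swapped for another signed image": check_image_reference(public, html, html_sig, b"photo.gif", other, other_sig),
    }
```

Run `demo()` and inspect the dictionary: the genuine page and the intended image pass, and every other case fails for the reason the text above gives. Note that `verify` rejects a signature that is the wrong length or numerically larger than the modulus before doing any arithmetic, and compares the entire padded block rather than only the trailing hash, so a malformed signature cannot slip through on a partial match.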

Signatures

I have not signed everything to which I have referred. Some of those things are other people's files, which they may change from time to time without telling me. But here are the signatures I have made for you:

Please verify the signature on this page before bothering to check the time stamps I have listed above. Thank you.

This page is subject to change without notice.