PGP Signatures on Email
Written by Owen Campbell   

Introduction

You may have received an email from Empiria with lines at the top similar to:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

and a section at the bottom which looks something like:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAkmr2UAACgkQmnCt8c1NQ98pcACdEpZpqJYifkH0NvE6krEjzA9T
VoMAn1HIKzpRrnveSEizzQBLMANkh648
=acdx
-----END PGP SIGNATURE-----

The first block marks the start of the signed text, and the second carries the signature itself, which is computed over that text with Empiria's private signing key. Checking the signature against the matching public key lets the recipient verify that:

  • The message was signed by the holder of that key, i.e. it genuinely came from Empiria, provided the public key you hold really is ours
  • The content of the message has not been altered since it was signed
This article explains why we have adopted this technology and how the signature can be used.
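To show what a mail client actually reads out of the second block, the following Python decodes the sample signature quoted above. It is an added example written for this article, not Empiria's or GnuPG's code; the only input is the armored block as printed on the page, and the helper names are my own. It strips the armor, checks the CRC-24 line, parses the single signature packet inside, and reports the fields that matter to a verifier: the signature type, the public-key and hash algorithms, the creation time, the issuer key ID and the signature values.

```python
import base64
import datetime
import struct

# The signature block quoted in the article above (Empiria's sample). Only the
# signature block is needed to decode the packet; the signed text is not.
SAMPLE_SIGNATURE = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkmr2UAACgkQmnCt8c1NQ98pcACdEpZpqJYifkH0NvE6krEjzA9T
VoMAn1HIKzpRrnveSEizzQBLMANkh648
=acdx
-----END PGP SIGNATURE-----
"""

# Algorithm numbers from RFC 4880 section 9 (only the common ones).
PUBKEY_ALGS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}

def crc24(data):
    """CRC-24 used for the armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text):
    """Return (packet bytes, checksum_ok) for an ASCII-armored block."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored block")
    body = lines[1:-1]
    while body and body[0].strip():          # armor headers such as Version: end at a blank line
        body.pop(0)
    body = [line.strip() for line in body if line.strip()]
    checksum = body.pop() if body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    ok = checksum is None or base64.b64decode(checksum[1:]) == crc24(data).to_bytes(3, "big")
    return data, ok

def read_length(blob, i):
    """New-format length octets (RFC 4880 section 4.2.2); subpackets use the same scheme."""
    first = blob[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + blob[i + 1] + 192, i + 2
    return struct.unpack(">I", blob[i + 1:i + 5])[0], i + 5

def read_packet(data):
    """Parse the first packet header; return (tag, body). Partial lengths are not handled."""
    first = data[0]
    if first & 0x40:                         # new format: tag in the low six bits
        length, start = read_length(data, 1)
        return first & 0x3F, data[start:start + length]
    tag, size = (first >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(first & 0x03)   # old format
    if size is None:
        raise ValueError("indeterminate packet length")
    return tag, data[1 + size:1 + size + int.from_bytes(data[1:1 + size], "big")]

def subpackets(blob):
    """Yield (type, data) for each signature subpacket; the length counts the type octet."""
    i = 0
    while i < len(blob):
        length, i = read_length(blob, i)
        yield blob[i] & 0x7F, blob[i + 1:i + length]
        i += length

def parse_signature(armored):
    """Decode a version 4 signature packet into the fields a verifier looks at."""
    data, crc_ok = dearmor(armored)
    tag, body = read_packet(data)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    info = {"armor_crc_ok": crc_ok, "packet_len": len(body), "sig_type": body[1],
            "pubkey_alg": PUBKEY_ALGS.get(body[2], body[2]),
            "hash_alg": HASH_ALGS.get(body[3], body[3])}
    hashed_len = struct.unpack(">H", body[4:6])[0]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    subs = list(subpackets(body[6:pos])) + list(subpackets(body[pos + 2:pos + 2 + unhashed_len]))
    pos += 2 + unhashed_len
    info["hash_prefix"] = body[pos:pos + 2].hex()   # first 16 bits of the digest, a quick sanity check
    pos += 2
    info["mpi_bits"] = []                           # the signature values: r and s for DSA
    while pos < len(body):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        info["mpi_bits"].append(bits)
        pos += 2 + (bits + 7) // 8
    for stype, sdata in subs:
        if stype == 2:                              # signature creation time
            info["created_unix"] = struct.unpack(">I", sdata)[0]
            info["created"] = datetime.datetime.fromtimestamp(
                info["created_unix"], datetime.timezone.utc).isoformat()
        elif stype == 16:                           # issuer key ID (64-bit form)
            info["issuer_key_id"] = sdata.hex().upper()
    info["issuer_short_id"] = "0x" + info["issuer_key_id"][-8:]
    return info

for key, value in parse_signature(SAMPLE_SIGNATURE).items():
    print(f"{key:16} {value}")
```

Run against the sample, it reports a signature of a canonical text document (type 1) made with a DSA key using SHA-1, created on 2 March 2009, with two 160-bit signature values and issuer key ID 9A70ADF1CD4D43DF, whose last eight hex digits are the 0xCD4D43DF listed for Owen in the Public Keys section. Two things are worth noticing. The digest recorded inside the packet is SHA-1, not the SHA512 named in the Hash: header at the top of the page, so the two snippets on this page were not cut from the same message. And the issuer ID is only a lookup handle: it tells your software which key to fetch, but proves nothing by itself, because anyone can put any ID in a signature they make. Assurance comes only from a successful verification against a key whose fingerprint you have confirmed belongs to Empiria.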

The Requirement

If we were to send a written letter on company headed paper, one of our directors would sign that letter so that the recipient could verify that it was genuine. We believe that email and other electronic communication from our company should provide at least the same level of confidence.

This belief is strengthened by the prevalence of spam, phishing and other malicious attempts to use email fraudulently.

The Technology

Our signatures are produced using tools which adhere to the OpenPGP standard. Whilst there are other technologies available, we chose OpenPGP as it is mature, stable and freely available. There are a variety of software tools which adhere to the standard for all major operating systems and many of these are completely free of charge.

You can read more about the OpenPGP standard at http://www.openpgp.org

OpenPGP is a standard for encrypting and digitally signing data, including email, using public key cryptography. It is based upon a software tool called PGP which was originally written by Phil Zimmermann and released in 1991. There is an excellent explanation of public key cryptography and PGP itself at the International PGP website: http://www.pgpi.org/doc/pgpintro

There are also some very good Wikipedia articles:

Using The Signature

Software Tools

In order to use our signatures, you will need a software tool which implements the OpenPGP standard.

The toolkit we use is based upon 'GNU Privacy Guard' which is available free of charge from http://www.gnupg.org for Windows, Linux and MacOS systems.

On our windows based laptops, we use a package called 'Gpg4win' which bundles the Gnu Privacy Guard engine with some useful utilities to integrate it into our email system. Gpg4win is available free of charge from http://www.gpg4win.org

Other software implementations are listed on the Wikipedia article; because they all implement the same standard, any of them will verify signatures created by Empiria.

Public Keys

You will also need the public key for Owen, Cath or John. We have published our keys on the network of PGP key servers (e.g. http://wwwkeys.pgp.net ). Most of the software tools will allow you to search the key servers using our email address for the relevant key. Some will only allow you to search using the key ID, which are:

  • Owen: 0xCD4D43DF
  • Cath: 0xA6E1FBD2
  • John: 0x363BBE90

These are short (32-bit) key IDs. They are convenient for searching but they are not unique: anyone can create a key carrying the same short ID and upload it to the key servers, which accept whatever they are given, so a search may return more than one key. Before trusting a key you have fetched, compare its full fingerprint with one obtained from us by another channel (for instance by telephone) and check that the user ID on the key is one of our email addresses.

If, for whatever reason, you are unable to retrieve the correct key, please reply to the original email and we will gladly send it to you directly. A key received that way still deserves the same fingerprint check, since the reply goes to whoever sent the original message.

Once you have your chosen toolkit installed and have imported our public keys, your software will report whether the signature on one of our messages verifies. A good signature means the message is genuine and has not been altered since it was signed; a bad signature, or a signature from a key that cannot be found, means the message should not be trusted until it has been checked by other means.
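To see why the IDs listed above are only a lookup handle, the following added example (my own code for this article, not Empiria's or GnuPG's) builds a version 4 public-key packet from constructed placeholder numbers that are labelled as such and are not a real key, computes its fingerprint the way RFC 4880 section 12.2 specifies, and shows that the long and short key IDs are nothing more than the last 8 and 4 bytes of that fingerprint. It then searches for a second packet, differing only in its creation timestamp, whose fingerprint ends in the same 16 bits. Matching a full 32-bit short ID costs about 2^32 such attempts, which is within reach of ordinary hardware; matching the whole 160-bit fingerprint is not.

```python
import hashlib
import struct

def mpi(value):
    """Encode an integer as an OpenPGP multi-precision integer: bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def public_key_packet_body(n, e, created):
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def fingerprint(body):
    """Version 4 fingerprint: SHA-1 over 0x99, the two-byte body length and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_ids(fp):
    """The long (64-bit) and short (32-bit) key IDs are just the tail of the fingerprint."""
    return fp[-16:], "0x" + fp[-8:]

# Constructed placeholder key material for the demonstration: NOT a real key and
# not one of Empiria's. A genuine RSA modulus would be the product of two large primes.
DEMO_N = int.from_bytes(hashlib.sha512(b"demo modulus").digest() * 4, "big") | (1 << 2047) | 1
DEMO_E = 65537
DEMO_CREATED = 0x49ABD940   # 2009-03-02, an arbitrary but realistic creation time

def find_short_id_collision(target_fp, n, e, match_bits=16, limit=1 << 22):
    """Vary only the creation time of a second packet (same key material) until the
    low match_bits of its fingerprint equal the target's. Expected cost is about
    2**match_bits SHA-1 calls, so a full 32-bit short ID costs roughly 2**32."""
    mask = (1 << match_bits) - 1
    want = int(target_fp, 16) & mask
    for created in range(limit):
        fp = fingerprint(public_key_packet_body(n, e, created))
        if int(fp, 16) & mask == want and fp != target_fp:
            return created, fp
    raise RuntimeError("no collision found within limit")

if __name__ == "__main__":
    fp = fingerprint(public_key_packet_body(DEMO_N, DEMO_E, DEMO_CREATED))
    long_id, short_id = key_ids(fp)
    print("fingerprint:", fp)
    print("long key ID:", long_id, " short key ID:", short_id)
    created, fp2 = find_short_id_collision(fp, DEMO_N, DEMO_E)
    print(f"after {created} timestamps a packet ending in ...{fp2[-4:]} matched ...{fp[-4:]}")
```

The collision search never touches the key material, only the timestamp field, which is why a short ID is no evidence of anything. With GnuPG, `gpg --recv-keys 0xCD4D43DF` fetches whatever the key server holds under that ID (possibly several keys), and `gpg --fingerprint 0xCD4D43DF` prints the full fingerprint of each, which is the value to compare against one obtained from Empiria by another channel before the key is used.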

Fully Encrypted Email

If you wish to go one stage further and use fully encrypted email to communicate with us (the equivalent of putting our company's correspondence in sealed envelopes), we are happy to do so provided you use the OpenPGP standard.

Simply let us know that you wish to use the technology and, once we have exchanged public keys, we'll encrypt and sign the content of any email we send to you. Note that OpenPGP protects the body and attachments of a message; the subject line, the addresses and the other headers still travel in the clear.

 
Copyright © 2010 Empiria Ltd: Independent Agresso Consultants. All Rights Reserved.